December 19, 2025

In the premier season of The Web3 Security Podcast, our host and CEO, Jack Sanford, interviewed 10 security leaders from prominent organizations across Web3. These were not abstract conversations. They were grounded in real incidents, real constraints, and real responsibility for systems securing billions of dollars.

What emerged across these episodes was a shared mental model of security that looks very different from the “find the bug, ship the fix” narrative. Instead, these leaders consistently talked about systems, incentives, operations, and failure models. They discussed how they design environments that can absorb mistakes rather than pretending they won’t happen.

This post is a synthesis of those conversations and of what these 10 Web3 security leaders taught us.

It’s a set of lessons, repeated independently by experienced practitioners, about what actually matters when security moves from theory into production.

Who Are These 10 Web3 Security Leaders?

To set the stage, we’ll first introduce our 10 guests, listed in order of episode number.

  1. Fredrik Svantes, Lead Protocol Security Researcher at the Ethereum Foundation
  2. Chris von Hessert, VP of Security at Polygon Labs
  3. Ernesto Boado, Co-Founder of BGD Labs and former CTO of Aave
  4. Anto Joseph, Principal Security Engineer at Eigen Labs (Eigen Cloud)
  5. Sebastian Bürgel, VP of Technology at Gnosis
  6. Richard Meissner, Co-Founder of Safe
  7. Jeroen Offerijns, CTO of Centrifuge
  8. Barry Plunkett, Co-CEO of Cosmos Labs
  9. Justin Drake, Senior Researcher at the Ethereum Foundation
  10. Shashank Agrawal, Head of Security at Base

These guests span some of the most important protocols in Web3 and protect billions of dollars of real assets. If any one of these protocols were to fail or suffer a major exploit, the entire industry would be severely damaged. They are among the foremost security experts in Web3 today.

Top Security Lessons from Season 1 

One thing became obvious over the course of the season: The biggest security lessons aren’t about clever exploits. They’re about systems.

Here are the lessons that came up again and again:

1. Off-Chain Is The New Front Line

Smart contract bugs get the headlines, but many of the highest-impact incidents start off-chain, with things like:

  • key compromise
  • infra / CI / deployment weaknesses
  • front-end or DNS hijacks
  • social engineering and signing mistakes

Attackers go for the weakest link, and that link is increasingly human error rather than contract code.

“It might be easier to attack one of your off-chain pieces than your on-chain pieces. And people will always go for the weakest part in your security posture.”

— Shashank Agrawal, Head of Security at Base (Episode 10)

“Security is about the entire system—consensus, economics, UX—not just the code.”

— Fredrik Svantes, Lead Protocol Security Researcher at the Ethereum Foundation (Episode 1)
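The “signing mistakes” and “front-end or DNS hijacks” items in the list above usually come down to the same thing: a wallet approving calldata that nobody decoded. As an added example (not code from the podcast guests or any of their projects), here is a small pre-signing check in Python for two common ERC-20 calls, `approve` and `transfer`. It decodes the calldata, flags unlimited approvals and counterparties that are not on an allowlist, refuses unknown selectors, and notices payload bytes a normal ABI encoder would not produce. The two selectors are the standard ERC-20 ones; the addresses, the allowlist and the sample calldata are constructed for illustration.

```python
# Added example: a pre-signing calldata check for ERC-20 approve/transfer calls.
# Not code from the podcast guests or their projects. The selectors are the
# standard ERC-20 ones; addresses and the allowlist are constructed for illustration.

from dataclasses import dataclass, field

# First 4 bytes of keccak256(signature); standard ERC-20 selectors.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
}
UINT256_MAX = 2**256 - 1
EXPECTED_LEN = 4 + 32 * 2  # selector + two ABI words


@dataclass
class Verdict:
    function: str
    target: str            # spender (approve) or recipient (transfer), 0x-prefixed
    amount: int
    warnings: list[str] = field(default_factory=list)


def encode_erc20_call(selector_hex: str, addr: str, amount: int) -> str:
    """ABI-encode an (address,uint256) call. Used here only to build sample calldata."""
    addr_bytes = bytes.fromhex(addr.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector_hex + addr_bytes.hex() + amount.to_bytes(32, "big").hex()


def check_calldata(data_hex: str, trusted: set[str]) -> Verdict:
    """Decode the calldata a wallet is about to sign and list why a human
    should look twice: unknown function, unlimited approval, counterparty
    not on the allowlist, or bytes a normal ABI encoder would not produce."""
    data = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    name = SELECTORS.get(data[:4])
    if name is None:
        # Anything we cannot decode is something we must not sign blind.
        return Verdict("unknown", "", 0,
                       [f"unknown selector 0x{data[:4].hex()}: do not sign blind"])
    if len(data) < EXPECTED_LEN:
        raise ValueError("calldata truncated")

    warnings: list[str] = []
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):
        warnings.append("address word has non-zero padding (hand-crafted payload?)")
    if len(data) > EXPECTED_LEN:
        warnings.append(f"{len(data) - EXPECTED_LEN} unexpected trailing bytes")

    target = "0x" + addr_word[12:].hex()          # lowercase hex address
    amount = int.from_bytes(amount_word, "big")
    if name.startswith("approve") and amount == UINT256_MAX:
        warnings.append("unlimited approval (uint256 max)")
    if target not in {t.lower() for t in trusted}:
        warnings.append(f"counterparty {target} is not on the allowlist")
    return Verdict(name, target, amount, warnings)


def should_sign(v: Verdict) -> bool:
    """Policy: sign only when the decoder raised no warnings."""
    return not v.warnings


if __name__ == "__main__":
    # Constructed sample: one trusted router, and a hijacked front-end asking
    # for an unlimited approval to a spender nobody has heard of.
    TRUSTED = {"0x1111111111111111111111111111111111111111"}
    benign = encode_erc20_call("095ea7b3", "0x1111111111111111111111111111111111111111", 1000)
    drainer = encode_erc20_call("095ea7b3", "0x2222222222222222222222222222222222222222", UINT256_MAX)
    for label, call in (("benign", benign), ("drainer", drainer)):
        v = check_calldata(call, TRUSTED)
        print(label, v.function, v.target, v.amount,
              "SIGN" if should_sign(v) else "STOP", v.warnings)
```

The point of the allowlist is that it lives with the signer, not in the front-end: a hijacked page can change the spender it asks for, but it cannot change what the signer's own policy considers a known counterparty. The same structure extends to whatever functions a given treasury or multisig actually calls; anything outside that set should stop the signing flow rather than fall through.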

2. Audits Are Necessary, But Never Sufficient

The best teams treat audits as one piece of a security strategy, not the finish line. A more complete security plan includes strong internal review, multiple independent external audits, monitoring, incident response plans and tabletop exercises, and bug bounties as a continuous safety net.

“Security is not just about auditing smart contracts. Most of the real failures happen outside of that.”

— Chris von Hessert, VP of Security at Polygon Labs (Episode 2)

“Finding a bug is only part of the problem. You also need the right incentives and processes for it to actually get fixed.”

— Anto Joseph, Principal Security Engineer at Eigen Labs (Episode 4)

3. Perfect Security Isn’t Real, But Risk Management Is

Every serious leader we spoke to had a similar mindset. We need to assume that bugs exist and that failures happen. Security is not a badge you earn; it’s a process you keep running.

“We assume every complex system has bugs. The real question is whether the system can survive when they show up.”

— Justin Drake, Senior Researcher at the Ethereum Foundation (Episode 9)

“I always say that nothing is ever secure. The goal is not perfection—it’s raising the bar as much as possible.”

— Anto Joseph, Principal Security Engineer at Eigen Labs (Episode 4)

4. Right Now, AI Is Both An Accelerant And A Problem

AI is already changing security, but not in the way most people think. It boosts productivity, helping with coding, analysis, and triage. At the same time, it boosts noise: AI-generated bounty spam and plausible-but-wrong reports.

“AI is helpful for speeding things up, but it still needs humans to decide what actually matters.”

— Ernesto Boado, Co-Founder of BGD Labs / former CTO of Aave (Episode 3)

“AI is making phishing and social engineering much easier. It’s lowering the bar for attackers faster than it’s helping defenders.”

— Chris von Hessert, VP of Security at Polygon Labs (Episode 2)

“We want to adopt AI as much as possible—writing code, reviewing code, threat modeling, risk assessment. Wherever it can make our processes more efficient, we’re actively using it.”

— Shashank Agrawal, Head of Security at Base (Episode 10)

Final Thoughts

Across the very different roles, the same principles from our guests kept surfacing. Assume failure, design for containment, prioritize response over perfection, and protect the entire system, not only the code.

For builders, the takeaway is straightforward. Security isn’t something you outsource, schedule once, or solve with a tool. It’s a discipline that spans engineering, operations, governance, and people.

This way of thinking is a shift toward maturity, and that shift matters. As Web3 systems grow more interconnected, more valuable, and more visible, the cost of naïve security thinking increases. The question is no longer “Can this break?” but “What happens when it does?”

The systems that survive the next decade won’t be the ones with zero bugs. They’ll be the ones designed to fail gracefully, recover quickly, and keep going.