Securing the Digital Asset Ecosystem with Cantina
Date: 2025-09-02

In Brief: Sharon Ideguchi, GTM lead at Cantina, discusses the shift in attacker focus from code to people, emphasizing the need for new security frameworks to protect companies in the rapidly evolving industry.

Hackers aren’t just targeting code anymore; they’re going after people. In this interview, Sharon Ideguchi, GTM lead at Cantina (Spearbit), reflects on her path from traditional cybersecurity to Web3, unpacks how attackers are shifting their focus, and explains why her team is building new security frameworks to protect companies in an industry that’s evolving faster than ever.

Could you please share your journey to Web3?

My name is Sharon Ideguchi, and I work at Cantina on the sales strategy side. I focus on creating custom product offerings for enterprise-level customers, emerging technologies, and clients in the institutional and traditional finance sectors. My work centers entirely on security. My career so far has been in cybersecurity, primarily in Web2. I spent many years in traditional cybersecurity roles, working in areas similar to CrowdStrike and other everyday security operations.

Over time, I saw the market quickly shifting toward Web3 and recognized it as the future of technology. I wanted to explore what cybersecurity looked like outside of my traditional Web2 background. That decision led me to Cantina, and I’ve been working in Web3 security ever since.

What are the main advantages for your clients of working exclusively with Cantina?

When we founded Cantina about four years ago, we focused on incentivizing the world’s best security talent to work on security projects. We noticed many highly skilled researchers in the field were not working on security, often because they lacked autonomy and the ability to choose meaningful projects or contribute deeply to protocols.

We built a model to give researchers that autonomy, and it worked. Today, our network includes talent across all coding languages, chains, ecosystems, and niche expertise. When clients come to us with a security request, we don’t just find someone qualified; we find the best person in the world for that job, whether it’s a smart contract audit, bug bounty, operational security, incident response, or Web2 testing.

You’ve worked in Web2 security as well. What key trends or narratives stand out as unique to Web3?

One major difference is the permanent nature of Web3 and its lack of intermediaries. In Web2, there are often third parties to help mitigate risks or recover losses. In Web3, if funds are stolen, they’re typically gone. Without proper security measures, like multi-sig protections or transaction pauses, recovery is almost impossible.

Another key factor is that Web3’s structure creates incentives for physical security threats. Attackers may target personnel directly, which is something far less common in Web2. This makes operational security practices, including safeguarding teams, essential in Web3.

What metrics do you use to measure the success of your security strategies over time?

The most obvious metric is whether our customers suffer an exploit after receiving our services. Beyond that, we measure how improved security posture affects funding opportunities, partnerships, and overall growth. We look holistically at how strong security contributes to a company’s financial performance, user trust, and long-term success.

How do you educate non-technical leadership teams about high-level security risks?

I use storytelling and real-world examples. For instance, I might walk a leadership team through a well-known hack: what security measures the company had in place, what they lacked, and the aftermath. Leadership teams are less interested in technical details and more concerned with potential impact, whether they’d lose data, customer funds, or face reputational damage. Framing security risks in terms of tangible outcomes helps them see why investing in security is critical.

What are some emerging attack vectors in smart contracts that teams still underestimate?

Since Web3 began, most security budgets have gone to smart contracts. Teams spend millions on audits, competitions, bug bounties, and peer reviews. Attackers know this and are shifting focus to less protected areas like Web2 components and operational vulnerabilities. Many recent attacks originated outside of smart contracts.

We’re helping teams address this imbalance through services like operational security, 24/7 incident response, and managed SOC teams, covering the entire organizational attack surface.

Could AI or automation ever replace parts of a Cantina review, or is human expertise irreplaceable?

It’s definitely a hybrid approach. We already use AI extensively for tasks like de-spamming competition platforms and adding context to peer reviews. AI is excellent at identifying known vulnerabilities and patterns, which accelerates the initial review process.

However, attackers are also creative and increasingly use AI themselves. Until AI becomes more intelligent and inventive than humans, we’ll always need human expertise to counter novel threats. The future is a combination of AI assistance and skilled researchers.

What inspired you to create specialized assessments beyond traditional audits?

We developed our Web3 SOC framework in response to client needs. Asset managers and VC firms began asking us to perform due diligence on Web3 companies, assessing both security and financial risks.

We realized there was no standardized way to quantify Web3-specific risks. Traditional compliance frameworks like SOC 2 or ISO don’t cover Web3-native threats. So we created a new standard to help Web3 companies secure funding and build partnerships, while also helping traditional financial institutions understand how to engage with Web3 safely.

This framework is now a collaboration with some of our industry’s biggest names. It’s gaining traction with traditional finance and asset managers worldwide.

What innovative security methodologies are you experimenting with right now?

AI is a big focus. We’re using years of bug data to build AI tools that improve code analysis and make security reviews faster and more cost-effective. We’re also enhancing bug bounty triaging to ensure it’s efficient and actionable.

Many of our services come directly from customer needs, like bug bounties and our Web3 SOC framework. Today, we see AI-powered code analysis as the next step in making security processes more streamlined and effective.

Could you share Cantina’s roadmap? Any upcoming features?

Our newest program is operational security with 24/7 incident response. Traditional finance has long relied on SOC teams and monitoring tools, but Web3 has lagged behind.

We built a program with former Coinbase threat intelligence experts to assess attack surfaces holistically, across Web2, Web3, physical, and digital assets. Once that’s in place, we offer a managed SOC service with trained analysts monitoring tools like Hypernative, Blockaid, Guardrails, and Hexagate around the clock, ready to act on threats in real time.

This program has already gained significant traction, and next, we’re focused on launching AI-powered code analysis tools to help teams build securely from the start.

Finally, what advice would you give a Web3 startup about building security into its roadmap from day one?

Start thinking about security early. Teams that wait until the audit phase often face delays, extra audits, and sometimes need to re-architect their entire product. Investing in security from the beginning saves time and money.

We recommend tools like AI-powered code analysis, third-party peer reviews, and using resources like our Security Review Readiness Checklist. Regularly inviting external perspectives helps identify vulnerabilities early.

Outside of code, startups should also evaluate their full attack surface, both Web2 and Web3. We have services for companies at every stage to help them proactively address risks. Building a security-first culture early on sets you up for long-term success.

