Breaking Out of Stealth: The Story Behind Spektion’s New Approach to Software Vulnerability
The Cybersecurity Go-To-Market Podcast | June 03, 2025 | 00:27:12 | 18.74 MB

Are you a cybersecurity sales or marketing leader seeking new ways to stand out in a crowded market? Do you struggle with demonstrating real value to CISOs who have “seen it all” and are wary of generic pitches? Wondering how to engage technical buyers who know the ins and outs of your product’s shortcomings? This episode with Joe Silva, co-founder and CEO of Spektion, is packed with fresh perspectives on tackling these challenges head-on.

In this conversation we discuss:

👉 The pitfalls and advantages of moving from practitioner to cybersecurity founder, and its impact on product-market fit
👉 How Spektion approaches runtime vulnerability analysis to address long-standing pain points in vulnerability management
👉 Lessons learned from launching a startup out of stealth, and go-to-market strategies for early-stage cybersecurity companies

About our guest:

Joe Silva is the co-founder and CEO of Spektion, bringing a unique blend of experience as a former CISO at JLL and cybersecurity leader at TransUnion. With a background in military intelligence and product leadership at Symantec, Joe’s journey from practitioner to founder offers valuable insights for anyone looking to build, market, or sell innovative security solutions.

Summary:

This episode dives deep into building cybersecurity products that solve persistent enterprise pain points, understanding practitioner mindsets, and crafting messages that resonate with buyers. If you’re aiming to refine your go-to-market strategy or better connect with technical decision-makers, this conversation is a must-listen. Tune in for actionable advice and behind-the-scenes stories from one of the industry’s most interesting new CEOs.

Connect with Joe Silva on LinkedIn, explore Spektion and book a 1:1 strategy call with host Andrew Monaghan here.


[00:00:00] Hey, it's Andrew here. Just quickly before we start the episode, I want to tell you about one of my favorite newsletters. It's called Strategy of Security. If you want to understand the companies, ideas and trends shaping cybersecurity and its submarkets, you should take a look. Cole Grolmus runs the newsletter and he has spent the last 20 years in cybersecurity, including stints at PwC and Momentum Cyber, the investment bank dedicated to cybersecurity. Recent articles I've liked include,

[00:00:30] how could platformization work in cybersecurity where he talks about there being lots of single vendor platforms, but not a multi-estate platform. And also one called demystifying cybersecurity's public companies, where he explores the pure play ones and also hybrid companies which are in cyber. He lists all of them and then breaks down the numbers in all sorts of different ways. Now this is not a paid promotion. I just simply enjoy what Cole is publishing. Check it out at Strategy of Security.

[00:01:00] StrategyofSecurity.com. Now on with this episode.

[00:01:02] All right. Welcome to another special edition of the Cybersecurity Go-To-Market Podcast being recorded live on the second morning, Tuesday morning at RSA 2025. We're here again in the spectacular salubrious atrium in the Marriott Marquis. It's early morning, so we're kind of on our own, except for people, you probably hear the dishes in the background as breakfast is being made for some meeting somewhere.

[00:01:39] And today we're talking with Joe Silva, who's the co-founder and CEO at Spektion. Joe, welcome to the podcast. Hey, thanks for having me, Andrew. A little early to be breaking out salubrious. I wasn't ready for that kind of vocabulary this early, but... Hopefully I pronounced it right. I might have just lost my train of thought halfway through that long word. No, you got it. So you are in an interesting position in that you're a longtime practitioner in security. CISO at a couple of places, I think, if I read it right, or at least one.

[00:02:07] Yeah, I was CISO at JLL, and then I ran cybersecurity at TransUnion prior to that. Okay. And then you crossed over and said, you know what? I need to start my own company doing this. There's a better way to do this. Tell me through the decision to go do that. Well, I felt like I was making way too much money as a CISO, and I was like, what's the best way that I can take the maximum pay cut? So I went to start a company. No. So, well, before that, before I'd been on the customer side as a security executive, I was on the product side prior to that at Symantec. Okay.

[00:03:05] Okay. I was thinking problems over and over again, mostly iterating through them. You know, as an executive, I'm dealing with more organizational political problems. The core competency of an effective CISO is the ability to navigate the organizational politics of that company. Right. Just in the context of cybersecurity sometimes. But my co-founders, they're career offensive security pros, and I think like a lot of red teamers, they just keep seeing the same things over and over and over again.

[00:03:33] And we felt like there was an opportunity to fix some things that no tools in the market were fixing for us. And we wanted to really solve a problem, right? Not so much take a fingers in the dike approach to cybersecurity, which is often what you feel like you're doing when you're working in any big enterprise security organization. You're managing security. You're not really solving problems. You're managing risk associated with security because the business has to make a lot of tradeoffs.

[00:03:55] Do you think you had a big advantage over other people looking to found companies, in the war in the trenches, seeing it firsthand, as opposed to having to go and do a bunch of interviews to find out what people are trying to struggle with? It's a double-edged sword. I think part of our unique advantage as a founding team is our ability to understand the actual problems that a lot of practitioners are solving.

[00:04:16] But at the same time, there's a real trap you can fall into where you just mirror image and assume that every other organization has the exact same problems you do. And I think there's been a lot of practitioners who've gone on to become founders and maybe, you know, really interesting products, but kind of a niche because it didn't work for a broader market.

[00:04:35] So I think being on the product side before I was on the customer side really served me well, was able to understand what's unique to the situations I'm in and what's just kind of the endemic problems across the industry. So you had the experience of what it took to actually build a product, spec it out, do the due diligence. Then you had the experience of being in real world, trying to figure out how to use all this stuff and bring your team together, deal with the politics. Then you came back again. That's an interesting kind of flow of a career.

[00:05:04] Was it all kind of planned like that or did you just... None of this was organic. Yeah. Right. I mean, none of this was organic. You know, I started off, I started off in the military, you know, combat arms, then the intelligence world. I actually didn't get into the cyber world until way later in my career after I had mostly left the government. Oh. So no, none of this was planned. I wouldn't say it's like a happy accident. It just kind of ended up here. But going back to the question about, you know, was it beneficial?

[00:05:31] I would say maybe the thing that was most beneficial around being a practitioner beyond just identifying persistent problems that weren't being solved was having dealt with so many other startups. Worked closely with a lot of startups, a lot of great teams. Many of them built really interesting technology and then were working with companies looking for a problem to solve. I think you see that a lot in the startup world. Right. We started with a problem and then built a technology to solve it.

[00:05:55] But I understood the pain points that a lot of security leaders have working with startups where they see a technology, they see a really smart, enthusiastic team. But they also think about how much work it's going to take to get that technology to solve a problem for them. And they oftentimes feel like they're like the shadow product manager. And, you know, I didn't want to put that kind of burden on our customers. Did you, except for that aspect, did you learn a lot about how startups dealt with you as a CISO? I did. You know, what you wanted and didn't want to do?

[00:06:24] I did. I learned, you know, and every security leader has got a different personality and can be approached a different way. But I learned that some were very curious. You know, they said, hey, what are your, you know, what problems are you dealing with that nobody's solving for you? And then some were very opinionated to the point where they would say, hey, this is a problem that you have, right? Well, it's a problem, but it's not in my top 10 problems. And then they would argue with me about why the problem they were trying to solve wasn't more important to me. Well, so that went pretty well. Right.

[00:06:55] So it's probably good to get a point of view, but you've got to balance it a little bit to say, well, just because I've got it doesn't mean to say everyone's got the same point of view. Well, you know, there's a saying like, you know, no plan really survives beyond first contact. And I think there's a lot of founders that when they make first contact with a market that doesn't have the same enthusiasm for the problem they're trying to solve, there's a reflexive nature to just push back and say, no, no, no, you're not appreciating how valuable what we're doing for you really is. Yeah.

[00:07:23] There's that transactional analysis, right? When someone steps away, you don't want to try and grab them going, no, no, no, no, no, you got to listen, you got to listen. You want to actually go, okay, well, let's step away too and just see what's going on here. Let me listen and try and understand. That's right. Rather than double down. I'll talk louder at you so you understand it. Well, you see this, this is what I said about mirror imaging and why that's relevant, where, you know, I worked at TransUnion. It's a credit bureau. I was there during and after the Equifax breach.

[00:07:51] So obviously huge emphasis on security, right? Cybersecurity is kind of core to trust, institutional and consumer trust in the credit bureaus and core to the business. So that's a different priority for cybersecurity than it may be in other sectors where the balance between profitability, disruption and security is going to be struck differently.

[00:08:12] So if I had just mirror imaged my experience in two jobs and said that's broadly applicable to the enterprise security market, I probably would find a very narrow sliver of folks receptive to the problem we were trying to solve. Yeah. Well, let's talk about that. What does Spektion do? What are you solving for people?

[00:08:28] So Spektion is a runtime vulnerability analysis product where we are saying that CVEs as a measure of understanding the vulnerability risk in all the software you're running are useful, but ultimately a lagging subset of indicators around exploitability. And we're able to find vulnerability risk based on runtime analysis of software behavior in all the software organizations are using.

[00:08:53] So oftentimes upstream of CVEs, insecure memory utilization that if you dealt with it would probably resolve 60, 70 percent of vulnerabilities that come up in software. And so we find vulnerabilities in software, and vulnerabilities are not synonymous with CVEs, but general exploitable conditions in software. And then we provide mitigations for those in the form of preventive controls that can be implemented, but then finely tuned detection-based controls for some XDRs and EDRs.

[00:09:21] And is that a totally new approach or are you doing it better than perhaps others have been doing it in the past? It's a totally new approach based on the experience I had. What we saw was we just looked at like where was cybersecurity really overperforming? And we looked at the anti-malware market and you have solutions like CrowdStrike and others that had taken they had taken a runtime approach. We went from static AV to next gen AV to EDR EPP, you know, a very runtime approach to data and providing teams with real time visibility.

[00:09:51] And I think threat detection teams are used to near real time visibility into events. But then we saw that vulnerability management, particularly around software, open source, commercial and the increasing amount of homegrown tools that organizations end up having on their systems, was lagging behind. In both of my last two jobs, I thought it was the lowest ROI function within the security program I was dealing with, in terms of the amount of resources and political capital invested in achieving an outcome, and it was creating friction within the organization.

[00:10:20] Because technology teams can never have the capacity to patch even the prioritized vulnerabilities. The nature of CVE disclosure when it's truly important is you're very reactive. So we saw an opportunity to really go from what I would consider the static AV signature era of vulnerability management and take a comprehensive runtime approach in terms of understanding what is my entire software-based attack surface? How is it changing in near real time?

[00:10:46] What are the risks and how can I manage that without just saying here's a prioritized list of CVEs, distributing them to other technology teams and saying, hey, patch these. And we'll have some controls in general, but not being able to tailor the specific capabilities of those controls to the exploitability. So we really just felt like there was a genuine opportunity to modernize vulnerability management. You know, there's a lot of new technologies that have come out in the last 10, 15 years, created a new attack surface.

[00:11:15] And I think there's been for all these modern technologies, you know, SaaS, cloud, and now AI. I think if you look at like MCP now is a new attack surface. There's been a lot of modern solutions that are coming to market doing really interesting things to address modern problems on this attack surface. What we're not seeing is modern solutions to legacy problems around software running on systems. We've not moved to an all-SaaS world. The amount of software per endpoint is actually increasing in the enterprise.

[00:11:45] We actually have a more atomized software ecosystem. I think largely because the barrier to building your own tools, particularly now with AI, is so low. But we still have a legacy solution to legacy problems. And then the Verizon DBIR said, you know, software, third-party software was the number two cause of breaches last year. So we're doing a pretty good job of security solutions keeping up with new attack surfaces we're creating.

[00:12:11] We're doing a horrible job of keeping up with legacy problems around software. And in those cases, I would say as an industry, we're over-indexed in terms of our reliance on detection and response. So we wanted to build a solution that would provide visibility and solutions for managing the overall exposure to software vulnerabilities. It seems like maybe it's still the case. You can tell me that a lot of bigger companies run mission-critical things on systems being run for a long, long time, years, decades sometimes.

[00:12:41] Is that a prime market for you? It is. There's a lot of reasons organizations are running software on legacy systems. Sometimes it's for resilience. Sometimes it's because they don't want to incur the costs of migrating, where they feel like it's going to be too frictionful. They feel like their overall technology architecture is almost like a mousetrap type setup, where if they change one thing, it could have a cascading impact that's just not worth dealing with.

[00:13:09] And particularly right now, where in general, there's a lot of uncertainty in the economy. Nobody's looking to have a big capex outlay. So nobody's looking to undertake some of these big transformation projects right now. Who is it inside the organization that buys Spektion? Vulnerability management. Overwhelmingly, it's the vulnerability management leader, sometimes the threat detection leader, because we're providing a lot of capabilities for blue teams to actually detect and respond and hunt for software exploitation even before a CVE is out.

[00:13:38] But vulnerability management teams are buying us because ultimately they say, how do I understand the total vulnerability exposure of my software, not the subset covered in CVEs? And then where I do have CVEs, what is the most reasonable, defensible prioritization rubric? And so a runtime view of software risk overlaid with CVEs gives you a much better view of the blast radius of exploitation of that software.

[00:14:05] And you guys were in stealth for quite a while or a while and recently came out of stealth. And I think you've done some funding as well. Is that right? Two weeks ago, we came out of stealth. We announced that we had our $5 million seed round led by Live Oak Venture Partners. And that experience of being in stealth, people seem to have a bipolar view of this. Either it's the best thing in the world or other people just scorn it. Like, why would you even do that? What was your experience and why did you keep it like that for a while?

[00:14:31] Well, I think some of it depends on the underlying technology and how complex the technology you're building out is. We wanted, we built a technology that's hard to build, easy to implement. And so that was one of the reasons we stayed in stealth. We did not want to have a massive overhead for implementation and management of the technology. Now, I think the wrong reason to stay in stealth is because you want to keep something a secret. If you're doing something really unique and really powerful, it doesn't matter. You should just do it and get it in as many people's hands as possible.

[00:15:00] We stayed in stealth, but we worked with customers, early design partners and customers. And we had some criteria for coming out of stealth, most of which was we wanted to have delivered the maximum amount of value with the minimal amount of overhead for a non-friendly prospect, not somebody who was from our network or extended network. And they could implement the product and see value very quickly.

[00:15:24] When we were in stealth, our early design partners and customers were folks where we could deliver value early in the form of visibility, which is necessary, but I don't believe sufficient in this day and age to actually have a full-fledged product. And then because they knew us, largely folks we had worked with before or knew of us, they had a lot of trust in our ability to execute on a roadmap that would help them solve the problems we were surfacing with visibility.

[00:15:49] So our criteria for coming out of stealth was unfriendly prospects who don't know us would see the product and not just say, oh, hey, that's great. You gave me visibility in the problems, but would immediately realize the ability to solve those problems with very low overhead. There's a lot of dangers in staying in stealth for too long, though, that I can. I would. Well, again, you're working with design partners who you probably already have some degree of comfort with,

[00:16:15] and they're kind of accepting of delays, things not being perfect. And that can build bad muscle memory with the product engineering team because they expect post-stealth customer prospects to be just as accepting. The POC process when you go into an unfriendly is a lot different, right? You have to deliver. There's zero excuses. Nothing's going to be perfect.

[00:16:38] But the expectations around delivering up to what you committed to and very quickly addressing feedback on where you're falling short are a lot different than. Does it have the same effect when you think about how you present to the market? Like we kind of stealth, the idea is, OK, now we need to actually say something on our website about what we do. That's right. You have to assume they know nothing about you. Right. And you don't get the luxury, I would imagine, after you come out to keep tweaking everything daily or weekly, depending on what you learn.

[00:17:06] Right. Because being in stealth, you don't have that pressure to let's formulate the right phrase to what we do differently. That's right. You've got the attention span of your potential user or buyer for 30 seconds initially, and you've got to grab them. And then they're going to move on to the next. Like as a CISO, I'll tell you how I thought of it as a buyer, you know, other than a handful of folks, every non-JLL email went to an external box. I would look at it a couple of times a week.

[00:17:36] And if you're a vendor and I don't know you or you weren't referred to me by somebody I do know, I'd hardly talk to you. Any exposure I got to vendors that I didn't already know about was maybe through LinkedIn. I think a lot of folks use it as a news aggregator. And then you can kind of see maybe you'll see, though, somebody I know also follows this company and what they're doing. So would you rely on friends in the industry as a CISO? Like you get together and someone says, oh, I just found this great company. Or would you rely on investors? What was your primary channel?

[00:18:05] Friends, but it's that they have to be really good friends. And here's why I say that folks in the industry that you're friendly with, they'll give you some insights, but they're your friends. And if they're not your really good friends, they're generally going to affirm the problem you're solving and the way you think you're going to solve it because they're your friends. Right. I say really good friends because you need really good friends who can tell you, hey, this is a horrible idea. Right. That in your head, that sounds right or that may have worked for you, but that is not reproducible at other organizations. And they're not going to get it.

[00:18:34] They're either not going to get it or they're going to think this is way too difficult to do or this is providing way more work than it is. It's valued. And anything surprising to you as you came out of stealth two weeks ago that you weren't expecting? That's like, oh, that's interesting. I wouldn't say it's happening from a go-to-market perspective. I wouldn't say really because I was very fortunate.

[00:18:58] We had a sales leader on board early who had been at other startups and he knew what to expect. And we had talked about this for a while. Honestly, the thing that I was most surprised by was all of the spam from BDR as a service, HR servicers, folks that are just nonstop hitting me up to deliver services to me. That's the thing I was not prepared for was what a cesspool my LinkedIn inbox would be. That's what happens, right? Oh, someone got some money. I sell things for money.

[00:19:27] I must go and hit them up to try and give me some of that money. When I left my CISO job and I did the startup, I didn't think that I was going to continue to be assaulted by vendors. Little did I know it was just a different type of vendor I would continue to be assaulted by. And you have this big title. This guy's got the, he's not only got the money, he's got a big title. He can decide these things. That's right. Yeah. I'm the CEO of a 12-person company. And as you're looking at this year at the go-to-market, where are your investments going to be, do you think?

[00:19:54] Well, our investments are going to be continuing to not just provide the maximum visibility into what software is doing across any system it's installed on, but increasingly going into other areas around, hey, how can we deliver even more value? For example, we're providing visibility into software running, but there's things like extensions, IDE plugins. What are these specific IDE plugins doing at runtime? What are browser extensions doing at runtime?

[00:20:22] There's a lot of browser security companies that look at what's happening from the browser to the other end of the web session. There's not as much that's looking at what are these extensions actually doing on your system in terms of what credentials are they accessing? How are they mismanaging memory in a way that's creating exploitable conditions? And the same is true with IDE plugins. So we want to provide real-time visibility across anything running in a customer organization.

[00:20:46] So the same amount of exposure, same amount of insight into what your exposure is as you do to everything that's exploiting that, right? So right now we've got near, we've got runtime visibility into threats, but the 99.9 stuff that we've already put on our systems, we have pretty static visibility into. And I think probably that disparity is something that attackers are taking advantage of.

[00:21:11] And is there a partner opportunity for you this year to say, well, can we just get in with this type of technology partner and we're going to get some acceleration? There are. There's a couple of different partners that we're working with. Some are very regionally focused in cybersecurity. Others have national practices, but they're very focused on vulnerability management, security architecture. One of the things that our customers are doing is, you know, they're continuing to get requests from users to use new software,

[00:21:38] which is good because I've seen a lot of cases where people don't request, they just go ahead and find a way to install it. And so, you know, security architects are, you know, in vulnerability management teams and sometimes even third-party risk teams, they don't have the bandwidth to do a deep technical analysis of every piece of software. They're like, oh, no CVE. It's good. Vendor assessment. Check the box. Sure, go ahead. So we're working with some partners who are helping security architects totally overhaul the software evaluation process.

[00:22:05] So now organizations POC a piece of software while the requester is evaluating it for functionality. We're seeing all the behavior of the software and score it and say, hey, why are you doing these things? Why is this software accepting revoked certificates and creating these types of network connections and running at this privilege level? So that's doing the security review before the security review. That's right. What we're doing is essentially vulnerability management is typically something where you wait for CVEs to come in,

[00:22:32] you prioritize, then you send out work for teams to patch, and then you try to portray a picture of your residual risk. We're trying to help vulnerability management shift left from the time software gets installed in the organization or is even being considered for installation, give them ability to evaluate it at scale, and then really shift right in terms of empowering their peers on the blue team and security engineering ways to mitigate the risk.

[00:22:57] So, which overall means the CISO and the security organization is way more empowered to manage software vulnerability risk rather than just portraying it as a problem for like server, desktop, and other teams to solve. Well, Joe, thanks for joining us on the podcast. Thanks for having me. It's been great. Good luck for the rest of the week. I know you probably got a whole bunch of different types of meetings set up for the week. I do. I hope the time was worthwhile before you fly back to home. Yeah, I think it will be. It's great to be here, Andrew, despite not being ready for salubrious at 7 a.m.

[00:23:30] Another segment for Visionary or Smoking Crack. Introduce yourself. Robbie Robbins, VP of BD at NetRise. All right, Robbie. I'm going to throw out some bold predictions about the future of sales, cybersecurity, cybersecurity sales. And you have to tell me, am I a deep thinking, insightful visionary? Or did I inhale a little bit too much walking through the Tenderloin on the way to the conference this morning? Are you ready? Absolutely. All right.

[00:23:56] By 2030, 80% of cybersecurity purchases under $100K will happen without a human seller or a human buyer, just AI agents buying and selling. Yeah, you're smoking crack on that. Tell me more. Well, considering how long it's taken us to get here, I don't really see AI suddenly revolutionizing buying and selling in five years. All right, next one.

[00:24:21] In five years, more CISOs will report to CFOs than to CIOs or CEOs and sales in the enterprise will shift to being finance first and security second. Is that visionary or is that smoking crack? Yeah, I think that is a bit of a revelation. I think you're on to something there. It's an economic decision a lot of times instead of a checkbox requirement. So I do think it will be more finance driven in the future. Cool.

[00:24:50] Number three, in 10 years' time, both the RSA conference and Black Hat will be gone, completely dead. Is that visionary or smoking crack? Yeah, you're smoking crack. I mean, how long has RSA been around, right? 30 years? Probably 30 years. So, you know, another 10 years, is it going to go away completely? No, I don't see it happening. It may change quite a bit, but I don't see it going away. Maybe it should change quite a bit, right? Yes, exactly. It might be virtual for all we know. Next one.

[00:25:19] By 2030, Shedeur Sanders will have won a Super Bowl. Visionary or smoking crack? Smoking crack. Tell me more. Will he even make the league? Right? I think it's a wild card whether or not he's going to stick on anybody's roster. All right. Final one. Recently, Google announced they're acquiring Wiz and some people in the industry called the merger and the acquisition G Wiz. So, question for you.

[00:25:46] Within 12 months, the OT security company Insane Cyber will buy another OT security company that's called Century, and the combined company will be renamed to Insane Asylum. Is that visionary or smoking crack? That's smoking crack, right? That's a marketing dream. It's meant to be. Surely it's meant to be. We need to find the executives of these companies and propose a merger. Well, Robbie, thanks for joining us. Thank you very much, Andrew.

[00:26:29] It would mean a lot to me and to the continued growth of the show if you'd help get the word out. So, how do you do that easily? There are two ways. Firstly, just simply send a link to a friend. Send a link to the show, to this episode. You can email it, text it, Slack it, whatever works for you, and it's easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated, so I've made it as easy for you as I can.

[00:26:55] You simply have to go to ratethispodcast.com slash cyber. That's ratethispodcast.com slash cyber. And it explains exactly how to do it. Either of these ways will take you less than 30 seconds to do, and it will mean the world to me. So, thank you.