Why I Decided to Join Empirical Security
After three decades in the trenches of technology and cybersecurity—as a practitioner, a CISO, and a founder—I’ve learned that the more things change, the more the fundamental problems persist. I helped build and lead Kenna Security, where we pioneered what became known as Risk-Based Vulnerability Management (RBVM). We worked to shift the industry from “patch everything” to a more data-informed, prioritized approach.
Our success led us to Cisco, where I had the opportunity to broaden our impact and apply data-driven thinking across the wider security portfolio. Yet, even with all the advances we made, I couldn’t shake a lingering truth: the core challenge still isn’t solved.
That’s why I’m excited to share that I’ve joined Empirical Security—a company built on deep technical roots, a bold vision, and a mission that resonates with where I believe the industry needs to go next.
Why Michael and Jay’s Work Stands Apart
What drew me to Empirical wasn’t just the mission—it was the people. Michael and Jay have spent over a decade applying rigorous data science to some of cybersecurity’s most stubborn problems. They’re not just dabbling in ML and stats—they’ve been shaping the field.
Their most notable contribution? The Exploit Prediction Scoring System (EPSS). It’s become a critical part of the vulnerability management ecosystem, providing a predictive lens into which vulnerabilities are most likely to be exploited in the wild. It’s not only scientifically sound—it’s also practical, scalable, and adopted across the industry.
Their body of work represents what I believe is the foundation of the future: cybersecurity that is empirical, testable, and grounded in data.
Why Models Must Become Local
Having helped build what are arguably the most widely used and effective global models in cybersecurity, I can say this with confidence: global models are not enough.
Security is deeply contextual. What’s high-risk for one organization might be irrelevant for another. Your stack, your architecture, your adversaries—they’re all unique. Yet most vendors offer one-size-fits-all models that overlook these nuances.
At Empirical, we believe that all security models will eventually need to become local—tuned to each organization’s environment, telemetry, and threat landscape. Global models provide a baseline, but to be truly effective, models must adapt to your world, not the other way around.
A New Chapter, Same Mission
Joining Empirical Security is a continuation of the work I’ve dedicated my career to: solving real problems in security with data. The next frontier isn’t just more data—it’s more relevant data, more adaptive models, and more context-aware decisions.
With our funding round led by our friends and partners at Costanoa Ventures, I’m thrilled to help shape this future alongside some of the sharpest minds in the space. We’re just getting started.
Stay tuned.
Ed Bellis, Jay Jacobs, and Michael Roytman