Joe Sullivan has led security at Meta, Uber, and Cloudflare. Here’s why he’s excited to join StackHawk’s board.
I’ve spent the last few months telling anyone who will listen: runtime is the word for 2026.
So when the opportunity came to join StackHawk’s board, it was an easy decision. They’re building what the industry needs next.
The Inflection Point
I’ve been in security for more than 25 years — first as a federal prosecutor, then building and leading security organizations at Facebook, Uber, and Cloudflare. Over that time, I’ve watched the industry go through several major inflection points. The shift when consumers discovered the internet and the shift when we all moved to mobile were both huge. But the one we’re in now may be the biggest yet.
Just in the last few months, AI has fundamentally changed one job – software engineering. AI coding tools have fundamentally altered how software gets built. Organizations are rapidly adopting AI coding assistants, and engineers are shipping faster than ever. That’s good for innovation and good for business, but it creates a real challenge for security teams.
When AI generates code at 10x the previous pace, traditional code security tools generate 10x the noise. And the vulnerabilities that actually matter – business logic flaws, authorization bypasses, the things attackers really exploit – don’t show up in static scans anyway.
The code side of this problem is getting solved. The runtime side isn’t.
Look at Claude Code Security. It’s still early, but the results are already clear: Anthropic’s latest model found more than 500 bugs in production open-source software that had survived years of expert review. AI reasoning about code is getting meaningfully better than rule-based static analysis. That’s a real capability shift.
But Claude Code Security still doesn’t run your application. It can’t send requests through your API stack. It can’t observe how your authentication and authorization layers actually behave together. And it can’t confirm whether a vulnerability is truly exploitable.
Those issues only show up when code actually runs.
And as AI-generated code expands the attack surface faster than ever, the runtime problem only gets bigger.
The job of security is shifting to what happens when the code executes. That’s where the real risks are.
Why StackHawk
The security leaders I talk to already know their current tools can’t keep up. They need testing that runs fast enough for modern pipelines and smart enough to catch what static analysis misses.
That’s the gap StackHawk fills, and that’s why I’m joining their board.
I only work with a handful of companies at a time. I look for teams building something the market actually needs. Founders Joni Klippert and Scott Gerlach, along with their product team, have built something that fits this moment: security testing designed for the speed at which software actually ships today.
StackHawk tests running applications for real, exploitable risks – and not just in production.
Runtime doesn’t mean production.
StackHawk was designed for scale. Developers can test as they work through the StackHawk MCP or in their local environments. Scans can also run inside customers’ infrastructure as part of their build pipelines.
The security companies that succeed won’t try to compete with foundation models. They’ll build on top of them, and in the areas where they don’t extend. StackHawk is using AI to make runtime testing more powerful and more accessible, and that’s the right side of the line to be on.
Runtime testing is where the industry is going. StackHawk is already there.