Zatko had been hired by co-founder Jack Dorsey after a series of high-profile leaks at Twitter, but Dorsey’s attention was elsewhere. Agrawal, the company’s former chief technology officer, was responsible for many of the security decisions Zatko faulted before Agrawal succeeded Dorsey.
Best known for the old hacker handle Mudge, Zatko was a pioneer in the security industry in the 1990s. After that, he worked on cybersecurity grants at the Defense Advanced Research Projects Agency, worked on special projects at Google, and built a security department at payments company Stripe.
His reputation for outspokenness grew from his split with Twitter, which may have scared off many prospective employers.
However, Rapid7 CEO Corey Thomas said he appreciates Zatko’s candor and commitment to understanding which security investments actually pay off.
“To move the industry forward, we need to educate organizations on how and what to measure to ensure they make the right investments,” said Thomas. “Peiter’s extensive experience in this area and his commitment to measuring cybersecurity practices will be invaluable to both Rapid7 and our customers.”
Rapid7 sells security tools and provides services, including penetration testing, and serves 44% of the Fortune 500. Its Metasploit is an open source penetration-testing framework that adds newly published techniques within hours of their disclosure.
The company’s co-founder is Chad Loder, now an activist documenting racist and far-right attackers, including those who participated in the Jan. 6, 2021 Capitol riot. Loder was banned from Twitter by order of its owner, Elon Musk, according to a former employee who saw a screenshot of the memo accompanying the decision.
After being fired from Twitter in January 2022, Zatko filed a whistleblower complaint with the Securities and Exchange Commission, alleging that Twitter’s security was so poor that it violated a previous Federal Trade Commission settlement agreement, and that the company had committed fraud by failing to warn shareholders about it. Among other things, he said half of the company’s servers were running outdated software, thousands of engineers had full access to Twitter’s codebase, and their activity was largely unmonitored.
Musk, who is also Tesla’s chief executive, cited the disclosure in an unsuccessful attempt to back out of his plan to buy Twitter for $44 billion.
The SEC shared Zatko’s complaint with Congress, which held a hearing in September and promised to improve oversight of privacy and national security. The SEC, the FTC, and European agencies continue to investigate Zatko’s allegations.
Zatko declined to discuss Twitter’s turmoil since its acquisition by Musk, which has included the resignations and layoffs of many security professionals, and of about three-quarters of the employee base.
Zatko, who reports to Thomas as Rapid7’s “Resident Director,” said he plans to work with chief information security officers and boards who are hungry for ways to evaluate their cyber investments.
Data can paint a picture of what a good security posture looks like and what a terrible one looks like. Vendors try to make normal functionality look like magic.
Zatko traces the approach back to DARPA, where a framework for analyzing the effectiveness of security programs was introduced, and says, “We’re trying to bring data with context into security.”
“We are at an inflection point where it can be measured whether cyber investments are having a positive or negative impact.”