Jul 12, 2026

AI Just Collapsed the Hacker Talent Gap to a Subscription

An interview with Damien Lewke, Founder of Nebulock

Founder Focused

0:00 / 0:00
💡
At a Glance
  • WhoDamien Lewke is the founder and CEO of Nebulock, who discovered his passion for security on his first day as an intern at Northrop Grumman, built cyber ops and threat hunting teams in the DoD, and held roles at CrowdStrike, Palo Alto Networks, and Arctic Wolf before quitting his job in early 2024 to pursue the company full-time.
  • What: Nebulock is a contextual security platform that looks across the security tools an organization already owns and finds potential threats hidden between the layers, aiming to democratize threat hunting for organizations of any size, skill set, or budget.
  • Traction: Nebulock raised a $25 million Series A led by FirstMark with participation from existing investors Bain Capital Ventures, Decibel, Zetta Venture Partners, and Step Function, and counts customers from the Fortune 500 to growth-stage security companies like Cribl.
In this interview, Damien Lewke reveals why a Mythos-level model in the wrong hands worries him less than what comes after it, how attackers stopped breaking in and started logging in instead, the three telltale signs that an account inside your company has been compromised, and why the question that made him finally quit his job was whether he could solve this problem for zero dollars.

Key Takeaways

AI Has Collapsed the Hacker Talent Gap to a Subscription Model
Elite security judgment takes a decade or more to build, but a Mythos-level model lets a script kiddie do what was once reserved for a very elite group of people. Lewke says the pool of potential threat actors has exploded from a few score sophisticated groups to two people and a GPU, and the effects cascade from individuals to companies to nation-states.
Attackers Don't Break In Anymore. They Log In and Blend In
Ten years ago, attackers simply behaved in bad ways; today they steal your credentials, log in at normal hours, and look completely normal. Each action is a green flag in isolation, and only the sequence and context of events reveal the glaring red flag.
Threat Hunting Is the Fire Marshal, Not the Smoke Detector
An alert tells you a fire has already started; a threat hunter walks the building beforehand and assumes an attacker is already inside. Across the DoD, CrowdStrike, Palo Alto Networks, and Arctic Wolf, Lewke kept seeing defenders one step behind because they only reacted to alerts, and that gap is exactly why Nebulock exists.
Could You Do It for Zero Dollars? Then You're Ready
Before quitting his job in early 2024, Lewke asked himself whether he could work on this problem and make zero dollars doing it, and the resounding yes told him he was ready. His advice to founders: fall in love with the problem, not the solution, and back your conviction no matter what the world tells you.
The Sky Is Not Falling. Fear Inaction Instead
Lewke does not believe AI will catastrophically destroy security; it is here both to create and to solve the challenge for network defenders. What worries him is wasting a very rare window of time, seeing the warning signs of machine-speed attacks and doing nothing.
Below is the complete transcription of the interview. Minor edits have been made for clarity and readability.

Love the Problem, Not the Solution

Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
I'm Damien Lewke. I'm the founder and CEO of Nebulock. Nebulock is a contextual security platform. Really, what we do is look at all the existing security tools that you have, and we find potential threats hidden between the layers. We raised a $25 million Series A led by FirstMark with participation from all of our existing investors: Bain Capital Ventures, Decibel, Zetta Venture Partners, and Step Function.
I'm very fortunate. I discovered my passion. My first day on the job as an intern at a company called Northrop Grumman. So, I started my career in the DoD, building out cyber ops and threat hunting teams, before being a relatively early employee at CrowdStrike, joining after the Series C, being there through and after the IPO.
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
My first job when I was in the DoD, I actually worked full-time and went to grad school at night to get a master's in aerospace systems engineering. What that taught me was not to be a hero every single day, but that what was most important was that you showed up and did your best as best you could, day in, day out. That's really expanded as I've gone throughout my career. So, on the personal side, I have a challenge where I run a thousand miles a year. It's the same kind of idea, which is: at 10:30 in the morning on a Tuesday in February, can you show up and do your best the same way that you would on a Friday morning when everything is going great?
I then had a chance to experience network security at Palo Alto Networks and managed detection and response, running the AI detection and security research product teams at Arctic Wolf. And I took a stint at MIT, writing a graduate dissertation at the computer science and AI lab there.
What led me to start Nebulock really was a two-sided problem. So, the first is, beginning as an operator, I saw the real problem that all of our existing customers had at Arctic Wolf, and also what our 1,200-person security operations center had. The dissonance was that everybody had already invested in these best-of-breed tools, and despite owning the Audi or Ferrari of security, everybody was still getting compromised.
And it was because different point solutions to specific problems were not the way to solve how not to get breached. It was rethinking everything from first principles. Two years ago, my thesis was: adversaries, or bad actors, are going to use AI to automate tailored access operations. They're going to be able to automate the entire life cycle of targeting an enterprise, compromising it, achieving their objective, and slipping out undetected. And it was those two problems that led me to build Nebulock. The idea being we can democratize the most high-leverage activity in security to all organizations, regardless of size, skill set, or budget, in a way that's flexible and integrates with the existing systems that they have.

How the Security Talent Gap Collapsed into a Subscription

I'd say the power distribution has already happened. Much like how AI has enabled productivity for developers, it's also allowed both attackers and defenders to up-level themselves. Elite AI engineering or elite security judgment? Certainly elite security judgment. That gut instinct takes a decade or more to build, and that is a very small subset of people. But a Mythos allows a script kiddie, a non-sophisticated threat actor, to be able to do things that used to be reserved for a very elite group of people. What the actual power convergence means is not "Hey, can I do things faster?" but rather that the talent gap has collapsed to a subscription model.
It impacts it in a cascading series of events. So it starts with the individual and then moves on to companies, because an individual can quickly adopt AI. A company can adopt AI relatively quickly. But ultimately, this will go towards nation-states. We see that with nation-states already, the US Cyber Command is using AI as part of its components. That is really, really concerning. But I also think the broader, more existential question is what happens when the citizen hacker, when one person, gets access to a Mythos-level model. Because they aren't governed by geopolitics and rules of engagement. They can do what they want. And I think that that will happen.
The number of potential threat actors is dramatically increasing. You've gone from a few score highly sophisticated groups to, honestly, two people and a GPU who, with enough conviction, can target a company. You see earlier-stage companies being targeted. We've seen this in the headlines recently, where growth-stage companies like Vercel have had breaches. That's no fault of anyone's, but just when more people can do these things, you're going to see a greater frequency and severity of threats.

Quitting with No salary: The $0 Test

I got to a point in early 2024 where I decided to quit my job outright and focus on this problem. There was a core moment where I genuinely asked myself: could I try and solve this problem and make zero dollars doing it? And the answer was a resounding yes, and it was at that point that I knew I was ready. Thankfully, we've been able to grow and scale this business. I'm joined by some amazing folks. We get to partner with organizations from the Fortune 500 to growth-stage security companies like Cribl as customers.
Why was I okay making zero dollars and going after this? As a founder, I think what you really need to be obsessed with is the problem, not the solution. Ultimately, you build a team to help you design the solution, and you validate your idea with the market to design the solution, but you have to fall in love with the problem. And to me, the problem was just so pervasive that I realized I had to do my absolute best. And you just got to show up day in, day out and see, like, "Hey, wait a minute. Is this something you can really go after?" And I was fortunate that I did early market discovery that validated the thesis and ultimately allowed us to build what we've built today. No matter how right or wrong the world tells you that you are about the idea you're pursuing as an entrepreneur, the key is that you have conviction and that you continue to back yourself up with that. I think that's really important as a founder.

How One Person Actually Hacks with AI

Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
So, do I think that cyber attackers are not just targeting governments or the Fortune 100, but normal people? Absolutely. They're able to remotely access your Google Workspace account. Once they have access to your Google Workspace account, they're able to access elements of your Google Drive, and eventually they are able to find a way to work their way onto your system, and they can basically go wherever they want. They can move laterally and access critical cloud resources because, again, they look completely normal.
Those are the hardest to spot, because those are the ones who, in isolation, have green-flag activity, but it's only when you take a step back, look at the sequence of events, and the context of their actions, that you can actually spot a glaring red flag. Whereas about 10 years ago, cyber attackers behaved in bad ways. I think that's what's changed a lot, especially since I started in security, right? Attackers are going to try and blend in. They're going to log in at normal hours. They're going to steal your username and password so it doesn't look suspicious or malicious. Can I distinguish Damien as Damien versus Damien whose account has been compromised? What that actual sequence of behavior looks like, and based on that sequence, can I say, "Oh, that's Damien. It's totally cool," or "Hey, wait a minute. Damien's doing something he shouldn't be. Has he been compromised?

6 Steps of Cyber Attack

The real concern here is that everything I described is being done by one person. So, you don't need a team to do all of these things anymore. You can do it as one very patient person. So, if I could draw an axis across the cyber kill chain: reconnaissance, targeting, exploitation, persistence, lateral movement, and then action on objectives. AI has already automated kind of the first three core components, and humans are being orchestrated on the last part. And then if I have a cost on my Y-axis, the cost would be very low, and then it would get very high. So you kind of have the kill chain on your X-axis and cost on your Y-axis. If I were a threat actor right now: reconnaissance, basically $0. Writing a phishing email, also very cheap. Vulnerability exploitation is getting significantly cheaper. Establishing persistence is also relatively cheap.
Right now, lateral movement and ultimately achieving your objective still require a human. It's bit more expensive. A human plus an agent can get there together, but you still need a human. But the first four components of that are basically automated. As attackers go to machine speed, do we think that defenders are going to machine speed as well? I think we have the opportunity to do that now.

Assume You're Already Hacked

The core thread that I saw was that as defenders, we were always one step behind the attackers. In the DoD, we had to operate with the information that we had access to, without knowing everything the adversary could. At CrowdStrike, we scaled that effectively on the endpoint, but the endpoint was only part of the enterprise puzzle. The same at Palo Alto Networks, right? We had the network, but that was only part of the puzzle. And then finally, from the managed detection and response side at Arctic Wolf, you had best-of-breed solutions, but you could only solve problems as well as the existing tools that you had, and you were responding to everything reactively. So, the common thread was that attackers were always one step ahead of defenders, and that's because we were always reacting to alerts as opposed to proactively leaning into how threat actors might be getting around our systems. And it was that gap that prompted me to start Nebulock.
That's really where threat hunting comes in. Threat hunting is analogous to cybersecurity operations, much like the difference between a fire marshal and a smoke detector. So, in cybersecurity, when you have an alert system, that's your smoke detector. There's a fire going off, and I'm alerting you that something bad has happened. Whereas a threat hunter is like a fire marshal. They go into a building before the fire, and they point out the risks or risk areas that might be impacted should there be a fire. Threat hunting exists under the auspice that you should assume a breach. You should assume that an attacker is within your environment. So, does this specific person with these specific permissions have access to the kind of data they're touching?

The Three Signs an Attacker is Already Inside Your Environment

For example, there are really three key things that an attacker will do that show compromise. The first is there will be a slow but consistent exfiltration of data that looks much like backup behavior: all desktop files being uploaded to a personal Google Drive. The second piece will be performing outside the scope of their initial role. So, the marketing intern is accessing financial information. And then the third is, at some point, you will see some sort of persistence mechanism. That could be a remote management tool being installed so that they can access the system at any time. Or that might be the multiplication of accounts that they have access to. So, opening up service accounts when they're a human user, for example. Those are the three things. That's exactly why we exist, right? Nebulock is a contextual security platform. Really, what we do is look at all the existing security tools that you have, and we find potential threats hidden between the layers.
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
Damien Lucius, Courtesy of EO
Cybersecurity very quickly is becoming an existential question. Which is not, "Hey, will something bad happen?" but when something bad happens, what do we do about it? The key that we all have to accept is at some point a threat actor will target us. That's not to fear-monger; it's just the reality of a world where the democratization of cyber attacks is a reality.

Don't Fear AI, Fear Inaction

I would not fear that AI is going to catastrophically destroy everything when it comes to security, but rather that AI is here both to create and solve the challenge for network defenders. So, the sky is not falling. What I would tell them to fear, or be concerned about, is inaction. That we don't see these warning signs and instead do nothing. So, I think we have, again, a very rare window to act. And that whole thesis, that whole idea, is exactly why Nebulock exists. To democratize the highest-leverage thing, which is all about finding bad activity before it becomes a persistent breach, and giving that back to the people.

What You Need as a Founder

Now, I think one thing that, as a founder, most people don't think about is that there's you, the business person, and then there's you, the person. Having a personal support network is really, really important. I think what makes my dad so great as a mentor to me is that he understands me deeply. I mean, he's my dad. I'm very fortunate in that regard to have access to someone with whom I have a long-standing, deep, and meaningful relationship. And he also reminds me to show up as my truest self, as opposed to hyper-optimizing to be just Damien the CEO, but rather Damien the person, Damien the founder, Damien who wants to build an environment where people can thrive and grow and do their best work. So, I was not anticipating that question. And you got me a little emotional.

Join the 1.5M+ founders inbox
to get the latest updates.

Explore more
AI Just Collapsed the Hacker Talent Gap to a Subscription