
Peiter Zatko 'Mudge' Takes Job at Security Company Founded by Chad Loder


Former Twitter security chief Peiter Zatko, whose whistleblower complaint against the company has sparked several ongoing investigations, has joined security firm Rapid7, where he will advise a range of consulting clients, the Boston-based company told the Washington Post.

The post will be Zatko’s first official role since being fired by Twitter a year ago after a clash with then-CEO Parag Agrawal over what Twitter’s board should be told about the company’s security, which Zatko said was disastrous.

Zatko had been hired by co-founder Jack Dorsey after a series of high-profile breaches at Twitter, but Dorsey’s attention was elsewhere. Agrawal, the company’s former chief technology officer, had been responsible for many of the security decisions Zatko dealt with before Agrawal took over from Dorsey.

Widely known by his former hacker alias Mudge, Zatko was a pioneer in the security sector during the 1990s. He then led cybersecurity grantmaking at the Defense Advanced Research Projects Agency, worked on special projects at Google, and created the security department of payment company Stripe.

His outspoken reputation grew out of his break with Twitter and likely scared off a number of potential employers.

But Rapid7 chief executive Corey Thomas said he admires Zatko’s candor and commitment to figuring out which security investments actually pay off.


“In order to move our industry forward, we need to educate organizations on how and what to measure to ensure we’re making the right investment,” Thomas said. “Peiter’s extensive experience in this area and his work on measuring cybersecurity practices will be invaluable to Rapid7 and our customers.”

Rapid7 sells security tools and offers services, including penetration testing, and serves 44% of the US Fortune 500 companies by revenue. The company is not afraid of controversy: it is widely known as the maintainer of Metasploit, an open-source hacking tool that adds new techniques within hours of their disclosure.

One of the company’s co-founders was Chad Loder, now an activist who documents racist and far-right abusers, some of whom participated in the Jan. 6, 2021, Capitol riot. Loder was banned from Twitter by order of owner Elon Musk, according to a former employee who saw a screenshot of the notes accompanying the decision.

After his termination from Twitter in January 2022, Zatko filed his whistleblower complaint with the Securities and Exchange Commission, arguing that Twitter’s security was so poor that it violated a previous Federal Trade Commission settlement agreement, and that the company’s failure to notify shareholders of this constituted fraud. Among other things, he said half of the company’s servers were running outdated software and thousands of engineers had full access to Twitter’s code base with little monitoring of their activity.


Musk, who is also the chief executive of Tesla, seized on the revelations in an unsuccessful bid to back out of buying Twitter for $44 billion.

The SEC shared Zatko’s complaint with Congress, which held a hearing in September and pledged to improve oversight in the interest of privacy and national security. The SEC, FTC and European agencies are still investigating Zatko’s claims.

Zatko declined to comment on Twitter’s turmoil since its takeover by Musk, which has included outages and the removal of numerous security experts and about three-quarters of its employees.

As an “executive-in-residence” at Rapid7, reporting to Thomas, Zatko said he plans to work with information security leaders and boards of directors who are “hungry to know how to evaluate their investments in cyber – does it pay off, can they predict the likelihood of problems?”


Data can be painted over to make a security posture look great or terrible, and vendors try to make ordinary abilities look magical.

At DARPA, where he introduced a framework for analyzing the effectiveness of security programs, Zatko said he was “trying to bring contextual data to security.”

“We are at an inflection point in the field where we can measure cyber, whether investments are having a positive or negative impact. And there are forces that could be against that.”

Correction

An earlier version of this story incorrectly characterized Zatko’s new position as full-time. This version has been corrected.
