-
Damien Lewke, founder and CEO of Nebulo, argues that AI has collapsed the cybersecurity talent gap into a subscription model — meaning a single unskilled attacker with AI can now do what once required an elite team — and that defenders must shift from reactive alert-chasing to proactive, contextual threat hunting before the window to adapt closes.
- Nebulo is a contextual security platform that looks across all of a company’s existing security tools to find threats hidden between the layers. It raised a $25 million Series A led by FirstMark with participation from Bain Capital Ventures, Decibels, Zetta Venture Partners, and Step Function.
- Lewke’s career arc — DoD cyber ops and threat hunting, early employee at CrowdStrike through and after its IPO, network security at Palo Alto Networks, AI detection research at Arctic Wolf, and a graduate dissertation at MIT’s Computer Science and AI Lab — gave him a firsthand view of why best-of-breed point solutions kept failing to prevent breaches.
-
The core problem: attackers are always one step ahead because defenders operate reactively on isolated alerts, while adversaries exploit the gaps between tools.
- Lewke describes the defender’s dilemma through his career: at the DoD he operated with incomplete information; at CrowdStrike the endpoint was only part of the puzzle; at Palo Alto Networks the network was only part of the puzzle; at Arctic Wolf he could only respond reactively to what existing tools surfaced.
- His thesis, formed two years ago: adversaries would use AI to automate the entire lifecycle of targeting, compromising, and exfiltrating from an enterprise while remaining undetected.
-
AI has automated the first four steps of the cyber kill chain, making it cheap and easy for a single person to carry out sophisticated attacks.
- Across the kill chain — reconnaissance, targeting, exploitation, persistence, lateral movement, action on objectives — AI has already automated reconnaissance ($0 cost), phishing, vulnerability exploitation, and establishing persistence. Lateral movement and achieving objectives still require a human, but a human paired with an agent can get there.
- A single attacker can now remotely access a Google Workspace account, move laterally into cloud resources, and blend in so that each individual action looks like a green flag — only the sequence and context of actions reveals the compromise.
- Lewke’s example: distinguishing between “Damien” and “Damien whose account has been compromised” requires looking at the full behavioral sequence, not any single event.
-
Three signs an attacker is already inside your environment: data exfiltration that mimics backup behavior, activity outside the user’s normal role, and a persistence mechanism like a remote management tool or multiplied service accounts.
- Examples: all desktop files being uploaded to a personal Google Drive; a marketing intern accessing financial information; a human user opening service accounts.
- This is exactly the gap Nebulo is built to fill — finding bad activity before it becomes a persistent breach by correlating context across existing security tools.
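The three signs above, correlated per user across tools, as an added example that is not Nebulo's code or anything shown in the interview. The event fields, role scopes, 100-file threshold and 24-hour window are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: role scopes, the 100-file threshold and the 24h window are illustrative.
ROLE_SCOPE = {"marketing_intern": {"marketing"}, "finance_analyst": {"finance"}}
BULK_FILES = 100
WINDOW = timedelta(hours=24)

# Constructed events: (time, source tool, user, role, action, details).
EVENTS = [
    ("2024-05-01T09:00", "saas", "intern1", "marketing_intern", "file_read", {"category": "marketing"}),
    ("2024-05-01T10:00", "saas", "intern1", "marketing_intern", "file_read", {"category": "finance"}),
    ("2024-05-01T11:00", "endpoint", "intern1", "marketing_intern", "file_upload", {"dest": "personal_drive", "files": 250}),
    ("2024-05-01T11:30", "cloud", "intern1", "marketing_intern", "create_service_account", {}),
    ("2024-05-01T09:30", "endpoint", "analyst1", "finance_analyst", "file_upload", {"dest": "personal_drive", "files": 150}),
    ("2024-05-05T14:00", "cloud", "analyst1", "finance_analyst", "create_service_account", {}),
]

def signs_for(event):
    """Map one event to zero or more of the three signs."""
    _, _, _, role, action, d = event
    found = set()
    if action == "file_upload" and d.get("dest") == "personal_drive" and d.get("files", 0) >= BULK_FILES:
        found.add("backup_like_exfil")
    if action == "file_read" and d.get("category") not in ROLE_SCOPE.get(role, set()):
        found.add("outside_role")
    if action in ("create_service_account", "install_remote_mgmt_tool"):
        found.add("persistence")
    return found

def hunt(events):
    """Per user, find the largest set of distinct signs inside one window."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        for sign in signs_for(e):
            hits[e[2]].append((datetime.fromisoformat(e[0]), sign))
    findings = {}
    for user, seen in hits.items():
        best = set()
        for start, _ in seen:
            window = {s for t, s in seen if start <= t <= start + WINDOW}
            if len(window) > len(best):
                best = window
        # One sign alone stays low priority; two or more together escalate.
        findings[user] = ("high" if len(best) >= 2 else "low", sorted(best))
    return findings

if __name__ == "__main__":
    for user, result in hunt(EVENTS).items():
        print(user, result)
```

The second user shows two signs four days apart, which stays low priority because they never share a window.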
-
The claim that the “talent gap has collapsed to a subscription model” means the number of potential threat actors is expanding dramatically, from a few dozen sophisticated groups to potentially anyone with conviction and a GPU.
- Nation-state organizations like US Cyber Command already use AI as part of their operations. The greater concern is the “citizen hacker” — an individual not governed by geopolitics or rules of engagement who can target companies at will.
- Lewke points to recent breaches at growth-stage companies like Vercel as evidence that less sophisticated, earlier-stage organizations are now being targeted.
- He frames the existential question not as “will something bad happen?” but “when it happens, what do we do about it?”
-
Threat hunting versus alerting: a fire marshal versus a smoke detector.
- Alerting is reactive — it tells you a fire is already burning. Threat hunting is proactive — it identifies risk areas before a fire starts, operating under the assumption that a breach has already occurred.
- Lewke argues defenders must adopt this “assume breach” posture and proactively lean into how attackers might be moving, rather than waiting for alerts.
-
Lewke quit his job in early 2024 with no salary to build Nebulo, using what he calls the “$0 test” — if he was willing to make zero dollars pursuing the problem, he knew he was ready.
- His advice to founders: fall in love with the problem, not the solution. The solution gets designed with the team and validated by the market; the problem is what sustains conviction.
- He emphasizes the importance of a personal support network — specifically his father as a mentor who reminds him to show up as “Damien the person” rather than hyper-optimizing to be “Damien the CEO.”
-
Lewke’s closing argument: fear inaction, not AI.
- He does not believe AI will catastrophically destroy cybersecurity, but rather that it creates both the threat and the solution. The danger is ignoring warning signs and doing nothing during what he calls a rare window to act.
- Nebulo’s mission is to democratize the highest-leverage activity in security — finding bad activity before it becomes a persistent breach — and make it available to organizations regardless of size, skill set, or budget.