At RSA Conference 2026, leaders from StackHawk discuss application security, runtime testing and the impact of artificial intelligence (AI) on code generation and developer workflows. Joe Sullivan, board member at StackHawk, and Joni Klippert, founder and chief executive officer of StackHawk, Inc., join theCUBE Research in a conversation hosted by Dave Vellante and the theCUBE team. They explore agentic dynamic application security testing (DAST), API and large language model (LLM) discovery, and how security integrates with continuous integration and continuous delivery (CI/CD) pipelines and modern developer toolchains.
Klippert emphasizes automating runtime testing and shifting DAST left to run in CI/CD so that security runs alongside development. She highlights the importance of discovering APIs and LLM integrations to give AppSec teams visibility and reduce blind spots in production environments. The discussion covers practical factors to consider when embedding security into developer workflows and toolchains.
Sullivan warns that AI non-determinism increases the attack surface and encourages integrating security directly with engineering practices. He calls for funding AppSec to scale with rising code velocity and for security teams to adopt fast, portable approaches that fit inside developer pipelines. The conversation addresses implications for API security, runtime security and DevSecOps strategies.
Joni Klippert & Joe Sullivan, StackHawk
In this interview from RSAC 2026, Joni Klippert, founder and chief executive officer of StackHawk, joins Joe Sullivan, board member at StackHawk, to talk with theCUBE's Dave Vellante about how AI-accelerated code generation is outpacing traditional application security. Klippert traces StackHawk's origins to a core frustration: runtime testing was happening in production, far too late, generating backlogs developers couldn't clear. She details how one financial services customer went from 25,000 lines of code a month to 300,000 after adopting AI coding tools ...
Keep Exploring
What motivated the founding of StackHawk?
How was this type of vulnerability detection moved from production into the CI/CD toolchain, and what design and deployment decisions (e.g., configured-as-code, portable scanner) enabled integration with developer tools and immediate remediation?
When security professionals encounter AI tools like OpenClaw, what is their immediate reaction and how should organizations secure such AI systems (e.g., runtime monitoring versus perimeter controls)?
What is the company's total addressable market (TAM)?
How is AI affecting the role, visibility, and resourcing of enterprise security leaders and the staffing/skills needs of application security (AppSec) teams?
Dave Vellante
>> Welcome back to Moscone in San Francisco. We're here at Moscone West. You're watching theCUBE's live wall-to-wall coverage of RSAC 2026. Day three, we're getting deep into the content, starting to get a feel for the themes here. Of course, it's all about Agentic. It's kind of ironic. The theme of the show is the power of community, but of course all we're talking about is machines talking to machines. Joni Klippert is here. She's the founder and CEO of StackHawk. And Joe Sullivan is a board member at StackHawk with quite an interesting background. Folks, welcome. Good to see you.
Joni Klippert
>> Thank you for having us.
Dave Vellante
>> You bet. Joni, why did you start StackHawk? I always like to ask founders why they started their company. What was your why?
Joni Klippert
>> My why is I had been building software for software engineers for a long time, largely in the DevOps ecosystem. So how do we get our applications into production faster? How do we make sure that we're protecting them, making sure we have uptime? And our last company was acquired by Splunk in 2018. And I had to think about what was the next problem I wanted to solve. And I felt like application security was just the next mile of digital transformation. At the time, the type of testing we do, which is runtime testing, was happening in production, way too late. Software engineers were just building backlogs of vulnerabilities that they needed to fix. And for me, it was, we need to automate this as part of software delivery. This is crazy. So taking a technology that was kind of long to run and hard to run, but super valuable in its findings and making it something that was just automated.
Dave Vellante
>> And your focus is on testing, right? Exclusively, correct?
Joni Klippert
>> Not exclusively.
Dave Vellante
>> The reason I ask is because I see companies coming out with code generation and testing. And I'm like, that's like, yeah, I wrote the code. It's all looking really good. So how does it ... You know what I mean?
Joni Klippert
>> Yes.
Dave Vellante
>> It's perfect. So I'm always intrigued by somebody who started in testing as a specialist because the last thing you want to do is have the person who wrote the code test the code. So what's that dynamic like? So you said not exclusively. So explain that.
Joni Klippert
>> Yeah. Well, we do think actually that what we have to do to keep up with the pace of software delivery is automate the ability to test. And very quickly we're approaching Agentic DAST. So the ability to test a running application and fix it while you're inside of Cursor or Claude or whatever else. But the piece that we built that was more than just testing is as we started to sell into the enterprise, they would say to us, "I love that you test my APIs. I love that it's shift left and automated and great for developers, but I don't even know where all of my APIs and applications are." That was six years ago. Now we have 10Xed our software delivery and we're just getting started. So we built discovery from code, so the ability to look at the code base, look at repositories, figure out where all of our running assets are. And at the time it was, where are my APIs and where are my web apps? But now it's, where are my LLMs? Where are my LLMs that are speaking to my APIs? And making sure that we provide that visibility to AppSec teams who really aren't able today to keep up with understanding what's happening in software engineering.
Dave Vellante
>> Right. So you're not trying to be Cursor or Claude Code or Codex, you're trying to compress the time to actually test the code and ... Okay, got it.
Joni Klippert
>> Exactly. And remediate. Actually fix the vulnerabilities. Turns out that's the goal.
Dave Vellante
>> Not just send more texts to get a problem, more alerts. All right, Joe, tell us about your background. It's quite fascinating. A few companies that people have heard of.
Joe Sullivan
>> Sure thing. Yeah. I've been in security my whole adult life. I started out with the Department of Justice. I was the first federal prosecutor in the country prosecuting cyber crime full time. And then I went in-house. I worked at eBay and PayPal. I was the chief security officer at Facebook for seven years, Uber for almost three years and then four and a half years at Cloudflare. And now I spend my days helping startups scale their security and a little bit of work on the side supporting growing startups.
Dave Vellante
>> Okay. So I had Nir Zuk here three years ago, who was the founder of Palo Alto Networks. He said, "Dave, everything's changed. Security's a complete do-over." And I said, "Explain that." And he did. And of course, at the time it kind of made sense. It makes even more sense now. So you're seeing very rapid velocity of ... I mean, I think Google was here the other day. They were saying well over 50% of their code is generated by machines now. So what does that mean for ... Let's start with you, Joni, for your customers, and I'd like to understand what it means for CISOs.
Joni Klippert
>> For my customers, it's an incredible amount of change that's happening. I mean, we closed a new customer about a month ago, and it's a mid-market financial services firm, and they used to hand roll 25,000 lines of code a month. They employed Cursor. The next month, they wrote 250,000 lines of code. The next month, 300,000. And then they were sitting on a backlog of a million lines of code that they couldn't deploy because they actually were in a regulated industry. So they had to figure out, how am I going to keep up with this change? And engineering is the one job that has fundamentally changed. I mean, my own senior engineers haven't written a line of code since August. They're just prompting Claude. So it's really exciting to see this change, but it requires, to the point of, I think you said the Palo Alto CEO, a wholesale change in how you think about application security.
Dave Vellante
>> Yeah. It was actually Nir Zuk, their founder who's since retired. The CEO is Nikesh and he's got a whole nother story. But Joe, so you have been a chief security officer at leading technology companies. So when I look back three years ago, I felt like there was a ... The feeling at RSA was there's a balance. The attackers and the defenders, there's always a yin and yang and a catch-up, but I felt like at the time it was sort of less of an asymmetry than there is today. But when you're at a company like Facebook, you're at the leading edge. Company like Google, Facebook, Uber, eBay, you're at the leading edge, so there's maybe not as much of an asymmetry, but I feel like the technology industry is in the third inning of this AI wave, but the practitioners are in the first inning, running single agents, concerned about governance, et cetera. How do you see that asymmetry? Is it widening for most companies, not the leading edge technology companies that you're used to, but some of the ones that you're consulting with?
Joe Sullivan
>> I think you're right. In 2026, the bad guys are all jumping into using AI and they don't have to get through a governance committee to turn it on. The good guys, we have processes. We got to manage risk. And so even if the security team wants to deploy the coolest new AI solution, we got to test it. We've got to make sure that it works. Even when we use the awesome AI coding tools, we've got to bring in AppSec solutions and we got to test them all. From the good guy standpoint, there's one thing that's scary about AI and that's that it's non-deterministic. Anybody who's used one of the chat interfaces knows it doesn't always give you the right answer. And so if we're going to put our companies dependent on these things, we got to make sure that we're testing, we understand the limitations. And the people who have my role have a hard job at the beginning of 2026 because every CEO is saying, "Let's get the AI out. We don't want to be left behind." And us over on the security side are like, "Ah." And to a certain extent, we don't even know what the real downsides are. We've launched all these AI solutions and we're starting to ... We're hearing trickling out stories of, "Oh, somebody's home directory accidentally got wiped out." "Oh, there was a prompt injection in that email." We're just digging in right now to the actual risks. Come back in a year and we'll have lots of horror stories.
Dave Vellante
>> Those are the unknown unknowns. What are the known unknowns specifically as it relates to coding that you're trying to help people close?
Joe Sullivan
>> Yeah. So I think the first thing is some subset of code that gets made has vulnerabilities. And if the velocity of code is going up, like Joni's talking about, the velocity of headaches that come with that code are increasing. I'll give you an example. A company that I support as an advisor, like a company that's growing really fast, mid-market company, probably going to IPO in the next couple of years, they have a very large engineering team and they've tripled their software output and they haven't just had engineers generate code. Now they have non-engineers generating code. So you have real meaningful enterprises with non-engineers generating code. And then what happens is the security team finds the vulnerability. Last year we would send it back to the engineer and say, "Please fix it." This year, we can't send it back to the person in marketing and say, "Please fix your code." So it turns out that the security team's work is getting ... Their to do list is getting longer instead of shorter.
Dave Vellante
>> So this brings up an interesting point because, Joni, correct me if I'm wrong, you founded the company before COVID, right?
Joni Klippert
>> Yeah, just before.
Dave Vellante
>> This is like late last decade. So what, 2019, early 2020?
Joni Klippert
>> Are you trying to age me?
Dave Vellante
>> Oh, God, no.
Joni Klippert
>> 2019.
Dave Vellante
>> I got you beat there, kiddo. So the reason I bring it up is because it was during the cloud era that you founded the company. And I felt like the cloud was the first line of defense. But then as you get, you get the SecOps team and the application developers were being asked to secure the infrastructure and they didn't want to deal with that. They just wanted to write great code. So the timing of StackHawk was actually quite good because there was a real problem there. In other words, the last thing that a developer wants to do is to worry about security. They need to worry about creating building. So that's kind of an interesting observation, but then you're kind of made for this time now, right? So explain ... I mean, it's good to be like two miles ahead of your customer as opposed to 200 miles ahead of your customer.
Joni Klippert
>> Yeah. I mean, again, we're very focused on how do we take this type of vulnerability detection and move it from prod into, at the time, the CI/CD toolchain. And we made some really interesting decisions to do that in order to support the developer: configured as code, it was a portable scanner. So instead of a cloud-hosted capability that's traversing the internet to run attacks, it could run on your local machine, it could run in CI/CD. Very, very portable to fit into whatever SDLC you had. As far as I know, we are the only runtime testing provider that has that kind of deployment mechanism. And little did I know it was a perfect decision for this phase because in order to run Agentic DAST or move this closer to the tools we're using, like Claude and Cursor, Copilot, others, it has to be fast and it has to be portable so that while an engineer is in that tool, they can not only configure and run something like StackHawk, but actually have it just start remediating the vulnerabilities right then. There are no more tickets, right? We're just able to allow AI to do this for us.
Dave Vellante
>> Explain the then and now. Here's your brain, here's your brain on StackHawk, the previous, the as was and the is now.
Joni Klippert
>> Yeah. I mean, as was. Our AppSec teams were very frustrated about the pace of software engineering. They were using a lot of static code analysis tools because they were easier to deploy, but incredibly noisy. I mean, you're finding thousands or tens of thousands of vulnerabilities, but you don't know if they're reachable or exploitable. And then they would take this very valuable type of testing and only run it occasionally, right? They'd have to kick it off on a Friday and hope it didn't fall over on a Monday morning. They'd start creating tickets. And that was no way to do this. So the now is very commonly, this is just running as part of software delivery. It can run on your local machine. When you're writing code and you deploy it to CI/CD, like where you run unit tests and integration tests, that's where you're running your security test. So you get immediate feedback. So to your point about software engineers, we have to fit into their toolchain and make this incredibly low friction because if they see I just introduced a new vulnerability, they will fix it. They want to write quality code, but they don't want to become security engineers, to your point. And the now now time is they've never had more pressure to produce value for the customer and output than before, right? So it's a pretty -
Dave Vellante
>> So really, static versus kind of real time runtime.
Joni Klippert
>> Yes.
Dave Vellante
>> Joe, when you see something like OpenClaw, what does your security brain do?
Joe Sullivan
>> It explodes. No, I think that the week that OpenClaw really came to public understanding was for security people like the week that ChatGPT became known to the world. It showed us the risk that we were trying to guess was coming. We knew AI was going to introduce lots of complexity to our lives. We knew we were going to get to the OpenClaw type of experience someday. We just hoped maybe we'd had a little more time to build our defenses. And I mean, at the same time, as a human being, I love the possibilities of tooling like OpenClaw. It shows that all these things that are so inefficient in our lives can get a lot more efficient through AI. And that's exciting. And that's our job as security people to figure out how do we put the guardrails on that? Now, the thing that I think about with OpenClaw that hopefully makes sense to everybody is that in companies we think about, and security, we think about putting in doorways. So like we talk about like, we only let the good people in the door. The challenge with AI is that once you let the AI in the door, you still need to pay attention to what it's doing. It's kind of like a toddler in the house. You can let them in, but you should have somebody following them around. And so that's the way AI is, I think in 2026 and why Joni was talking about runtime. Like for all of us, the word runtime means like we're trying to keep a protective bubble around the dangerous kid in real time. And that's the way we got to secure AI. We can't just say, "Okay, that's good AI or bad AI at the doorway." So like traditional controls just don't work. And so that's why, like you said, if you happened to be a company that was focused on runtime before AI exploded, you were in the right place at the right time, like Joni has been.
Dave Vellante
>> And so you basically put a helmet on the two-year-old and it protects him or her from the sharp edges? Is that kind of what you're doing here?
Joni Klippert
>> Sounds good.
Dave Vellante
>> So tell me more about the space, how you think about the market, where you fit in the stack, and how big is the market?
Joni Klippert
>> Well, it certainly is growing, isn't it?
Dave Vellante
>> The TAM. The TAM is every piece of code.
Joni Klippert
>> Every piece of code. And when we founded the company, we were looking at TAM saying these types of technologies and a more legacy version were run by two, three, four AppSec people. And when StackHawk is used by an organization, it includes every single software engineer. Well, now you have anyone with an AI code gen assistant license. I mean, your accountant can be writing software. So all of a sudden, anyone who has the ability to put innovation and software into the world is part of your addressable market.
Dave Vellante
>> Is there best practice in terms of how to operationalize this? I mean, a lot of pushback I get from practitioners is, "This sounds great, but how do I make it part of my daily operations?" Any advice there?
Joni Klippert
>> The first place I would start is with curiosity. I mean, for a long time, AppSec treated Dev like a very different organization and didn't get too involved with their tooling or anything else. And at this point, they need to understand how AI works. They need to understand things like OpenClaw and become very invested in these tools because everything is changing. I mean, even software delivery as we thought of it before is now changing. So I think one is lead with curiosity. Two is really start thinking about your AI DLC. So how can we start instrumenting more of these controls and protections earlier on before we ever even hit CI/CD?
Dave Vellante
>> Jensen had an interesting line last week. I don't know if you heard it. He was saying ... Somebody playing ping pong back there, you hear that? He was saying that if I hire a half a million dollar software engineer, I'm going to be really angry if that individual spends $5,000 a year on tokens. I want that person's ... I want to give them a token budget or her a token budget of $250,000 and say, "Go." That sounds exciting and alluring, but then it could be the Wild West in terms of code generation. I mean, how do you think about that?
Joni Klippert
>> I think you have to be right in line with code gen.
Dave Vellante
>> Yeah.
Joni Klippert
>> This notion of securing after the fact, I mean, already the security team was so far behind. It's untenable at this point. So you got to get in lockstep, arm in arm with your engineering counterparts, learn how they're building and delivering software and become part of that process.
Joe Sullivan
>> I think you make a really good point. If we're going to spend a bunch of money to accelerate engineering, we got to spend a little money to accelerate security too. I think that's the message I try and bring to CEOs and boards when we start talking about it. When I hear them say, "We're going to unleash the tokens," I say, "Unleash a little security to go along with it." And I think we're starting to see that now too.
Dave Vellante
>> Yeah. And it seems anyway, based on our data, and we had a segment earlier this morning with our partner Enterprise Technology Research, they do some fabulous surveys. It seems like the stock market has it wrong with the SaaS-pocalypse because they're just taking every security vendor and sort of throwing them in. But the reality is that security's getting a slightly disproportionate share of the budgets. It's growing. Certainly AI security is growing and everything else, cloud, Zero Trust, all identity, they're kind of holding firm. So I think that's good news that we're not getting squeezed in the budget. We're probably still not spending enough.
Joni Klippert
>> Agreed.
Dave Vellante
>> But generally speaking, the trends are favorable for this industry.
Joe Sullivan
>> Yeah. And the other trend that goes along with that is the role of the security leader inside these enterprises. AI is making that person more visible because the CEO and the board are paying attention to how is AI impacting our company? How is it impacting our competitors and what are the risks? And so the security leader's getting invited to more senior leadership meetings and getting their voice heard more. And then it's the resources that tend to follow after that relationship develops.
Dave Vellante
>> And Joni, to your point about, we're talking about the toddler, you don't want to give a loaded gun to a teenager, and that's where you guys come in to really pick up because you've got people ... I mean, I'm coding, everybody's coding now, and I'm not a SecOps pro, and so we definitely need help. So I'll give you the final word.
Joni Klippert
>> Yeah. Historically, that team has been underfunded and under-resourced. When we started the business, we talked about a ratio of one AppSec professional to a hundred software engineers. Those hundred software engineers are now at least a thousand software engineers. So to Joe's point, this is a discipline we have to fund. And as AppSec professionals, we really need to retool to understand how modern software is built and just be part of that process.
Dave Vellante
>> Speaking of funding, where are you at in your sort of funding cycle? How's it going? How's the balance sheet? How's the runway looking?
Joni Klippert
>> We're great.
Dave Vellante
>> Okay.
Joni Klippert
>> Yeah. So we are a late, I'd say, series B company continuing to grow into the enterprise. So we had a big shift from more of a PLG type business to a much more balanced, larger enterprise type business, which has been exciting to see some of these huge enterprises really pushing their own practices into very AI native development. So it's pretty exciting.
Dave Vellante
>> Okay. So you got product-market fit, the product was selling itself and now you're scaling go-to-market to the enterprise, is that right?
Joni Klippert
>> That's exactly right.
Dave Vellante
>> That's always fun. It's a challenge, but congratulations on getting there.
Joni Klippert
>> Thank you.
Dave Vellante
>> Next step is escape velocity.
Joni Klippert
>> That's right.
Dave Vellante
>> We welcome that. I hope to have you back to talk about that and have you at our New York facility to do the same.
Joni Klippert
>> Would love it.
Dave Vellante
>> Thanks, you guys. Appreciate it.
Joni Klippert
>> Thank you.
Dave Vellante
>> Okay. Thank you for watching. This is Dave Vellante for Christophe Bertrand and Jon Oltsik, the entire Cube team, RSAC 2026. Be right back with our live coverage right after this short break.