Podcast Summary: BUILDERS — How StackHawk Repositioned Runtime Testing for the AI Age
Episode Date: March 30, 2026
Host: Brett (Front Lines Media)
Guest: Joanie Clippert, CEO & Founder of StackHawk
Episode Overview
This episode of BUILDERS delves into how StackHawk redefined runtime application security testing (DAST) at a moment when AI-generated code made static analysis approaches overwhelming and unmanageable. Joanie Clippert unpacks not only the technical shifts but also the go-to-market metamorphosis—and describes how StackHawk secured credibility with both startups and massive enterprise customers in a rapidly changing security landscape. The conversation features candid insights into product strategy, category creation, AI disruption, and the cultural intersection of developers and security.
Key Discussion Points and Insights
StackHawk’s Mission and the Security Problem (01:01–02:41)
- Challenge: Traditional static code analysis couldn’t keep pace with evolving, AI-driven software delivery. Security teams were frustrated by being bottlenecks to deployment.
- Solution: StackHawk focuses on enabling engineers to catch and remediate vulnerabilities pre-deployment, integrating runtime testing within DevOps toolchains so developers actually adopt and use it.
- Joanie Clippert:
“…We were built to help software engineers find and fix security vulnerabilities before they ever deploy that code to production.” (01:15)
Early Company Days & Rethinking DAST (02:52–03:56)
- Initial Research: The first 90 days were spent analyzing the DAST space and recognizing that open-source tools weren’t suited to modern CI/CD environments.
- Innovation: Simplifying the scanning engine for easy DevOps pipeline integration, making runtime testing as seamless as unit testing.
- Approach:
“...it started with reimagining how this tech would work in the CI/CD toolchain.” (03:38)
Landing the First Enterprise Customer & Market Evolution (04:04–06:24)
- Mindset Shift: StackHawk began as a PLG (Product-Led Growth) tool aimed at engineers and startups, but started receiving inbound interest from large enterprises.
- Memorable Moment:
“...when you start closing logos that are household names, it's something to be celebrated and it's just, it's really exciting. I was kind of beside myself, honestly.” (05:19)
- Cultural Touches: Celebrating customer wins (e.g., drinking the beverage of a major client on a plane).
Go-to-Market Transformation (06:24–07:58)
- Transition: From small, engineer-driven deals to an enterprise motion, responding to market dynamics and a tighter focus on customers who value security as a differentiator.
- Notable Quote:
"...you hear a lot of like, devs will never care. They don't care about security. And I'm like, actually if you build tools that work in their tool chain with DevOps principles, they do, in fact, care and they will use them." (06:48)
The AI Disruption & Rise of Runtime Testing (08:33–10:09)
- Tailwinds: The explosion of AI-written code created a “math problem”—static analysis tools produced more findings than teams could triage, making runtime (DAST) essential.
- Competitive Landscape: Static analysis used to be a default, but AI code generation has shifted focus to runtime validation.
- Joanie:
“…there are so many static code analysis findings you can't possibly weed through them. And the type of testing we do proves that it's actually reachable and exploitable.” (09:31)
- Product Angle: AI enhancements make DAST and runtime testing easier to deploy and operate.
Adapting to Customer Sophistication; Legacy vs. AI-Driven Approaches (10:18–11:21)
- Customer Maturity: Enterprises range widely in DevOps/AppSec sophistication; StackHawk builds features that both resemble known (legacy) patterns and offer modern “config as code” under the hood.
- Strategy: Bridging current practices with future "shift left" automation by leveraging AI for intuitive setup.
Category Definition & Analyst Relationships (11:21–15:39)
- Category Dilemmas: StackHawk’s hybrid focus (API security at runtime) doesn’t fit legacy analyst categories, especially as AI and LLM attack surfaces emerge.
- Discovery Innovation:
"We connect to source code and we are doing discovery, leveraging AI from source code so we can see which repositories turn into running assets before they're ever even deployed to production..." (12:54)
- Analyst Dynamics: Strong relationships with analysts (especially Forrester) are beneficial—helping shape runtime testing’s recognition as core to modern AppSec.
Using Original Research for Growth & Credibility (15:39–16:41)
- Marketing Lever: Publishing research (surveying 250 AppSec leaders) revealed a rapid shift from AI-skepticism to AI-enthusiasm in security.
- Impact:
"…customers were asking, what is your AI roadmap? We're all in on AI and all of our vendors need to be too. So it was a wild swing..." (16:18)
AI’s Impact on Software Engineering and Security (16:56–18:50)
- Paradigm Shift: AI-driven code generation has “8x’d software delivery,” but AppSec teams must adapt—they cannot keep up using old models (“making JIRA tickets, it’s absurd…” (17:50)).
- Organizational Alignment:
“…the next just most important domino that needs to fall is we're putting all this code into prod, code that we understand way less than had we written it ourselves. And the AppSec team has to completely retool how they do their job.” (17:13)
Vision for the Future (19:01–20:06)
- Constantly Changing Attack Surface: StackHawk is committed to evolving with how and where code is produced and run.
- Key Mission:
"We provide the runtime tooling which we think is the most important in the age of AI. But we build that bridge and provide a lot of insights for those who are responsible for the security of their applications." (19:44)
Notable Quotes
- “If you build tools that work in their tool chain with DevOps principles, they do, in fact, care and they will use them.” — Joanie Clippert (06:48)
- “...there are so many static code analysis findings you can’t possibly weed through them. And the type of testing we do proves that it’s actually reachable and exploitable.” — Joanie Clippert (09:31)
- “Engineering as a discipline has fundamentally changed and I think that will be very solidified in 2026. My most senior software engineers haven’t written a line of code in five months, six months. It’s just pure prompting. We’ve 8x’d software delivery in the last six months.” — Joanie Clippert (16:56)
Timestamps for Key Segments
- 01:01: StackHawk’s core problem: enabling proactive, developer-friendly security
- 02:52: Early R&D and why DAST needed reinvention
- 04:04: Landing the first enterprise customer
- 06:24: Transitioning go-to-market from PLG to enterprise
- 08:33: AI tailwinds and why runtime testing matters in 2026
- 10:18: Adapting StackHawk’s product for both legacy and modern teams
- 11:21: “What category are we?” Analyst challenges and StackHawk's unique focus
- 15:39: Original research as a growth lever
- 16:56: AI’s impact on engineering and the urgent need for modern AppSec
- 19:01: StackHawk’s vision for the future
Closing
For listeners interested in StackHawk, visit stackhawk.com or connect with Joanie and co-founder Scott Gerlach on LinkedIn for ongoing insights and customer stories. This episode provides clear strategic and tactical insights for anyone navigating the convergence of AI, security, and developer productivity in the modern enterprise.
