Risky Business Soap Box: runZero Shakes Up Vulnerability Management
Podcast: Risky Business
Host: Patrick Gray
Guest: HD Moore, CEO/Founder of RunZero
Date: September 15, 2025
Episode Overview
In this Soap Box edition of Risky Business, Patrick Gray speaks with HD Moore, renowned for creating Metasploit and now CEO of RunZero. The conversation delves into RunZero’s transformation from an asset discovery tool into a next-generation vulnerability management platform—one that challenges industry incumbents by focusing on unauthenticated network scanning, rapid response, and real-world exposure over compliance checklists. The discussion covers industry stagnation, the rise of EDR vendors, practical shifts in vulnerability management, and how RunZero is positioned to shake up the entire market.
Key Discussion Points & Insights
1. The Evolution of RunZero (Asset Discovery → Vulnerability Management)
- Origins and Motivation
- Pen testers continually found breaches through unknown/unmanaged assets.
- RunZero started to help organizations find everything in their environment, not just the assets they already tracked.
- "Assets that folks aren't aware of, that aren't part of vuln management are the ones that are getting breached the most." – HD Moore [01:15]
- Gradual Shift to Exposure and Vulnerability Management
- Customer demand drove RunZero toward vulnerability/exposure management.
- "We decided just to go full hog into it and do our best to help folks not just identify what they have, but...fix it as quick as they can." – HD Moore [01:54]
2. Weaknesses of Traditional Vulnerability Management
- Compliance Became the Focus, Security Was Sidelined
- Legacy vendors (Tenable, Rapid7, Qualys) focused on compliance (SCAP, full host scans, policy profiles) at the expense of real security.
- "Customers [are] spending all this time...patching vulnerabilities...and not moving the needle at all on exploitability." – HD Moore [10:21]
- Authenticated vs Unauthenticated Scanning
- Legacy tools are biased toward agent-based/authenticated scanning, a setup that fails for unmanaged, BYOD, or non-domain endpoints.
- "The bar has been dropped so low...bad detection quality is how we got in this mess." – HD Moore [22:19]
- Credentialed scanning can be risky, often putting credentials on the wire.
- "The authentication won't just fail, it'll give the attacker on that machine your password." – HD Moore [06:35]
- EDR Vendor Encroachment and Market Shifts
- Endpoint Detection and Response (EDR) companies (CrowdStrike, SentinelOne) leveraged their endpoint presence to claim vulnerability management, but focus only on software inventory—not network exposures.
- "They’re not catching exposed services...you’re just looking for outdated software." – HD Moore [05:22]
3. RunZero’s Modern Approach
- Comprehensive Data Ingestion
- Correlates data from network scans, APIs, EDRs, cloud environments, and MDMs.
- "You can capture that vulnerability...state information from EDR, pull it into RunZero, and then correlate that..." – Patrick Gray [08:03]
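The correlation described above, as an added example that is not RunZero's code: an unauthenticated scan's asset list is joined against EDR and MDM inventories by MAC address, so that assets no agent reports (the ones the episode says get breached most) surface first, together with the exposed admin and remote-access services on them. All records, the MAC-based join key and the list of "exposure" services are constructed assumptions for the example.

```python
# Added example (not RunZero's code): join an unauthenticated network scan with
# EDR and MDM inventories to surface unmanaged assets and their exposed services.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: what an unauthenticated scan observed.
SCAN_ASSETS = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "os": "Windows 11",
     "services": [("tcp/445", "smb"), ("tcp/3389", "rdp")]},
    {"ip": "10.0.1.20", "mac": "00:11:22:33:44:02", "os": "FortiOS",
     "services": [("tcp/443", "https/fortigate-admin"), ("tcp/22", "ssh")]},
    {"ip": "10.0.1.30", "mac": "00:11:22:33:44:03", "os": "Linux",
     "services": [("tcp/8080", "http/jenkins")]},
    {"ip": "10.0.1.40", "mac": "00:11:22:33:44:04", "os": "iOS", "services": []},
]
# Constructed: hosts the EDR and MDM consoles know about, keyed by MAC address.
EDR_INVENTORY = {"00:11:22:33:44:01": {"hostname": "WS-01", "agent": "healthy"}}
MDM_INVENTORY = {"00:11:22:33:44:04": {"device": "iPhone", "enrolled": True}}
# Assumed list of services whose exposure is a finding even without a CVE
# (admin panels and remote-management listeners).
EXPOSURE_SERVICES = {"https/fortigate-admin", "rdp", "http/jenkins", "smb"}

@dataclass
class Finding:
    ip: str
    managed_by: list[str] = field(default_factory=list)  # inventories that know the asset
    exposures: list[str] = field(default_factory=list)   # exposed ports on the asset

    @property
    def unmanaged(self) -> bool:
        return not self.managed_by

def correlate(scan, edr, mdm) -> list[Finding]:
    """One Finding per scanned asset, unmanaged assets with exposures first."""
    findings = []
    for asset in scan:
        f = Finding(ip=asset["ip"])
        if asset["mac"] in edr:
            f.managed_by.append("edr")
        if asset["mac"] in mdm:
            f.managed_by.append("mdm")
        f.exposures = [port for port, svc in asset["services"] if svc in EXPOSURE_SERVICES]
        findings.append(f)
    # No agent will ever report an unmanaged asset, so those rank above managed ones;
    # within each group, more exposed services ranks higher (stable sort keeps scan order).
    return sorted(findings, key=lambda f: (not f.unmanaged, -len(f.exposures)))

def unmanaged_with_exposures(findings: list[Finding]) -> list[str]:
    """IPs that need attention first: seen on the network, unknown to EDR/MDM, exposing services."""
    return [f.ip for f in findings if f.unmanaged and f.exposures]
```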
- Focus on Exposure, Not Just Vulnerabilities
- Prioritizes exploitable exposures: default credentials, misconfigurations, exposed admin panels—not just CVEs.
- "Less than half of the stuff we've been adding to the product actually have a CVE associated." – HD Moore [10:43]
- Real-time mapping and response: Immediate visibility to what's exposed when new critical issues drop.
- Rapid Response Features
- Emergency notifications and automated queries notify customers within 15 minutes of new exposures in their environment.
- "[RunZero] will throw it up front and center: 'Hey, you've got this Fortinet device that's being exploited right now...'" – Patrick Gray [16:13]
- "You'll get an email within 15 minutes now out of the box. And you don't have to do anything at all to do it." – HD Moore [17:19]
4. Industry Stagnation and Disruption
- Market atrophy due to lack of competition and innovation:
- HD recounts how legacy vendors saw high entry barriers and became complacent.
- "We realized...it doesn't matter at all. That backlog [of checks] is not what you need to worry about. It's the new emerging threats." – HD Moore [13:45]
- Why Nucleus and Similar Products Exist:
- Tools like Nucleus exist to compensate for weak triage/reporting in legacy platforms—ingesting third-party scanner data to give real visibility.
- "It's a solution that had to be conjured into existence because of deficiencies in this wider vulnerability management software market." – Patrick Gray [12:07]
5. Technical Innovations
- Custom Per-Check Engines and Efficiency
- Leveraging precise fingerprinting and service recognition, RunZero only runs relevant vulnerability checks per detected device/service, enabling thousands of checks without slowing down scans.
- "Every single service gets its own configuration and engine launch." – HD Moore [15:04]
- Safe Default Practices
- All new vulnerability checks and real-time notifications are enabled by default, but carefully rolled out to avoid alert fatigue.
- "You only get one chance to not burn that trust with customers...Defaults really are the most critical thing in security." – HD Moore [19:44]
6. Future Plans & AI
- AI Use Cases:
- Currently uses AI for content work: rapid threat intelligence from social media scraping and trend monitoring, plus data enrichment.
- Not embedding LLMs directly into scanning logic due to nondeterminism/unreliability:
- "Do you really want your critical vulnerability scanning...working only 1/10 of the time or missing every fourth time?" – HD Moore [25:22]
- Working on natural language query capabilities within the RunZero console.
Memorable Quotes
- "Assets that folks aren't aware of, that aren't part of vuln management are the ones that are getting breached the most." – HD Moore [01:17]
- "The authentication won't just fail, it'll give the attacker on that machine your password." – HD Moore [06:35]
- "We're not here to help you checkbox your policy and compliance statements...We're here to prevent you from being breached." – HD Moore [15:51]
- "It's the new emerging threats...the non CVE exposures...that's what actually matters to people's security." – HD Moore [13:45]
- "If what you care about is avoiding breaches and your external facing stuff, we do that all day long. You can turn off your Tenable today...and use us." – HD Moore [21:24]
- "Defaults really are the most critical thing in security. If they're not on by default, then you have to do a lot of education to get people to go try the feature." – HD Moore [19:44]
Notable Segments by Timestamp
- [01:15] — History and Origin of RunZero: asset discovery stemming from pentesting pains, and the road to vulnerability management.
- [04:48] — Failure of Incumbent Vendors on Unauthenticated Scanning: why authenticated/agent-based scanning leaves gaps.
- [06:35] — Dangers of Credentialed Scanning: attackers can harvest credentials from "secure" vulnerability scans.
- [10:10] — Why RunZero Rejects Compliance-Driven Scanning: focusing on real exploitable issues, not just compliance checklists.
- [16:09] — Rapid Response Notifications: RunZero's ability to alert users almost instantly to trending, exploited bugs.
- [18:53] — Findings, Not Fatigue: rollup reporting by exposure category to focus remediation.
- [23:10] — Philosophy of Modern Vulnerability Management: "Vulnerability detection is not a commodity...bad detection quality is how we got in this mess."
- [26:28] — AI/Natural Language Interfaces: integration of an MCP server; plans for natural language queries; practical AI uses.
Market Positioning & Closing Thoughts
- RunZero’s Target Users
- Especially effective for small to mid-size organizations that can't afford dozens of security products (e.g., local governments).
- Also appropriate for large organizations as a faster, more realistic exposure detection tool—potentially even as a primary vuln management platform if compliance needs aren't dominant.
- Pragmatic Approach
- Focused on catching what attackers will use next, not on satisfying auditor checkboxes.
- Efficiency, accuracy, and actionable output for both operations and compliance contexts.
- Seamless integration/handoff with EDR, asset, and existing vuln management tools.
- Vision
- "We'll have all of it, thank you." — Seeking to absorb much of the risk and vulnerability/exposure management market (especially as tools consolidate).
- Final Thoughts
- RunZero is well-positioned as both a disruptor and an enabler for organizations aiming to prioritize real risk over perceived/compliance-driven risk—delivering rapid, actionable intelligence and simplifying complicated vuln management stacks.
For security teams weary of slow, compliance-first, patch-centric vulnerability management, RunZero offers a refreshing, agile, and operationally focused alternative.
