Q. What led you to realize that the human layer of cybersecurity was the most underserved, and how did that insight become the thesis for CybSafe?
It came from pattern recognition across two careers. In my government career you quickly learn that technology and process only take you so far. The person on the ground, how they behave under pressure, how they make decisions with incomplete information, that’s what determines outcomes. When I left military service, I saw the same gap in cyber. Organisations were spending heavily on technical controls but almost nothing rigorous on the human side. And what did exist, annual compliance training and generic phishing tests, was built on weak scientific foundations. It wasn’t changing behaviour.
What struck me most was the asymmetry. Security teams are extraordinarily sophisticated when it comes to technical risk. They run attack surface management, maintain asset and identity truth, deploy tuned EDR, debate detection coverage and logging latency. Serious engineering. Yet for the human layer, which attackers actively exploit just as aggressively, many organisations were comfortable with sentiment, participation, and hope. That gap isn’t philosophical. It’s operational. And it’s indefensible. That became the founding thesis: human behaviour in security contexts is observable, measurable, and changeable. The question was whether anyone would build a platform serious enough to act on it.
Q. How has your background as a former UK Special Forces Lieutenant Colonel shaped the way you build teams, make decisions and lead under pressure as a tech founder?
In a few distinct ways. First, a high tolerance for ambiguity. In SF you’re rarely operating with perfect information. You make the best decision you can with what you have, you act, and you adapt. Founders who wait for certainty don’t move fast enough. Second, an obsession with the quality of the people around you. In that environment the team is everything. You don’t carry people. At CybSafe we’ve tried to build a tribe with the same ethos: high standards, direct communication, genuine accountability. Third, a calmness under pressure. When things go wrong, and they always do, the job of the person at the top is to stay clear-headed and keep others focused on what matters. I won’t pretend I always get that right, but my military and leadership experience helps.
Q. You describe CybSafe as an AI-powered human risk management and behavioral science platform, not just “security awareness training.” What category are you building and what do you need to get right to win in it?
We’re building the Human Risk Management category, and we have strong opinions about why the old category is finished. Security awareness training isn’t just insufficient. It’s dead as a primary strategy. Knowledge doesn’t equal behaviour change. If you proposed deploying EDR without instrumentation, tuning, or measurable detection coverage, you’d be laughed out of the room. Yet many organisations deploy “awareness” without a behavioural architecture, without defined behaviour coverage, without measurable change latency, and without a clear model of which behaviours matter most to business-critical risk. One is treated as an engineering discipline. The other as a communications exercise.
HRM asks a fundamentally different question: what is the actual risk that human behaviour poses to this organisation right now, and how do we measurably reduce it? That requires behavioural telemetry, validated science, and the ability to intervene at the right moment in the right way for the right person. The only way to answer that question at scale, across thousands of employees simultaneously, is AI. Not AI as a feature bolted onto old content libraries, but AI as the architecture: reasoning over behavioural data in real time, identifying who is at risk, why, and what intervention is most likely to change that. To win in this category we need to do three things well: keep our science credible and defensible, build a platform that integrates into security operations rather than sitting alongside them, and demonstrate measurable risk reduction outcomes that CISOs can take to the board. Remember, no behaviour change, no risk reduction. Everything else is theatre.
Q. Where is CybSafe most differentiated today, and how do you plan to maintain and grow that competitive edge?
Our deepest differentiator is SebDB, the Security Behaviours Database. It’s a proprietary, academically validated behavioural ontology that maps over 100 security behaviours to risks, signals, and controls, connected to threat frameworks like MITRE ATT&CK and standards like NIST CSF. No competitor has anything close to it in terms of scientific rigour.
But SebDB isn’t just a content asset. It’s the foundation of an intelligent data infrastructure that generic platforms simply can’t replicate. Platforms like Snowflake or Databricks can move data. They don’t understand the meaning of behaviour, the structure of risk, or how to intervene. Our platform does. It uses AI to reason over behavioural data, not just store or display it. The distinction matters: AI that reports on what happened is table stakes. AI that acts, that turns live behavioural signals into decisions, nudges, and risk controls automatically, is a fundamentally different thing. That’s what we’re building. By owning the behavioural models, the intervention logic, and the AI layer on top, we’re building something that isn’t a feature. It’s our platform, our moat, and our long-term advantage.
We’re extending this further through Project NEXUS, a vendor-neutral open-source behavioural security ontology designed to do for human risk what MITRE ATT&CK did for adversary behaviour: create a common, rigorous reference model that anchors the category in science rather than marketing.
Q. When you talk to CISOs and boards, what outcomes best demonstrate that focusing on human behavior can materially reduce incidents and risk?
The most compelling conversations are the ones grounded in precision. “We ran training” doesn’t move anyone. “We identified a cluster of high-risk behaviours in your finance team, intervened with targeted nudges, and here’s the measured behaviour change three months later, correlated with a reduction in incidents” is a very different conversation.
CISOs increasingly understand the absurdity of the current state. For infrastructure, we insist on visibility before control. For endpoints, we demand telemetry before enforcement. For identities, we require assurance before access. But for the human layer, many organisations are still operating on completion rates and phishing click percentages. Simulated phishing covers three behaviours. There are dozens more being ignored entirely. The metrics the industry has relied on are a comfort blanket. They measure activity, not risk.
What we’re offering is behavioural surface management. Real telemetry. Defined coverage models. Measurable change. Boards care about residual risk and liability. When you can show you’re managing the human attack surface with the same rigour applied to technical controls, and producing evidence of it, that changes the governance conversation entirely. Every action should be measured for impact. Credible risk decisions demand evidence, not assumptions.
Q. You just published the fifth annual Oh, Behave! report. How has it evolved over time, and what has most surprised you about the findings over the years?
When we launched Oh, Behave! it was partly a way to put a scientific stake in the ground and partly to drive the conversation about measurement in a field running on metrics nobody had bothered to question. It’s grown into one of the most substantial longitudinal datasets on human security behaviour in the industry.
What’s evolved is the sophistication of the questions we can now ask. Early editions were establishing baselines. Now we’re tracking changes over time, interrogating what drives behaviour at a population level, and surfacing findings that challenge industry consensus. The data infrastructure behind it has matured alongside the platform. We’re not just collecting responses. We’re building ground truth about how people actually behave in security contexts, at scale, over time.
The thing that’s consistently surprised me is how weak the link is between security knowledge and security behaviour. People know what they’re supposed to do. They still don’t do it. That gap is where the real work is, and it’s precisely why the training-heavy model was always going to fall short. Most of this industry runs on assumptions nobody’s bothered to test. The report is our way of testing them.
Q. What have been the toughest inflection points in your journey as a founder so far, and what has helped you stay resilient through them?
The toughest moments are always the ones where you’re making high-stakes decisions with very little time and incomplete information, while being honest, calm and clear to a team watching you closely. Fundraising in difficult market conditions, making a call on a senior hire that turns out to be wrong, navigating a competitive threat you didn’t fully see coming.
What’s helped is staying connected to the founding conviction. The problem is real, the science is sound, and the category is being built whether we lead it or not. We’re building something most of this industry hasn’t taken seriously enough: a genuine evidence base for human risk, and the intelligent infrastructure to act on it in real time. That clarity cuts through a lot of noise. So does having people around you who’ll tell you when you’re wrong. That’s rarer and more valuable than most founders admit.
Q. With deepfakes, AI-powered phishing, and increasingly sophisticated threat actors, how do you see the human risk landscape evolving over the next 5 to 10 years, and what is CybSafe’s long-term focus?
The threat surface is expanding in ways that make the human layer more, not less, important. AI-generated social engineering is already undermining the heuristics people rely on to detect attacks. The visual and contextual cues that once flagged a phishing email are disappearing. You can’t train your way to resilience against that.
What’s needed is a fundamentally different model, and here’s the thing: the same technology making attacks harder to detect is also what makes adaptive human risk management possible. AI cuts both ways. On one side, attackers using it to generate more convincing, personalised, high-volume social engineering. On the other, defenders using it to continuously monitor behavioural risk, adapt interventions in real time, and respond to emerging threats before they translate into incidents. Think of what Vitality did for health insurance by linking behaviour to outcomes, or what WHOOP does with continuous behavioural telemetry and adaptive coaching. Apply that model to cyber risk.
CybSafe’s long-term focus is on becoming that intelligent infrastructure layer for human risk. A platform where AI reasons over live behavioural data and turns it into decisions, nudges, and risk controls automatically, giving security teams the same visibility and ground truth on the human side that they’ve always had on the technical side. Where others deliver insight, we deliver change.
Q. As a founder, what do you most value from your investors and board?
Honesty and genuine partnership. What I value most are investors and board members who understand that what we’re trying to do is genuinely hard. Building a new infrastructure category for human risk isn’t a known path. There’s no established playbook to follow. So the people around the table need to bring real pattern recognition from across their portfolios, the kind of insight that comes from having seen similar challenges play out in different contexts, and apply it thoughtfully to the specific situation CybSafe is in. That contextual judgment matters far more than generic advice.
I also value people who understand the difference between the fundamentals and the playbook. Playbooks matter, but they’re a starting point, not a blueprint. The best board members know when to apply them and when to set them aside because the situation demands something different.
Most of all, I want investors who are genuinely excited about what we’re building and willing to engage seriously with the ambition of it. We’re not incrementally improving an existing category. We’re building the intelligent data infrastructure layer for human risk, and that requires intellectual curiosity and a willingness to think beyond what existed before. A board that just benchmarks us against legacy security awareness vendors isn’t just unhelpful. It’s actively limiting. Support and challenge in equal measure, grounded in a real understanding of where we’re headed. That’s what I value.
Q. What is the best piece of advice you received as a first-time founder or as a founder in general?
“Be a missionary, not a mercenary.” Founders who are primarily motivated by the outcome, the exit, the valuation, tend to make different decisions under pressure than founders genuinely obsessed with the problem they’re solving. The conviction has to be durable, because there will be moments where the rational thing would be to quit or pivot and the only thing that keeps you going is belief.
For me that belief is genuine. Human behaviour is the most underinvested, underscientised layer in cybersecurity. Most of this industry runs on assumptions nobody’s bothered to test, metrics nobody’s bothered to question, and strategies nobody’s bothered to challenge. We’ve challenged them. And the answer we keep arriving at is the same: no behaviour change, no risk reduction. Everything else is theatre. Building the platform and the evidence base to prove that at scale is what gets me up in the morning.