Guest: Joe Sullivan
Company: Joe Sullivan Security
Show: Secure By Design
Topic: Application Security
AI coding assistants are generating thousands of lines of code every week, accelerating developer velocity at an unprecedented rate. But there’s a problem: traditional static code scanners can’t tell you what happens when that code runs in production. They can’t predict when authorization will break, when business logic will fail under real user behavior, or when endpoints get exposed that developers didn’t even know existed. And by the time these vulnerabilities surface in a live environment, it’s often too late.
Joe Sullivan, CEO and Founder of Joe Sullivan Security LLC, knows this better than most. As the former Chief Security Officer (CSO) at Uber, Meta, and Cloudflare, he’s spent two decades protecting some of the biggest platforms on the internet. He’s also lived through one of the most high-profile security incidents in tech—the 2016 Uber case in which the government accused him of covering up a breach. He was convicted, fought back, and emerged with a clearer understanding of what security really means when your reputation is on the line.
Now, Sullivan has joined the board at StackHawk, a company focused on runtime security testing. His word for 2026? Runtime. And he believes it’s where every security leader needs to focus as AI fundamentally reshapes software engineering.
From Federal Prosecutor to Silicon Valley CSO
Sullivan’s path into cybersecurity wasn’t conventional. He started as a federal prosecutor in the Department of Justice in the mid-1990s—right when the internet was becoming mainstream. “I wanted to join the government. I was a mission-oriented person,” Sullivan recalls. He didn’t know much about the business world growing up, but he was fascinated by technology.
By the late 1990s, Sullivan was prosecuting cybersecurity-related cases at a time when the field was still nascent. “Cybersecurity in the 1990s was very interesting, very challenging. It was evolving so quickly. The pace of change, the technical complexity, but also the human element—at the end of the day, cybersecurity is all about protecting humans from risk.”
That combination of mission, technical challenge, and human impact became Sullivan’s north star throughout his career. He moved from the DOJ to Facebook (now Meta), then to Uber, and later to Cloudflare—always looking for the next most challenging and interesting opportunity.
The Uber Incident: A Hard Lesson in Transparency
In 2016, Sullivan’s team at Uber responded to what they considered a successful security investigation. Researchers had found a vulnerability, accessed some user data to prove they had access, and contacted Uber. Sullivan’s team worked with them to fix the vulnerability, interviewed the researchers in person, and ensured the data was deleted so customers wouldn’t be harmed. They even invited the researchers to Uber headquarters to speak to the team and helped them get jobs at a security company.
But the U.S. government saw it differently. They believed Uber—and Sullivan—should have disclosed the incident to regulators. In 2022, Sullivan was convicted for his role in how the company handled the disclosure.
“The case wasn’t about access or unauthorized access. It was about how we as a company interacted with the government,” Sullivan explains. He relied on Uber’s legal team, who advised that disclosure wasn’t required. “I wasn’t acting as an attorney. I was acting as the chief security officer.”
The judge ultimately rejected the government’s request to send Sullivan to prison, stating that the case was unprecedented, there was no financial motivation, and the outcome was not a cover-up. But the experience left Sullivan with a hard-won lesson: transparency matters, even when it’s uncomfortable.
“If I had to redo it, I’d speak up more for transparency. I tried to stay in my lane, but I should have gotten out of my lane more,” he says. Today, he’s a vocal advocate for clearer communication between companies and government, even as regulatory expectations remain murky.
Why 2026 Is the Year of Runtime
Sullivan’s focus has shifted sharply to runtime security—and for good reason. “In early 2026, we can say for certain one profession has fundamentally changed already because of AI: software engineering,” he says.
AI coding tools are generating code at an unprecedented pace. Developer velocity is way up, but so is the volume of code that needs to be secured. Traditional static analysis tools (SAST) inspect source code before deployment without executing it, so they are good at spotting dangerous patterns in the code itself but blind to what depends on the running system: which endpoints are actually reachable, which identity is calling them, and whether the framework enforces the authorization the developer assumed. Those vulnerabilities only surface when the code runs in a real environment.
That’s where dynamic application security testing (DAST) and runtime security come in. “When we put code into action, we run into new types of vulnerabilities—business logic issues, authorization failures, exposed endpoints. That’s where DAST comes in,” Sullivan explains.
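To make the SAST-versus-DAST distinction concrete, here is an added example (written for this article, not StackHawk’s product or Sullivan’s own code). It models a small order-lookup endpoint as a plain Python function standing in for a deployed HTTP handler. The vulnerable version authenticates the caller but never checks who owns the order, a classic broken object level authorization (IDOR) bug. A crude pattern-based static scan finds nothing in either version, because there is no dangerous sink to match; a DAST-style differential test, which replays the owner’s request as a second authenticated user against the running handler, flags the vulnerable version and passes the fixed one. The order data, session tokens, and sink patterns are all constructed for the demo.

```python
"""Added example: an authorization bug a sink-matching static scan misses
but a runtime (DAST-style) differential test catches. Hypothetical code
for this article, not StackHawk's scanner or Joe Sullivan's code."""
import inspect
import json
import re

# Constructed sample data: two tenants' orders in an in-memory store.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 42.00},
    "ord-2002": {"owner": "bob", "total": 17.50},
}
# Constructed bearer tokens -> user, standing in for a real session store.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

ORDER_PATH = re.compile(r"/orders/([\w-]+)")


def _caller(headers):
    """Resolve the Authorization header to a user, or None if not logged in."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def handle_vulnerable(method, path, headers):
    """GET /orders/<id>: authenticates the caller but never checks that the
    caller owns the order (broken object level authorization / IDOR)."""
    user = _caller(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    m = ORDER_PATH.fullmatch(path)
    if method != "GET" or not m:
        return 404, {"error": "not found"}
    order = ORDERS.get(m.group(1))
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def handle_fixed(method, path, headers):
    """Same endpoint with an ownership check. A missing order and someone
    else's order both return 404, so the id's existence is not confirmed."""
    user = _caller(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    m = ORDER_PATH.fullmatch(path)
    if method != "GET" or not m:
        return 404, {"error": "not found"}
    order = ORDERS.get(m.group(1))
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


# Constructed stand-in for a pattern-based SAST rule set: dangerous sinks.
SINK_PATTERNS = [r"\beval\(", r"\bexec\(", r"subprocess\.", r"os\.system\(",
                 r"execute\(.*%", r"execute\(.*\+"]


def static_scan(func):
    """Return the sink patterns found in func's source code. Neither handler
    contains one, so a scanner of this kind reports nothing for either."""
    src = inspect.getsource(func)
    return [p for p in SINK_PATTERNS if re.search(p, src)]


def runtime_authz_check(app, path, owner_token, other_token):
    """DAST-style differential test against the running handler: fetch a
    resource as its owner, then replay the identical request as a different
    authenticated user. A 200 with the same body the second time means
    object-level authorization is broken."""
    owner_status, owner_body = app("GET", path, {"Authorization": f"Bearer {owner_token}"})
    other_status, other_body = app("GET", path, {"Authorization": f"Bearer {other_token}"})
    return {
        "path": path,
        "owner_status": owner_status,
        "other_status": other_status,
        "vulnerable": (owner_status == 200 and other_status == 200
                       and json.dumps(owner_body) == json.dumps(other_body)),
    }


if __name__ == "__main__":
    for app in (handle_vulnerable, handle_fixed):
        print(app.__name__, "static sinks:", static_scan(app))
        print(app.__name__, "runtime:",
              runtime_authz_check(app, "/orders/ord-1001", "tok-alice", "tok-bob"))
```

The check needs two valid identities and a resource one of them owns, which is exactly the state a scanner can only have once the application is running and seeded. That is the practical reason authorization failures show up in DAST and runtime testing rather than in static analysis.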
He draws a parallel to cybersecurity’s broader philosophy: “In cybersecurity, our goal is prevention. But we also recognize this is an adversarial situation. We don’t always prevent the bad guys from getting in. That’s why every mature security organization has a large percentage of the team focused on detection and response.”
Runtime security applies the same principle to the application layer: assume that code review and static scanning missed something, and test and observe the application while it is actually running, in pre-production and in production, because that is where business logic flaws, authorization failures, and unintended endpoints become visible.
What Security Leaders Should Do Now
For Sullivan, the message to CISOs is clear: you don’t have a choice. “Security leaders need to be the first team in the company that fully embraces the use of AI, fully understands the implications, and fully leads the organization into the new world. If we’re in denial, we’re going to be caught in a bad situation.”
He also believes the role of the CISO is evolving beyond technical implementation. “We don’t control the budget, the company culture, or the company’s appetite for risk. Those things are decided at the CEO and board level. We need to make the rest of the leadership team understand the opportunities and risks in cybersecurity and see shared ownership.”
Sullivan’s advice is blunt: stop staying in your lane. Security leaders must push for transparency, challenge legal teams when necessary, and ensure the CEO and board take ownership of security risks—not just the CISO.
Why StackHawk?
Sullivan joined StackHawk’s board because the company is focused on the area of application security he believes is most critical right now. “StackHawk came along at the right time, evolved their product at the right time. They’re in that sweet spot—AI-native, not trying to bootstrap AI into a legacy organization.”
For Sullivan, runtime security isn’t just a technical shift. It’s a strategic imperative for 2026 and beyond. As AI accelerates code velocity, the old playbook of static scanning won’t cut it. Security leaders need to invest in tools and processes that detect vulnerabilities when code runs in production—because that’s where the real risks emerge.