In today’s complex cybersecurity landscape, traditional vulnerability management approaches are failing to keep pace with evolving threats. Spektion, a Texas-based security startup that recently emerged from stealth, aims to transform how organizations identify and mitigate software vulnerabilities by focusing on software behavior rather than relying solely on the Common Vulnerabilities and Exposures (CVE) system.
The fatal flaw
According to Joe Silva, CEO of Spektion and former Global CISO at Jones Lang LaSalle (JLL) and Senior VP of Cybersecurity and Fraud at TransUnion, traditional vulnerability management represents “probably the lowest ROI activity” in enterprise security programs. “We didn’t feel like there were any solutions that gave us the tools we needed to move beyond legacy vulnerability management—CVE-based, reactive, incomplete, and blind to software behavior,” Silva explains.
Silva argues that the CVE-based system, which relies on discovering and patching vulnerabilities after the fact, is fundamentally broken. “CVEs are lagging indicators of risk,” he explains. “Just because software lacks a CVE doesn’t mean it’s secure. Conversely, 90% of CVEs in a codebase may never materialize in execution, creating noise that wastes security teams’ finite resources.”
This inefficiency is exacerbated by the sheer volume of installed software, which continues to grow despite the rise of SaaS. “The amount of software per endpoint is increasing, not decreasing,” says Silva. So, even with the adoption of SaaS, the challenges remain.
The problem is twofold: legacy systems persist in regulated industries like finance and healthcare, while AI-driven code generation enables non-developers (e.g., finance or HR teams) to build internal tools that fly under the radar of IT inventories. “It’s hard to secure what you don’t know about,” Silva adds.
Spektion’s Agentless, Behavior-First Approach
Spektion’s solution focuses on real-time visibility into software behavior, regardless of CVE coverage. Unlike traditional tools that rely on static analysis or agent-based monitoring, Spektion’s SaaS platform passively observes software execution at the system level, identifying risky behaviors such as privilege escalation, insecure system calls, or unauthorized network connections.
“Imagine a junior analyst builds an AI-generated app that inadvertently accepts remote certificates,” Silva illustrates. “There’ll never be a CVE for that, but Spektion flags the behavior — like privilege misuse or unencrypted data transfers — before exploitation occurs.” This approach not only mitigates unknown risks but also enriches existing CVE data with context-specific insights.
Critically, Spektion avoids the “noise” problem inherent in SBOMs (Software Bill of Materials). While SBOMs like those mandated by the Biden administration’s cybersecurity executive order provide component lists, they often highlight vulnerabilities in unused code. “SBOMs are insightful but insufficient,” Silva states. “They may show 10,000 parts in a warehouse, when only 500 are actually used in the car. Security teams end up chasing theoretical risks rather than focusing on what truly matters.”
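To make the SBOM-noise argument concrete, here is an added Python example (not Spektion's code and not from the article) that reconciles a constructed SBOM-style component list against a constructed set of modules observed loaded at runtime, separating CVEs in executing components from dormant ones and flagging loaded modules the inventory never listed; the CVE identifiers are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the article or from any real SBOM):
# a minimal component list with placeholder CVE ids.
SBOM = [
    {"name": "libcompress", "version": "1.2.0", "cves": ["CVE-PLACEHOLDER-1"]},
    {"name": "imgcodec",    "version": "3.1.4", "cves": ["CVE-PLACEHOLDER-2",
                                                       "CVE-PLACEHOLDER-3"]},
    {"name": "netcore",     "version": "2.0.1", "cves": []},
    {"name": "legacyxml",   "version": "0.9.0", "cves": ["CVE-PLACEHOLDER-4"]},
]

# Constructed runtime observation: modules actually loaded into a process,
# including one module the SBOM never listed (an inventory gap).
LOADED_MODULES = {"libcompress", "netcore", "aihelper_plugin"}


@dataclass
class Triage:
    active: dict = field(default_factory=dict)    # component -> CVEs in loaded code
    dormant: dict = field(default_factory=dict)   # component -> CVEs never executed
    unlisted: set = field(default_factory=set)    # loaded modules absent from the SBOM


def triage(sbom, loaded):
    """Split SBOM findings by whether the component was observed executing."""
    result = Triage()
    listed = set()
    for comp in sbom:
        listed.add(comp["name"])
        if not comp["cves"]:
            continue  # nothing to prioritize for this component
        bucket = result.active if comp["name"] in loaded else result.dormant
        bucket[comp["name"]] = list(comp["cves"])
    # Modules that ran but are missing from the inventory are the
    # "hard to secure what you don't know about" case.
    result.unlisted = set(loaded) - listed
    return result


def noise_ratio(result):
    """Fraction of SBOM CVEs that never materialized in execution."""
    active = sum(len(v) for v in result.active.values())
    dormant = sum(len(v) for v in result.dormant.values())
    total = active + dormant
    return dormant / total if total else 0.0


if __name__ == "__main__":
    t = triage(SBOM, LOADED_MODULES)
    print(f"active={t.active} dormant={t.dormant} unlisted={sorted(t.unlisted)}")
    print(f"dormant share of SBOM CVEs: {noise_ratio(t):.0%}")
```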
Industry Implications: Legacy Tech, AI, and the Future
Silva warns that AI amplifies existing risks. Attackers use AI to accelerate vulnerability discovery, while developers leverage AI code generation to build applications without security oversight. “We’ve democratized application development the same way cloud democratized infrastructure,” he says. “But this creates an untracked attack surface.”
Spektion’s platform addresses these challenges by:
- Inventory completeness: Detecting portable applications, shadow IT, and AI-generated tools.
- Behavioral analysis: Identifying exploitation pathways (e.g., credential access, system-level execution).
- Actionable insights: Integrating with existing IT tools to enable mitigations (e.g., blocking risky binaries).
For software producers, Spektion offers a “level playing field” by providing buyers with runtime visibility into security posture. “If a vendor’s secure SDLC claims don’t align with how their software behaves in your environment, you now have the data to demand accountability,” Silva emphasizes.
Conclusion: A Shift Left for Vulnerability Management
Spektion’s approach mirrors the shift-left movement in application security, prioritizing proactive risk detection over reactive patching. As Silva concludes, “We’re not here to clean up the mess after attackers exploit vulnerabilities. We’re giving security teams the tools to stop those vulnerabilities from becoming breaches in the first place.”
With a recent investment from Live Oak Venture Partners and plans to publish research on common software risks, Spektion aims to redefine vulnerability management as a proactive, behavior-driven discipline.