Zatko had been hired by co-founder Jack Dorsey after a series of high-profile breaches at Twitter, but Dorsey’s attention was elsewhere. Agrawal, the company’s former chief technology officer, was responsible for many of the security decisions Zatko faulted before Agrawal succeeded Dorsey.
Widely known by his old hacker handle Mudge, Zatko was a pioneer in the security industry during the 1990s. He later ran cybersecurity grant-making at the Defense Advanced Research Projects Agency, worked on special projects at Google and built up the security department at payment company Stripe.
His reputation for blunt speech grew from his split with Twitter and likely scared off a number of prospective employers.
But Rapid7 chief executive Corey Thomas said he admired Zatko’s candor and commitment to figuring out which security investments actually help.
“In order to move our industry forward, we must educate organizations on how and what to measure to ensure we are making the right investment,” Thomas said. “Peiter’s extensive experience in this field and his work around measuring cybersecurity practices will be invaluable for both Rapid7 and our customers.”
Rapid7 sells security tools and offers services including penetration testing, serving 44 percent of the Fortune 500 largest U.S. companies by revenue. It is not afraid of controversy, being widely known as the maintainer of Metasploit, an open-source hacking tool that adds new techniques within hours of their disclosure.
A co-founder of the company was Chad Loder, now an activist documenting racist and far-right attackers, including some who participated in the Jan. 6, 2021, riot at the Capitol. Loder was banned from Twitter by an order from owner Elon Musk, according to a former employee who saw a screenshot of the notes accompanying the decision.
After his termination from Twitter in January 2022, Zatko filed his whistleblower complaint with the Securities and Exchange Commission, arguing that Twitter’s security was so bad that it violated a previous Federal Trade Commission settlement agreement, and that its failure to warn shareholders of that constituted fraud. Among other things, he said half the company’s servers were running out-of-date software and that thousands of engineers had full access to Twitter’s code base with little monitoring of their activity.
Musk, who is also chief executive of Tesla, seized on the disclosures in an unsuccessful attempt to back out of buying Twitter for $44 billion.
The SEC shared Zatko’s complaint with Congress, which held a hearing in September and pledged to improve oversight for the sake of privacy and national security. The SEC, FTC and European agencies are still probing Zatko’s claims.
Zatko declined to talk about Twitter’s turmoil since its takeover by Musk, which has included outages and the removal of many safety experts along with about three-fourths of its employee base.
As “executive in residence” at Rapid7, reporting to Thomas, Zatko said he planned to work with chief information security officers and boards that are “hungry for how to evaluate their investments in cyber — is it paying off, can they predict the likelihood of problems?”
Data can be painted to make a security posture seem great or terrible, and vendors try to make ordinary capabilities seem magical.
All the way back to DARPA, where he introduced a framework for analyzing the effectiveness of security programs, Zatko said he has been “trying to bring data with context to security.”
“We’re at an inflection point in the field where we can measure cyber, whether the investments are having a positive or negative impact. And there are some forces that might be against that.”
