Episode #299 - Startup Grind, Will Security Companies Disappear?
The destructive 90-hour startup grind vs. sustainable growth, how the AI hype cycle and security industry cyclical consolidation (buy vs. build) are transforming the future of security companies
This week for the newsletter, we’re rewinding back to Absolute AppSec’s 299th episode with Seth (@sethlaw) and Ken (@cktricky). That said, we did want to highlight that there is a special episode that ran on Monday this week with Professor Brian Glas who came on the episode in the wake of the Global AppSec conference where the recently released OWASP Top Ten was announced. Be sure to check out that timely episode as well as what we’re covering this week in the newsletter.
Episode #299 of Absolute AppSec was about all things startups, funding, and the grind of building a company or being an individual contributor to an earliest-stage endeavor. Specifically, a recent article about AI startup founders putting in long hours to the exclusion of everything else is debated. This is followed by a discussion on the current AI startup hype cycle, spurred by thoughts from @FranklySpeaking, and how security companies in general are acquired and disappear over time. To find this episode, or to tune in to our landmark 300th episode, go to https://www.youtube.com/@AbsoluteAppSec.
“Success is a sustained, long-term growth—healthy business, healthy culture […] you can actually make a lot worse decisions if you’re sleep deprived, much more rash decisions.”
Seth and Ken turned to a Wall Street Journal article that profiles young startup founders logging 90-hour workweeks under the mantra of "no booze, no sleep, no fun." Ken immediately challenged this approach, first questioning the definition of success, arguing that merely raising 51 million dollars, as one founder in the article did, demonstrates only traction, not the sustained, long-term growth he defines as true success. Ken firmly believes that this high-intensity work schedule is fundamentally destructive and that true success hinges on making mindful, high-quality decisions. He further contends that sleep-deprived founders are significantly more likely to make rash decisions and long-term detrimental choices for the business. To elaborate, according to Ken, the most crucial insights and decisions in business are often not obvious, requiring a sharp mind to recognize nuance, a capacity severely diminished when running on exhaustion. Seth concurred, framing the constant grind as inevitably leading to diminishing returns and arguing that failing to take care of oneself or spend time with loved ones will ultimately prove detrimental to the main work activity. Seth pointed out the flaw in the highly publicized "hustle culture," noting that it celebrates only those who work 90-hour weeks and succeed, while the cautionary tales of those who put in the same effort but fail are neither popular nor inspiring.
“The initial narrative for security in general was it was underfunded, understaffed, and we were lacking resources to actually go after security issues within companies and actually fix them. […] All of a sudden, it became security as the behemoth in the room.”
The hosts pivoted to another significant industry topic based on a Substack article by Frank Wong titled "Will security companies disappear?" which analyzed the cyclical nature of the security industry and the transformative impact of AI. Seth observed that the historical narrative of security being perpetually underfunded and understaffed has inverted in large organizations, where teams have grown from small groups, like the AppSec team at GitHub where Ken previously worked, into an internal "behemoth" that is now sometimes perceived as slowing down sales and innovation. Frank Wong's central argument is that modern security teams possess ample resources but often fail to solve the right problems, largely due to an overwhelming number of niche solutions. Ken agreed with this assessment, hypothesizing that AI-assisted coding might speed things up enough to allow internal teams to efficiently build customized tools that are functionally superior to some externally funded startup products. Ken predicts a natural push toward more build-versus-buy considerations, while conceding that established companies like CrowdStrike or Semgrep possess valuable, unique data or strong community-driven rule sets that provide a significant advantage over newer startups.
Seth echoed the sentiment that the security space is cyclical, with new point solutions constantly being acquired by incumbents and the cycle restarting with the next technological hype. He maintained that this spate of security startups actually signals healthy innovation and a healthy market, but that the enduring companies are the ones that successfully build a moat around unique data, service, or intellectual property, confirming the basic business principle that differentiation matters. Ken added a crucial refinement regarding the role of venture capitalists, noting that VCs contribute to the market problem when they pressure companies to prioritize shareholder, VC, and board member opinions over market reality. This can lead to stale product development, as well as misleading hype cycles buoyed by VCs and major CISOs exchanging testimonials to promote companies that may not yet have a functioning product. This ultimately hurts the security ecosystem. Finally, Seth concluded that security companies won't die, but they will continue to evolve and consolidate to meet the constantly shifting market needs and technological landscape.
This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly, users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their latest blog post is written by Absolute AppSec’s very own Ken Johnson, titled, “How We Turned Natural Language Into a Scalable Agentic AppSec Engine.”
Are you shivering? Are your ears displaying unexpectedly pink or red hues? Well, the Absolute AppSec merch store might just have what you’re looking for. Pick out a hoodie or beanie to keep your core temperatures nice and toasty.
And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=4Pw_BJciR5o - Episode #52 - Chris Gates / @carnal0wnage - In contrast to the start-up culture promoted in the article discussed in episode #299, here Chris Gates (carnal0wnage) discusses planning to avoid burn-out and hacking your happiness.
https://www.youtube.com/watch?v=EJdwK82wb6M - Episode #172 - Jimmy Mesta - Kubernetes, Startup Adventures - In addition to some in-depth discussion of Kubernetes security, Jimmy Mesta of KSOC (now Rad Security) provides insight into the nature of start-ups and the decisions one needs to make to give an enterprise the best chance of success.
https://www.youtube.com/watch?v=EoaWnNwSS8o - Episode #200 - Jerry Gamblin - Startups, CVEs - This episode takes stock of AppSec, as the 200th episode was an earlier milestone for the Absolute AppSec show. Jerry Gamblin provides insight into start-ups, but more from an investing perspective. CVEs, understandably, also make an appearance.
Absolute AppSec Happenings
https://owasp.org/Top10/2025/0x00_2025-Introduction/#whats-changed-in-the-top-10-for-2025 - Let's compare and contrast the OWASP Top 10 of 2021 to 2025, which features two new categories and one major consolidation, while continuing to prioritize classifying security risks by their root cause over their symptoms.
https://franklyspeaking.substack.com/p/we-need-to-solve-the-security-poverty - An investigation of the cybersecurity poverty line that divides companies that can afford to be strategic in their security programs from those that can't. When we solve this problem, we help everyone.
https://devansh.bearblog.dev.ai/slop/ - AI slop is bigger than ever. This garbage can account for up to 20% of submissions for projects like curl, wasting thousands of hours of limited volunteer time, leading to severe maintainer burnout and an exodus from critical open-source projects. The author suggests a shift toward mandatory AI disclosure in reports, raising the bar for valid proof-of-concept, and critically, providing real monetary compensation to maintainers to ensure the long-term sustainability of the open source ecosystem.
Upcoming Events
Where in the world are Seth and Ken?
November 20-21, 2025 - Harnessing LLMs for Application Security - VIRTUAL TRAINING - Our classic training for dev and sec alike. Participants will gain a deep understanding of LLM functionality, strengths, and weaknesses, and learn to craft effective prompts for diverse use cases.
December 8-11, 2025 - Next-Gen Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat Europe in London, UK. This is a great opportunity to get a truly in-depth understanding of Secure-Code Review and how it can be empowered through LLM-tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.
April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!
