What you'll learn
The CISO's job in M&A is to put a dollar on the risk, not to play Dr. No — the Yahoo deal still closed, just $350M smaller.
Unifying offensive and defensive operations is no longer a future state; it's how Ultraviolet Cyber is positioning the carve-out of Black Duck's services business.
The volume of AI-generated code is forcing AppSec to evolve from gating to enablement, with threat modeling and architecture as the new high-value work.
Description
Ira Goldstein has lived inside more cybersecurity M&A deals than almost anyone in the industry will see in a career. As executive chair and CEO of Ultraviolet Cyber, founder and CEO of Kernel Advisory, and previously COO of Herjavec Group, he's been the operator on dozens of acquisitions and the advisor on many more. This episode lands the same week Ultraviolet announced its acquisition of Black Duck's application security services business — a carve-out that signals where unified security operations is actually heading.
The substantive thread of the conversation is how a security leader should actually show up to an M&A process. Most CISOs are pulled into deals late, treated as a checkbox on the diligence package, and asked to prove a negative — that nothing scary is hiding in the target. Ira's reframe is sharper: the security leader's job is to translate uncovered risk into a dollar number that the deal can absorb. The Verizon-Yahoo deal still closed after the breach disclosure, just at $4.4B instead of $4.8B. The CISO who can do that math credibly stays in the room. The one who reflexively says no doesn't get invited to the next deal.
The second half of the conversation is on what's actually changing in services. AI-generated code is producing volumes that traditional AppSec gating cannot keep up with. The role of the AppSec engineer is shifting from finding bugs to threat modeling, architecture, and developer enablement — because the scarce skill in the next five years is no longer typing code, it's reasoning about systems. Ultraviolet's bet on unifying offensive and defensive operations under one roof is a direct response to that — the pen test PDF that gets emailed over to the SOC manager three weeks late is a workflow that needs to die, and that's the gap the carve-out is intended to close.
What we cover
"do you have a seat at the table?" — the structural question every CISO should be asking about M&A
"the goal of diligence is not to scuttle the deal" — risk management at the M&A scale, with the dollar on the line
"the Yahoo lesson" — Verizon still closed for $4.4B; the breach moved the price, not the deal
"threat hunts on the target before close" — the indemnification trap of finding nothing when something is there
"the Black Duck carve-out" — Ultraviolet's bet on unified offensive and defensive services
"the AppSec engineer is not going away" — how the role is shifting from gatekeeping to architecture
"there is no security-first IDE yet" — why AI-generated code remains an organizational problem first
"CISOs buy career insurance" — and what that means for how cyber vendors should go to market
Thank you to our Sponsors:
Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North.
Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending.
The conversation
Get a seat at the table — and earn the right to keep it
Ira's framing of the CISO's M&A role is direct. Many security leaders find out about a deal a week before it closes, then get told to hustle through paper diligence with no real ability to influence the structure. The first job is structural — figure out who runs corporate development at your organization and build the relationship that gets you in the room months before the deal lands, not days. The work doesn't begin when the data room opens; the work begins when the target gets identified.
Do you have a seat at the table?
Once you're in the room, the second job is to be useful. M&A is risk management at the highest scale — you're balancing the upside of the deal against everything that could go wrong, and the security leader's value-add is to surface the things the rest of the deal team can't see. That requires building the risk register from the outside in: public attack surface, industry-typical threat profile, regulatory exposure, the second-order risks the company isn't telling you about. Showing up with that already done is what gets you invited to the next deal.
The goal of diligence is not to scuttle the deal
The biggest mistake Ira sees from security leaders new to M&A is conflating diligence with veto power. The deal team isn't trying to find reasons not to buy the company — they're trying to confirm that the upside still outweighs the downside, accounting for what diligence surfaces. The Yahoo case is the canonical example. Verizon discovered the breach during diligence, did the math, and reduced the price from $4.8B to $4.4B. The deal still closed. The cost of a $350M reduction was meaningful but proportional, and the security work was useful precisely because it could be priced into the transaction structure.
We're very good at pointing out the risk, not as good at charting the path forward
The harder, higher-value work is figuring out how to keep the deal alive when something material is found. That means coming back with compensating controls, integration sequencing, time-bound remediation plans, and a credible cost figure. The CISO who does that gets to drive future M&A strategy. The one who only says "this is a problem" gets routed around.
Threat hunts on the target — and the indemnification trap
A more advanced practice Ira flagged is doing threat hunts on the acquisition target before close, with appropriate access to systems. That capability is genuinely valuable for surfacing active compromise that paper diligence can't catch. The trap is the legal exposure that comes with it. Once you've done the hunt and confirmed nothing's there, your company is going to lean on your finding. If something turns up post-close that the hunt should have caught, that's now your problem, not the seller's.
The right posture is to scope the work clearly, document the limits of what was checked, and never let the deal team treat the threat hunt as a guarantee. The indemnification language matters as much as the technical work. This is not a place for a rookie CISO to over-promise.
The Black Duck carve-out and unified security operations
The strategic logic behind Ultraviolet's acquisition of Black Duck's services business is that the existing market structure — defensive vendors who don't talk to offensive vendors — produces an artifact every CISO has lived with. The pen test PDF arrives, gets emailed to the SOC manager who didn't know the test was happening, gets emailed to the dev lead who has moved on to other work, and the loop never closes. UV's thesis is that offensive and defensive should sit inside one services partner so that findings flow both ways in real time.
The timing is driven by the AI-generated code wave. Volumes are objectively higher and quality is, for now, objectively lower. Supply chain dependencies in AI-assisted IDE output are deeper than most developers realize — third-party packages and open-source code being pulled in without explicit awareness. Ultraviolet's customer advisory board ranked AppSec as the #1 priority area, and the Black Duck services team brought the talent and depth to scale into it quickly.
The AppSec engineer is changing, not disappearing
Ira's view on the AppSec engineer's career path is consistent with the pattern across all the senior security operators on the show this season. Scarcity of developers isn't a thing anymore — there's a glut of generalists. What's scarce is the ability to threat-model effectively, architect for security, and enable developer teams to ship secure code at AI-driven volumes without slowing them down. The AppSec professionals who get good at that work are going to be in high demand. The ones whose value was tied to running the same scanner and writing the same finding report will struggle.
The "magical security IDE" question is the right one to ask, and Ira's answer is honest. The dream of an autocomplete that knows your security context end-to-end is real but distant. Most code is dependent on prior work and third-party libraries the model can't fully reason about. The near-term reality is more application security testing, more architectural enablement, and a continuing investment in threat modeling as the discipline that makes the rest of the program work.
Cyber go-to-market: trust, presence, and "CISOs buy career insurance"
The closing segment of the conversation went after the broader cyber GTM problem. There are 4,000+ cybersecurity companies in the US, most with overlapping feature sets, all competing for the same CISO inbox. The companies that stand out aren't the ones with the biggest RSA booth — they're the ones that show up consistently, deliver measurable results, and earn trust through repeated small wins. The Stuart-Conor-Ira convergence on this is consistent: buyers are emotional, peace of mind matters more than feature checklists, and CISOs are buying career insurance as much as they're buying technology.
The B-Sides / CSA local chapter / field practitioner conference circuit is the underrated brand investment. A senior practitioner presenting at a regional Cloud Security Alliance meeting in Hyderabad does more for a vendor's credibility with a technical buyer than the same dollars spent on a Black Hat booth would. Ultraviolet's customer-facing time discipline — every executive on the road every week, tracked in Slack — is the operating practice that turns brand into revenue. Trust is built one accountable interaction at a time.
Show notes
Guests — Ira Goldstein, Executive Chair and CEO of Ultraviolet Cyber; founder and CEO of Kernel Advisory; previously SVP and COO of Herjavec Group; board member at Rogers Cybersecure Catalyst
Books mentioned — none
Frameworks / models / tools named — Ultraviolet Cyber Unified Security Operations (offensive + defensive); the Black Duck application security services carve-out; SOC 2 Type 2 (referenced as baseline diligence); pre-close threat hunting on M&A targets; CTEM; MDR; AppSec testing; Kroll M&A Update; Altitude Cyber's weekly deal review
Other people / shows / resources referenced — Verizon / Yahoo deal (referenced as the canonical breach-during-M&A example, $4.8B → $4.4B); Proofpoint / Hornetsecurity (~$1B); Palo Alto / CyberArk ($25B); F5 / Fletch (with Grant call-out); Snyk / Invariant Labs; Lovable (referenced as an example of consumer-grade AI app generation); Black Hat / RSA conferences (referenced re: marketing spend); Cloud Security Alliance Hyderabad chapter (referenced as field-practitioner brand investment); HSBC NYC and SF cyber innovation events (Stuart's open invite); Andreessen Horowitz, NightDragon, SYN Ventures, Ballistic Ventures, Notable Capital (Stuart's HSBC event speakers)
Hosted by Conor Sherman and Stuart Mitchell.