Imagine you’re a CISO. You’ve just signed a six-figure contract for “offensive security” services—penetration testing, red teaming, the works. You feel safe. You’ve done your due diligence, right?
Now imagine learning that the founders of that startup are convicted fraudsters. One did time for wire fraud. Another for identity theft. They’re not just selling you security. They’re selling you access to your own systems—and they’ve proven they can’t be trusted.
This isn’t a hypothetical. It’s happening right now. And it’s the most dangerous trend in cybersecurity you’ve never heard of.
Welcome to the world of “offensive security” startups founded by people with rap sheets. The logic is perverse: who better to break into systems than people who’ve literally done it for profit? But that logic ignores a fundamental truth: security is built on trust, and trust requires integrity.
I’ve spent years covering the cybersecurity industry, watching startups pop up overnight, pitch their wares, and disappear when the heat gets too high. But this one is different. This one feels like a betrayal by design.
The startup in question—let’s call it “BreachForge”—marketed itself as a cutting-edge offensive security firm. Their pitch deck? Flawless. Their tech demos? Impressive. Their background checks? Never happened. Because if they had, no legitimate investor would have touched them.
Here’s the part that should make you angry: the founders’ criminal pasts were an asset, not a liability, in the eyes of some venture capitalists. The narrative was that they “learned from their mistakes” and could now use their skills for good. But the line between offensive and defensive security is dangerously thin, especially when the people crossing it have already shown they respect no boundaries.
This isn’t about rehabilitation. It’s about a market that has normalized gray-hat ethics to the point where past crimes are seen as a credential. “Oh, you’ve hacked for money? Great, you’ll understand the adversary.” That logic is a ticking time bomb.
Consider the implications. These companies often require unfettered access to client networks. They see your architecture, your vulnerabilities, your crown jewels. If a founder with a history of fraud decides to go rogue—or if they’re simply tempted by a quick payday—the damage could be catastrophic. And because the startup itself is unregulated, there’s no oversight. No external audit of the founders’ behavior.
The most dangerous security threat isn’t a hacker. It’s the person you paid to protect you, who has already shown they can’t be trusted.
Now, I’m not saying every startup founded by a felon is a disaster. People can change. But the cybersecurity industry is unique: it requires absolute trust because the stakes are absolute. You can’t have a “maybe trustworthy” person guarding your digital vault. It’s all or nothing.
The twist? This story is likely just the tip of the iceberg. I’ve heard whispers of similar startups founded by ex-hackers, ex-scammers, even ex-terrorist financiers. The venture capital community is so hungry for growth in the offensive security space that they’re willing to ignore due diligence. And why? Because the returns are enormous, and the consequences—if they come—will fall on clients, not on investors.
So here’s my take: if you’re evaluating a cybersecurity vendor, do a background check on the founders. Not just the company. Ask for references that go beyond the tech. And if something feels off, walk away. Because the cost of trust is far lower than the cost of betrayal.
This isn’t a cautionary tale about one startup. It’s a warning about an entire ecosystem that has confused criminal instinct with expertise. In security, character is not optional. It’s the entire product.
FAQ
Q: How can a startup with convicted felon founders legally operate?
A: There's no federal law barring felons from founding cybersecurity companies, unless their crime specifically involves computer fraud or they are on a restricted list. Many states have licensing requirements, but they're often easy to bypass. The lack of regulation is a core part of the problem.
Q: What practical steps should I take when vetting a security vendor?
A: Beyond standard tech evaluations, run background checks on all founders and key executives. Look for criminal records, civil suits, and regulatory actions. Ask for client references that specifically discuss trust and integrity, not just technical performance. Also, check if the company has external oversight or a board with independent members.
Q: Isn't it possible for former criminals to be rehabilitated and run an ethical security firm?
A: Rehabilitation is real, but the cybersecurity industry's trust requirements are extreme. A single slip can expose thousands of clients. Until there's a track record of years of clean behavior and external verification, the risk is too high. The burden of proof should be on the founders, not on the clients.