From teenage hacker to the architect behind one of the most widely used penetration testing platforms on the planet, HD Moore’s fingerprints are all over the modern cybersecurity landscape.
Best known as the creator of Metasploit – a tool that reshaped the way defenders and attackers alike understood software vulnerabilities – Moore has spent nearly three decades at the bleeding edge of the industry.
Today, he’s channeling that same disruptive energy into runZero, the Texas-based company rapidly emerging as one of the fastest-scaling names in cyber. His philosophy is simple: “We find what others miss.” By actively scanning environments to uncover hidden devices and exposures, runZero has carved out a niche in an already crowded market, proving there’s still room for bold ideas in vulnerability management.
In this conversation, Moore reflects on his unconventional path into cybersecurity, shares unfiltered views on AI hype, and reveals what it takes to build and scale a security-first company in the heart of Texas.
For those unfamiliar, how would you describe runZero’s core mission and the problems you’re solving?
At its core, our mission is to prevent customers from being breached, especially through things they didn’t know existed in their environment. We help organizations identify everything across their infrastructure – whether it’s a camera in a closet, a cloud workload, or an entire partner-hosted environment.
We then map those assets, connect them to the customer’s broader security systems, highlight exposures, and help them address critical zero-day vulnerabilities where no patches exist. It’s about surfacing the unknowns and vulnerabilities before they become compromises.
What drew you into cybersecurity, and how did your journey lead to founding runZero?
I’ve been in this field for nearly 27 years. My start was in high school as a “hoodlum hacker,” doing things like war dialing and BBS tinkering before the internet became mainstream. That eventually led to a Department of Defense job in San Antonio, despite being too young to qualify for clearance. They paid me out of petty cash to build exploit tools and backdoors, mostly on the offensive side.
From there, I focused on building security tooling to help defenders understand what attackers could do. My biggest project before runZero was Metasploit, which became the world’s most widely used penetration testing platform. It was open source, controversial at the time, but ultimately helped normalize exploit research and disclosure. These experiences really shaped my approach: build tools that empower others and solve real-world problems.
For people trying to break into cybersecurity today, does that same hustle mindset you had early on still apply?
Definitely. In this field, you often need to “do the job before you get the job.” Back in the day, almost nobody had formal security roles – we were all hacking for fun. Today, there are degrees and programs, but the principle’s the same: show your work.
Get involved in open source, do bug bounties, publish security research. It doesn’t have to be groundbreaking, but you need tangible examples that prove you can do the work. Cybersecurity is tedious and grind-heavy, so passion is key. Employers look for people who’ve demonstrated they enjoy doing this enough to spend their own time on it.
Texas has built a strong reputation in cybersecurity. Why did you choose to build and scale runZero there?
Austin’s been my home base since 1988, though I’ve left and come back for various jobs. It’s a fantastic hub for cybersecurity, home to one of the largest infosec groups in the US.
Austin also benefits from being a “second-tier” city for tech companies, attracting top talent who want a better quality of life than on the coasts. Many highly skilled professionals end up here because housing is more affordable and the lifestyle is attractive.
AI and automation are hot topics. How do you see them influencing cybersecurity in the next few years?
Honestly, AI has sucked the air out of the room. Every product now feels like it needs an AI label, but customers are already tired of the hype. Most so-called AI integrations rely on sending your data to a third-party cloud, which introduces security risks.
There are a few practical use cases where AI adds value, but the majority just add complexity and risk. My advice: don’t use AI for the sake of it. Focus on solving real problems.
How do you balance security innovation with the potential misuse of powerful tools?
My whole career has been about this. I gave away exploit tools to the world, endured criticism, and even received threats of jail time. But I’ve always believed that research should be open and accessible. At runZero, we’ve built tools like our Secure Shell testing framework, presented them at DEF CON and Black Hat, and released them open source – even though they can be used offensively.
It comes down to empowerment. Gatekeeping knowledge doesn’t help anyone. Giving people the tools and letting them make informed choices is better than trying to restrict access.
runZero has been recognized as one of the fastest-scaling cybersecurity companies in Texas. What’s been key to attracting and retaining top talent?
Hiring in security is tough. You’re not just hiring developers: you need people who understand vulnerabilities, networking, and customer needs. At a security company, you’re expected to write secure code by default, not rely on a separate team to fix it later.
We often hire people with non-traditional backgrounds – maybe less formal development experience but deep security expertise, or vice versa. We also look for people who can communicate effectively with customers about everything from VXLANs to the latest OT vulnerabilities. Traditional hiring channels don’t work well for us; we rely on referrals, spotting promising junior talent, and looking for those who’ve already built tools or research portfolios.
Sustaining growth is always a challenge. How do you plan to maintain momentum into 2026?
We bootstrapped for two and a half years, getting to $1M ARR before raising money. That gave us discipline: we don’t hire faster than revenue supports. Our headcount growth is tied directly to customer wins. Every big client brings unique feature requests, and we scale the team to deliver on those.
The philosophy is simple: sell more, then hire more. Growth is gated by real demand, not vanity metrics.
When building teams, what skills or mindsets do you value most?
We look for “T-shaped” people… those who go deep in one area but can stretch across others.
Strong communication skills are also essential. You can’t just rely on ChatGPT to handle customer conversations; you need to be able to empathize, explain, and respond in real time. Those softer skills are often harder to find among engineers but just as critical as technical depth.
Vulnerability management is a crowded space with many sizable, legacy players. How does runZero differentiate?
We consistently find assets and exposures other tools miss. You can try runZero without talking to a salesperson – spin up a free trial, point it at your network, and we’ll show you what no one else told you about.
A big reason is approach: we don’t just wait on passive monitoring; we actively crawl the entire environment. We’ll discover every subnet and device, look behind switches, and safely interact with PLCs and controllers at the bottom of the Purdue stack.
Passive-only tools often miss devices that aren’t “speaking,” and depending on where they’re deployed, they may not see certain east–west or north–south traffic. Because we operate at that lowest layer and actively enumerate, we come back with much deeper, more complete asset detail.
At the heart of runZero is a simple but powerful idea: surface real risk before it surfaces you. Our discovery approach and ability to perform in-depth fingerprinting allows us to surface risks faster and more comprehensively than other tools, whether it’s zero days or vulnerabilities that simply aren’t detectable by other solutions. We map environments comprehensively, giving customers the actionable data they need to immediately reduce exposure.
Looking back, have mentors played a role in your journey?
A bit of both. I’ve always been self-sufficient, but I did reach out to people I admired when I got stuck – folks like Dan Farmer, Tom Tacek, and Tim Newsham, who did pioneering research in the ’90s.
I don’t lean on mentors constantly, but when I do, I make sure it’s for a real problem. That balance of independence and occasional guidance has served me well.
Finally, what’s next for runZero?
We’re not trying to be everything to everyone. We won’t replace your EDR, antivirus, or firewall. Our goal is to do a few things exceptionally well and provide security teams with world-class exposure management that makes their jobs easier and more effective
The current market is in a consolidation phase, with customers under pressure to reduce tool sprawl. That makes growth challenging – you have to be so good at your niche that customers are willing to fire two other vendors just to bring you in.
That’s our focus: being the best at what we do, so we remain indispensable even in tough market cycles.
