Quantro Security: What Happens When the Cost of Cyberattack Goes to Zero
Mehul spent years at Tenable learning to write vulnerability signatures. The job required reading codebases he hadn't built, identifying the difference between old and new versions, isolating the vulnerable path, and crafting a precise exploit without crashing the system on the other end. "I sucked at it," he says. "But it took a lot of time to master this craft."
Then AI arrived. The skill he'd spent years developing dropped in cost to near zero. "So now an attacker can essentially build a functional exploit with just a prompt." Attack campaigns that once required months of specialized engineering work can now be assembled in minutes.
That insight became the foundation of Quantro Security, which just came out of stealth with an AI agent platform built for cyber defense. In a recent episode of BUILDERS, Mehul shared how this thesis shaped not just what they built, but every decision behind where and how they're taking it to market.
Defenders in the Wrong Gear
Mehul's argument doesn't need a long setup: if AI makes offense cheaper and faster, defense has to move at the same speed. "You need AI-native defense against AI-native offense," he says. The problem is that most enterprise security teams are still running on static, rules-based tools that weren't designed for this pace.
The playbook itself hasn't changed: inventory your systems, patch them, secure them, repeat. What has changed is the time window defenders have before attackers move through it. Legacy vulnerability management platforms surface data. They don't reason over it. They tell you what they found. They can't tell you what to do next, in what order, given what your organization can actually act on today.
The Category Trap
When Quantro came out of stealth, the obvious move was to slot into an existing market: CTEM, risk-based vulnerability management, exposure management. Mehul rejected all of them.
"Are you a CTEM player? Are you a risk-based VM player? Are you a VM player? Well, no, no, no, none of that," he says. The existing categories frame the problem as tool replacement. That's not what Quantro does. "We don't replace the tools. We just make their existing tools much more, much more effective."
The shift was to frame Quantro as the "user interface of record" rather than a "system of record." Most AI companies pitch themselves as replacements for the HubSpot or Salesforce equivalent in their domain. Mehul calls that framing unrealistic in enterprise — large organizations aren't ripping out entrenched infrastructure based on an AI pitch. Quantro's play is different: connect everything you already have into one interface and let the agents do the work across it.
The Barbell Map
Mehul uses a framework he calls the "barbell problem" to describe the competitive landscape. On one end sit the hyperscalers. "They are a mile wide, a millimeter deep. So they claim to do everything, but do nothing really well," he says. These platforms often get bundled into enterprise agreements, so customers end up using them by default and develop a perception of doing something with AI while extracting little actual value.
On the other end are siloed point tools. They're excellent within their specific domain — cloud security, infrastructure vulnerability management — but they operate in isolation from the organization they're protecting. A cloud security tool has no context about what the infrastructure team is managing. The data stays siloed.
Between these two sits the enterprise customer, trying to make sense of investments already made. "We come in, we become the connective tissue," Mehul says. The goal is to make everything purchased work together and translate fragmented data into decisions.
The 50% Problem
When Mehul talks to security prospects, the same operational reality surfaces: roughly half of the team's time disappears before any meaningful security work begins. "Almost 50% of the time is triaging false positives, reaching out to the people," he says.
Asset ownership is unclear. Handoffs break down. Someone patches something but two weeks later no one has confirmed it was done. The follow-up cycle never ends. None of it moves the risk needle. The agents absorb that work — freeing the security team for the decisions that actually matter: where to put the next dollar of budget, which exposures are most likely to be exploited, what's achievable given 10 hours of available capacity.
Selling What Buyers Can't Picture
The hardest part of the go-to-market isn't the competitive landscape. It's that many buyers don't yet have a mental model for what Quantro is selling. "Sometimes we have to educate the market because when we go and pitch these solutions, this almost seems like the customers are driving a horse buggy and we are pitching a self-driving car," Mehul says.
Buyers ask if Quantro can do ticketing. Yes — but that's the least interesting thing on the platform. The harder capability to explain is an agent that can reason across an entire enterprise security dataset, surface risk the human team missed, and act on it without requiring a prompt for every step. The vision Mehul is building toward flips the interaction model entirely: agents that know your organization well enough to initiate, with humans approving rather than directing.
His own team is the proof of concept. A small group backed by coding agents handles work that once required dedicated headcount. He envisions the same structure for security operations — a lean, elite team at the center managing a fleet of purpose-built agents across vulnerability management, compliance, pen testing, threat intelligence, and risk reduction planning. "Your organization is secure; it doesn't show up on the front page of the Washington Post or New York Times," he says. That's the outcome. The question is how many defenders build toward it before the attack surface shifts beneath them.