
Interview With Heimir Fannar Gunnlaugsson – CEO at Nanitor by Shauli Zacks


Shauli Zacks

Published on: July 20, 2025
Content Editor

Heimir Fannar Gunnlaugsson is no stranger to leadership. With over two decades of experience in steering tech and service-driven organizations, including nearly a decade at Microsoft, Heimir joined Nanitor in mid-2023 to help the company sharpen its go-to-market strategy and scale its impact. What drew him in? A platform that delivers real results, a team with deep cybersecurity expertise, and a clear mission: to make Continuous Threat Exposure Management (CTEM) operational, not just theoretical.

In this SafetyDetectives interview, Heimir shares how Nanitor cuts through the noise of cyber risk, why smart prioritization beats chasing CVEs, and what’s next for the company as it doubles down on AI, integrations, and actionable security.

Can you introduce yourself and talk about the journey that led you to become the Nanitor CEO?

My name is Heimir Fannar Gunnlaugsson, and I’ve been leading businesses for over two decades. My background is mostly on the leadership and sales side, where I have been establishing services companies, mostly selling Microsoft-related services, as well as representing SAP through a Core Banking project with a company named Applicon. I worked 8 years for Microsoft, 6 and a half as Country Manager for Iceland and 1.5 as an EMEA Business Application lead, focusing on ISVs and the Microsoft sales channel. In July 2023 I joined Nanitor as the company was looking to strengthen its sales and marketing strategy. I really liked what I saw with Nanitor; we were actually delivering on the promises we made to our customers. The team was also very strong, with great industry knowledge and a fantastic development team. I thought that my experience could help Nanitor.

What is Nanitor’s mission, and what makes it stand out from the competition in the CTEM market?

Nanitor exists to eliminate the chaos of cyber threat exposure. Our mission is simple: make continuous threat exposure management (CTEM) operational, not theoretical. While others in the CTEM space offer shiny dashboards and complex risk scoring, we focus on precision and action.

What sets us apart is our relentless focus on reality over reporting. We don’t just map exposures; we pinpoint exactly where your security posture breaks down, tie it directly to exploitable issues, and guide your team on fixing it. We deliver deep, continuous visibility across hybrid environments without the integration nightmares or months-long deployments. Our Nanitor Diamond shines, as we often say – and that means it is so easy to understand for our customers that it always stands out.

Many security teams struggle with alert fatigue and endless vulnerability lists. What do you think organizations get wrong about prioritization, and how can they shift their mindset?

Just because a vulnerability scanner finds 10,000 CVEs doesn’t mean you have 10,000 problems, and, especially, they are not all equally important. We want our customers to trust our Nanitor Prioritization scoring so that they build automatic processes around what Nanitor finds.

To shift the mindset, teams need to start with impact—what can actually be exploited in your environment, given your specific architecture, privilege paths, and controls. Nanitor bakes that context in. We reduce the noise by showing what’s exploitable right now, not what might be serious in the context of your asset inventory. We give our customers a prioritized list instead of a long list of 10,000 items.

With security teams often stretched thin, what’s the biggest operational mistake you see when it comes to managing cyber risk across large environments?

Trying to boil the ocean. Teams burn out chasing “full coverage” without understanding which gaps actually matter. The result is constant reactive fire-fighting, zero strategic progress.

The better approach is to instrument intelligently and act surgically. Map your critical assets, understand privilege escalation paths, and continuously test your assumptions about exposure. If your security efforts aren’t measurable and prioritized by business impact, you’re just rearranging deck chairs.

Nanitor helps teams move from reactive to proactive by continuously validating where risk converges—not just where it exists.

Integrating CTEM across hybrid and cloud environments can be tricky. What architecture or integration challenges have you encountered, and how did you solve them?

There is no silver bullet – it is just relentless work to support as many environments as Nanitor does. This is the result of 11 years of work with many different customers and partners that we are really proud of. I guess the biggest mistake is trying to duct-tape legacy tools onto modern, hybrid environments. You end up with data silos, incomplete telemetry, and a CTEM platform that’s half blind.

We tackled this at Nanitor by putting all our faith – and our customers – on our agent-based deployment, giving customers the security and trust Nanitor brings. Our architecture allows for external feeds of information, but we recommend using our Agent for the reliable analytics we have been offering for over a decade. We also integrate with IAM and CMDBs to keep our asset inventory continuously accurate—no more stale spreadsheets or guessing games.

Integration isn’t just about connectors—it’s about designing for maintainability and observability at scale.

CTEM is then an additional flavour to what we have been doing for our customers all these years. The 5-step approach CTEM offers is the proven process Nanitor has stood for over many years. CTEM was actually a gift from Gartner to Nanitor – as we see it – because there is a perfect match.

Looking ahead, what’s your roadmap for Nanitor in 2025–2026? Are there new AI capabilities, deeper platform integrations, or vertical-specific use cases on your radar?

Absolutely. 2025–2026 is all about advancing Nanitor’s AI-driven prioritization engine to support our customers even better, since their lives are not only a CVSS score. We’re also deepening integrations with EDRs, SIEMs, and ticketing platforms to drive closed-loop remediation workflows. We are also partnering up with other vendors, further strengthening our asset-based approach, and hopefully we can announce this during Q4 2025. This will, in our mind, make Nanitor stand out in relation to comparable offerings.

But here’s the bottom line: we’re not chasing buzzwords. We’re delivering continuous, contextualized, fixable security that’s actually useful. That’s the bar—and we’re raising it.
