Shauli Zacks
Published on: June 8, 2025
Tony Velleca’s path into cybersecurity wasn’t exactly traditional—starting in aerospace engineering before moving into IT services and eventually serving as CIO and CISO at UST. It was during that time he identified a growing gap in how organizations approached security. That insight led him to found CyberProof, a company focused on helping enterprises modernize their security operations and adapt to an evolving threat landscape. In this SafetyDetectives interview, Tony shares his thoughts on continuous threat exposure management, optimizing existing security investments, and what practical steps CISOs can take to stay ahead.
To start us off, can you share a bit about your background and what led you to found CyberProof?
My background, funny enough, is in aerospace engineering—so don’t ask me exactly how I ended up here. But seriously, around the year 2000, I moved into IT services and started my own company. Not long after, I joined UST, where I served as Chief Information Officer (CIO) and Chief Information Security Officer (CISO). That’s when I realized how strange and complex the security industry was.
Security was becoming a much bigger challenge, and it was clear it would only get worse. As companies started going digital and putting more of their assets online, it became an increasingly critical part of their business. I knew we’d have to think differently about how we handled security. When creating CyberProof, I wanted to create a company that tackles enterprise security problems head-on and solves these problems with innovation and ingenuity.
What’s CyberProof’s core mission today, and how has that evolved to meet the shifting cybersecurity landscape?
CyberProof was formed to tackle complex security problems in large enterprises and help them modernize their security operations to keep up with the changing landscape.
Instead of taking a one-size-fits-all approach or trying to commoditize security, we focused on innovation. From the start, my mission has been to help customers determine where their next best dollar should be spent to reduce risk. When we began, the focus was on regulatory compliance, but that quickly shifted toward defending against actual attacks.
One-time security assessments have been the norm for years. Why are they no longer sufficient in today’s threat environment?
That’s one of my key points. It’s no longer possible to do an assessment once a year and build a roadmap from that. That might have worked five or more years ago, but things change too fast now. You’d find yourself needing to pivot halfway through the year.
Today, the threat landscape and technology both evolve rapidly. We need a continuous assessment process. With advancements in artificial intelligence (AI) and data analytics, we should be able to draw insights from large datasets and adjust quickly. It’s not about big-ticket decisions anymore—it’s about small, tactical ones, like which exposure to patch first or which detection rule to implement next.
The term Continuous Threat Exposure Management (CTEM) is gaining traction—what exactly does it mean, and how does it differ from traditional vulnerability or risk management?
We’ve done continuous vulnerability management for years, but there are a couple of key differences now.
First, security is a lot like insurance—nobody wants to overspend on it, because it doesn’t directly grow revenue. So, historically, we used scanners to give us long lists of vulnerabilities. Over time, we began prioritizing those based on active threats.
The next step is targeting threats that are specific to your organization—based on your industry, tech stack and geography. If you’re in Ukraine, for example, you’re going to be targeted differently. Understanding tactics and techniques relevant to your environment helps you focus your efforts more effectively.
And to me, “exposures” go beyond just CVEs and vulnerabilities. They include cloud misconfigurations, application security issues and even whether your detection systems are configured to actually see those attacks. So exposures can also mean visibility gaps—what you can’t detect or respond to.
Many organizations already have defensive tools in place. How can they optimize what they already have instead of constantly chasing the next solution?
Great question. Security is all about layers. You’ve got Endpoint Detection and Response (EDR), security information and event management (SIEM) tools, cloud posture management tools and other defensive technologies. When you take a MITRE tactics and techniques approach, you can map your existing tools to specific threats and see where you have overlapping coverage—or where you’re missing protection altogether.
That’s what we call portfolio rationalization. Where are you overspending? Can you consolidate tools? Maybe one platform covers what used to take three or four separate products.
Cloud providers like Microsoft and Google are also consolidating their security offerings, which is changing the tool landscape. Integration has always been a challenge—we’ve relied on best-of-breed tools, but making them work together and configuring them properly has been a long-standing issue in the industry.
What are the first practical steps a CISO or security team can take to begin implementing a CTEM strategy—especially in mid-sized enterprises with limited resources?
For midsize enterprises, it’s all about analytics. You need to pull together information to understand your threat environment and explain it clearly to stakeholders. One of the benefits for a CISO is being able to tell the board, “Here’s how safe we are against the threats that matter.”
I like starting from the top down. In December 2024, we acquired a company called Interpres Security, for example. They connect to your existing tools and provide a picture of your threat exposure, without needing major new investments. It’s more about reframing how you approach the problem.
Start with threat actors. Make sure your threat intelligence is actionable across your existing tools, then make decisions based on that. For some midsize organizations—especially if they’re not in the cloud or developing their own apps—it might be more about improving vulnerability management. But for others, it could mean implementing broader exposure and visibility strategies.