Cybersecurity Training Gets Personal: The Dune Approach
Dune Security CEO David DellaPelle joins Wharton Tech Talks to discuss how AI and behavior-based intelligence are reshaping the future of enterprise cyber defense.


On this episode of Wharton Tech Talks, Dune Security CEO David DellaPelle joins host Kirk Hachigian to discuss how AI and behavior-based intelligence are redefining enterprise cybersecurity. David shares how Dune was built to address the 90% of breaches driven by human behavior, replacing outdated training with personalized, data-driven risk reduction. He explains how AI-generated threats, from deepfakes to hyper-targeted phishing, are reshaping the human attack surface, and how Dune’s platform quantifies and remediates user risk in real time.
The conversation also explores David’s journey as a founder, from early failures to building in New York’s fast-paced startup ecosystem. He offers insights into resilience, leadership, and how grit, conviction, and timing have shaped Dune into a category-defining company at the intersection of AI and cybersecurity.
Kirk Hachigian: Welcome to Wharton Tech Talks, the official student-run technology podcast of the Wharton School, where we host forward-looking conversations throughout the tech ecosystem. I’m Kirk Hachigian, and my guest today is David DellaPelle, CEO and Co-Founder at Dune Security.
David DellaPelle: Thanks so much for having me, Kirk.
Kirk Hachigian: It’s great to have you here, David. Congratulations on the recent seed round — and I saw the Dune Security billboard in Times Square, which must have been an incredible moment. I’d love to start with the basics: what problem is Dune Security solving, and how did you and Michael get started?
David DellaPelle: Great question. I’ve been in cybersecurity and AI since 2017. Earlier in my career, I was Chief of Staff at an AI startup in Tel Aviv, and I realized something fundamental — the “castle wall” approach to cybersecurity wasn’t working. Most breaches still start with human behavior. In fact, around 90% of them do, whether through phishing, social engineering, insider threats, or business email compromise.
Every company was paying for a solution called “security awareness training,” but it didn’t actually work. In many cases, it was counterproductive. These programs rely on standardized phishing tests and generic videos that treat every employee the same. That’s not how humans learn or behave.
So the founding premise for Dune was simple: what if we could train people only on what they’re bad at, instead of wasting time on what they’re already good at? That evolved into something much bigger — a platform that quantifies and reduces user risk at the individual level.
We now measure user risk comprehensively, then remediate it through targeted interventions — from adaptive training to access controls or performance management — depending on the person’s specific behaviors.
Kirk Hachigian: That makes sense. The human layer really has become the frontline of modern attacks. Could you share an example of how this personalization actually works?
David DellaPelle: Absolutely. The attacks themselves have changed dramatically in the past few years. Five years ago, no one cared about this space. Investors viewed it as commoditized content. But AI changed everything — it turned the human layer into one of cybersecurity’s most active frontiers.
Today, we’re seeing sophisticated deepfake attacks — cloned voices or videos of executives asking employees to perform urgent actions. These deepfakes are nearly imperceptible. And then there’s AI spear phishing — attackers scrape public data from LinkedIn and other sources, then send hyper-personalized emails that look completely legitimate.
We recently released a data report that found users are three times more likely to click on an AI-generated phishing email than a generic one. That’s a massive delta.
To address it, we built Dune’s Business Impact Model, which quantifies risk based on what an employee can access — whether they manage payments, source code, or sensitive systems. Then we simulate real adversaries like Scattered Spider or ShinyHunters across all social engineering channels: email, SMS, encrypted messaging, and deepfakes.
From there, we measure how people perform and adapt the experience accordingly. If someone learns and improves, great. If not, we can apply access restrictions or escalate remediation.
Kirk Hachigian: So you’re combining behavioral data with contextual business risk. What data sources do you use to build those profiles?
David DellaPelle: Exactly. Our primary data comes from user testing and training, but we also integrate what we call risk signals from the broader security stack.
For example, we might pull device compliance data from CrowdStrike or identity data from Okta to detect abnormal logins. That context allows us to create what’s essentially a credit score for user risk — comprehensive, individualized, and actionable.
If you think about it like a credit score: some people get a mortgage, some get denied, and others qualify for premium rewards. We apply that same concept to cyber risk — adaptive, data-driven, and unique to each employee.
Kirk Hachigian: That’s a great analogy. Who is Dune primarily designed for? What kind of organizations are you focused on?
David DellaPelle: We built Dune for the world’s largest enterprises — Fortune 500s with thousands of employees, complex risk profiles, and real budgets to match. We wanted to solve the toughest version of the problem first.
Some competitors in our space target the SMB market with a lighter, product-led motion. That’s fine, but our solution is purpose-built for scale, complexity, and integration with large enterprise environments.
Kirk Hachigian: And when a company adopts Dune, what are they typically replacing?
David DellaPelle: We’re replacing their security awareness training — the legacy model that’s outdated and ineffective. We don’t usually touch the HR learning management system since that covers other topics, but we work directly with the CISO organization to replace their existing security training programs.
Kirk Hachigian: Got it. You mentioned deepfakes earlier. How do you help employees recognize them, given how realistic they’ve become?
David DellaPelle: That’s one of the scariest emerging threats. Many people still don’t realize that a Zoom call could include a completely fabricated participant.
One of our most powerful exercises is what we call awareness through shock. We’ll simulate a company executive — often the CEO — delivering a familiar training message in a video. Ten seconds in, the video reveals it’s a deepfake. That moment of disbelief creates a lasting impact. Employees suddenly realize just how convincing this technology has become.
Kirk Hachigian: That’s a powerful way to make it real. What’s next for Dune? Any upcoming capabilities you’re particularly excited about?
David DellaPelle: Yes — we’re launching something called adaptive workflows. Think of it as the final mile of user risk management. For high-risk users, Dune will automatically trigger actions across the rest of the security stack — for example, identity systems, email security, or network access controls — to restrict privileges in real time.
We’re essentially connecting our user risk intelligence to Zero Trust frameworks, allowing enterprises to grant or restrict access based not only on identity and device but also on behavioral risk.
Kirk Hachigian: How do you think about go-to-market? Are you primarily selling directly to CISOs, or through channel partners?
David DellaPelle: Both. Our direct motion is strong, but the channel is incredibly important for scale. Under our Director of Channel Partnerships, Zack Bagliore, we’ve built strong relationships with major partners who help us reach large enterprise customers efficiently.
We know that having the best product isn’t enough — distribution is the key to dominance.
Kirk Hachigian: And on the brand side, Dune’s made a big splash in a short time. How have you approached awareness and positioning?
David DellaPelle: We’ve focused heavily on organic growth. The Times Square billboard was fun, but most of our traction has come through LinkedIn — leveraging thought leadership rather than paid ads. Some competitors are spending aggressively on Google ads. That’s fine. We’re investing in credibility and substance. Our view is: build the best product, and let authenticity drive awareness.
Kirk Hachigian: Let’s talk about your journey. Many of our listeners are current or aspiring MBA students. How did your time at NYU Stern shape your career path?
David DellaPelle: I went to Cornell for undergrad, then to Israel to help build an AI startup focused on predicting traffic crashes. Later, I joined EY in management consulting, but I always had the itch to build something.
I applied to Stanford and Wharton — got rejected from both — and ended up at NYU Stern’s one-year Tech MBA program on the Andre Koo Scholarship. It was a great experience, though COVID forced it to go remote. More than anything, it gave me the foundation and confidence to build.
Before Dune, I tried to start five different companies. Some were software, one was even a construction business during COVID. None had real traction, but each taught me something. Ultimately, I learned that success takes three things: the right co-founder, the right timing, and full commitment. You can’t do this halfway.
Kirk Hachigian: That’s a great takeaway. A lot of listeners probably feel stuck between stability and the urge to take that leap. How did you make the jump yourself?
David DellaPelle: You either have it in you or you don’t. Founders tend to share two traits: unlimited self-belief and extreme risk tolerance.
When I started Dune, I poured my life savings into it. I lived lean and reinvested everything into the business. It’s not easy — but if you believe in what you’re building, you’ll find a way.
I’ve also been shaped by personal loss. I buried two of my closest friends in my early twenties. That gave me resilience. I can absorb more pain and pressure than most, and that endurance has been critical.
Kirk Hachigian: That’s powerful, David. Switching gears slightly — fundraising is often one of the biggest challenges for founders. How did you approach it?
David DellaPelle: We were fortunate to get early traction with large enterprise customers, which helped us raise efficiently. I probably spent a cumulative month fundraising, stretched over a few months, and we ended up with six co-lead term sheets without running a formal process.
That said, fundraising is tough. You need resilience, structure, and balance — sleep, workouts, systems, delegation. Otherwise, you burn out fast.
Kirk Hachigian: You’re based in New York. How has the startup culture there compared to San Francisco?
David DellaPelle: New York has an incredible hustle culture. San Francisco is more homogeneous — it’s like a one-industry town. I sometimes describe it as The Great Gatsby — incredible innovation side-by-side with real-world chaos.
In New York, it feels more grounded. People balance ambition with life. And we have strong academic partnerships with Columbia, NYU, and Fordham, which helps us recruit exceptional talent.
Kirk Hachigian: On that note, how do you approach hiring and scaling the team while keeping agility?
David DellaPelle: It’s a balancing act. You’re always hiring ahead of revenue and ahead of rounds. We just brought on a Chief of Staff to help us formalize performance management and OKRs.
One thing I’ve done is automate the resume review process. We built a system — using tools like ChatGPT — that takes a job description, creates a quantifiable rubric, and then automatically scores resumes against it. That removes human bias and speeds up hiring.
Kirk Hachigian: Very smart. Any other AI tools you rely on day-to-day?
David DellaPelle: Plenty. We use Perplexity for research, Vanta for compliance automation, and other tools for internal workflow. AI saves us countless hours, especially in areas like procurement, documentation, and candidate screening.
Kirk Hachigian: Finally, what’s your vision for Dune over the next few years?
David DellaPelle: Our goal is to make the user layer a first-class citizen in cybersecurity. For too long, it’s been treated as a compliance checkbox. We’re building the foundational company for user-layer defense — integrating across the stack, quantifying human risk, and driving real outcomes.
We see Dune as the central intelligence layer for user risk — pulling in signals from across the enterprise and powering adaptive, behavioral security at scale.
Kirk Hachigian: David, this has been a fascinating conversation. Thank you for sharing your insights and story.
David DellaPelle: Thanks, Kirk. It’s been great being here.
Kirk Hachigian: And thank you to our listeners. You can find more episodes of Wharton Tech Talks wherever you get your podcasts.
Key Takeaways
- The human layer drives 90% of cyber breaches. Dune Security was founded on the insight that most attacks exploit behavior, not infrastructure, making users the real frontline of modern defense.
- Traditional training is broken. Generic phishing tests and static videos don’t change behavior. Dune replaces them with data-driven experiences that target each user’s specific risk areas.
- AI has changed the threat landscape. Deepfakes, synthetic voices, and AI-generated spear phishing have made human manipulation the most dynamic and dangerous vector in cybersecurity.
- Building in New York brings balance and grit. David credits New York’s grounded energy and academic partnerships with shaping Dune’s culture of execution, ambition, and resilience.
- Endurance defines great founders. From early failures to personal loss, David shares how resilience, conviction, and risk tolerance became the foundation for building Dune into a category-defining company.

