The Flight Delay That Launched A Cybersecurity Rocketship - Dune Security
Dune Security CEO David DellaPelle joins CyberBytes to discuss AI-driven social engineering, insider threats, and how user-layer intelligence is reshaping cyber defense.


On this episode of the CyberBytes podcast, host Joseph Cooper talks with Dune Security CEO and Co-Founder David DellaPelle about why traditional security awareness programs can no longer keep pace with AI-driven social engineering and insider threats. David explains how Dune replaces outdated one-size-fits-all training with automated, behavior-driven defense that quantifies and reduces user risk in real time. He breaks down how the platform simulates multi-channel attacks, analyzes behavioral and contextual signals, and adapts testing, training, and controls to each individual’s risk profile. This targeted approach gives security teams continuous visibility into who is most likely to enable a breach and delivers individualized remediation at the scale modern enterprises require.
The conversation also explores David’s journey as a founder and the early insight that led to Dune’s category-defining approach to User Adaptive Risk Management. He shares how talking directly with CISOs at global organizations shaped the platform, how a chance meeting with his technical co-founder set the company in motion, and how the rapid evolution of AI has expanded both attacker capabilities and defensive opportunities. David offers a forward-looking view on the rise of non-human identities, the growing importance of user-layer intelligence, and how Dune is positioning itself at the front of a rapidly shifting cybersecurity landscape.
Joseph Cooper: Welcome to another episode of CyberBytes, the podcast where we break down the most important conversations in modern cybersecurity. I am your host, Joseph Cooper, and my guest today is David DellaPelle, CEO and Co-Founder of Dune Security.
David DellaPelle: Thanks for having me, Joseph. Great to be here.
Joseph Cooper: It is great to have you on. Before we get into the work you are doing at Dune Security, I would love to set the stage. Where are you joining us from today?
David DellaPelle: I am in New York City, down in Tribeca. I have lived in the city for more than a decade, and I grew up in the area, so New York has always been home.
Joseph Cooper: I love it. And fun fact, I actually met your co-founder David Otto at Black Hat last summer at Mandalay Bay, where your team was making a lot of noise. That was the moment I first came across what you are building. I am really excited to dig in deeper today. But first, let us start where we start with all our guests. How did you get into cybersecurity?
David DellaPelle: It was not a straight path. After graduating from Cornell, I went to Tel Aviv to work for an AI startup called Waycare Technologies. They were ingesting unlimited data sources to predict road risk, traffic crashes, and congestion with the goal of saving lives. I stayed there for about six months before moving back to New York to work in management consulting at Ernst and Young. I learned a lot about how to operate in business, but I had an itch to get back into building something.
One of my good friends, James Alvarez, was at Perimeter 81. He pulled me in to help across a wide range of revenue functions, including business development, account management, operations, and even some product strategy. That was my real entry point into the cybersecurity industry.
Joseph Cooper: And Perimeter 81 had a pretty incredible growth story, right?
David DellaPelle: Yes. I was there for two full years. During that time the company grew from 2 million to 18 million in ARR. That triple triple growth pattern is what every investor wants to see. We eventually raised at a valuation above one billion dollars in 2021. It was an amazing team and a great experience. The company was later acquired by Check Point.
Joseph Cooper: Incredible. And I have to ask, how did you meet your co-founder Michael? I heard there is a story there.
David DellaPelle: There is a story. Michael and I met completely by chance on a plane. We were both flying to Portugal. There was a four hour delay at JFK because of a cybersecurity issue that had taken systems offline. They were checking passengers in manually. When we finally boarded, Michael was sitting across the aisle from me on a mostly empty plane. We started talking. The flight was diverted to the Azores for a layover, which gave us even more time to talk. I shared the early version of my idea with him, he started adding to it, and it was a very natural fit. He had the technical background, and I had everything else. That was the start.
Joseph Cooper: As far as founder stories go, that is an incredible one. So when did the idea for Dune Security really take shape?
David DellaPelle: After my time at Perimeter 81 I joined a cyber insurance company to run security product strategy. During that period I kept coming back to one statistic. Around 90 percent of breaches still start with human behavior. And the industry has been relying on a solution that does not actually solve that problem. The legacy approach to security awareness training has not kept pace with deepfakes, multi channel attacks, AI driven spear phishing, smishing, vishing, and everything else attackers can do today.
I realized there had to be a better answer. If you could bring in unlimited input data about users, you could generate something similar to a credit score for user risk. And if you could quantify that risk at the individual level, then you could remediate it at the individual level. That was the spark, and that vision has stayed the same for a long time.
Joseph Cooper: Let us talk about that vision. Give us the clear overview of what Dune Security does and how the platform works.
David DellaPelle: Security awareness today is a standardized solution, and that is exactly why nobody pays attention to it. Low risk employees waste time. High risk employees are not held accountable. And CISOs end up with an adversarial culture between security teams and end users.
We built something completely different. We created a set of small language models over the last two years. The first is our Business Impact Analysis model. It pulls in simple data on users and determines their risk level. Once we understand that, we can launch user adaptive testing across phishing, SMS, encrypted channels, and many other vectors. We can also deliver user adaptive training tailored to both risk and role. We call this user adaptive risk management.
Seventy percent of users are low risk, and we reduce the amount of training they need and give them time back. About twenty five percent fall in the moderate range, and user adaptive testing and training brings their risk down. Then you have the top five percent who are high risk. For that group, you need security control adaptation. You need to lock down their environment. We enable that.
Joseph Cooper: For that five percent, are you seeing mostly negligent behavior, or is it malicious?
David DellaPelle: It is a mix. What surprised me most while building the company is how many malicious insiders actually exist in large organizations. You only see it when you have a system that continuously red teams users across multiple channels. Legacy solutions do not reveal that. A single phish-prone percentage does not tell you much. When you look across channels with continuous testing, the patterns become clear.
Joseph Cooper: Let us talk about social engineering. What is different about your approach?
David DellaPelle: Everything we send to a user is based on their risk and their role. A low risk employee will not receive irrelevant training or tests. We save them time. A moderate or high risk employee will get specific guidance on exactly where they need to improve. We check whether they actually improve. If they do not, that is when it becomes time to lock their access down.
Our risk score is also comprehensive because we bring in data from the rest of the security stack. It is not just simulations or content. It reflects user behavior across the environment.
Joseph Cooper: You have some impressive customers, including Fortune companies. Any success stories you can share?
David DellaPelle: One that stands out is Culligan. Their CISO, Amir Niaz, told us that security awareness used to feel like a chore for employees. With Dune, people now talk about their risk scores over coffee. It has become part of the culture. It is gamified by nature because it behaves like a credit score. People compare scores, they pay attention to what drives changes, and they want to improve.
Joseph Cooper: I love that. Let us shift to AI. How has the evolution of AI changed both the threat landscape and the work you do at Dune?
David DellaPelle: Three years ago ChatGPT had just been released. Since then there has been a massive wave of capital going into open source and closed source foundational models. We rely on guardrail models for safety. Attackers do the opposite. They look for the most powerful models with no guardrails at all. ChatGPT is not the only model available, and attackers know that.
AI spear phishing is now the number one way attackers break into companies. They use open source intelligence from platforms like LinkedIn to craft individualized messages at scale. They can send thousands of high quality spear phishing messages in the same amount of time that it used to take to send a few dozen. Both quality and quantity have surged.
Joseph Cooper: I saw that you have built a very large bench of CISO advisers. How are they influencing the product?
David DellaPelle: Those advisers played a huge role in shaping the early stages of Dune. I started working with them in November 2023. Many of them have already completed their vesting periods. They provided clear guidance on exactly what to build. The reason they joined is simple. Our idea market fit was on point from day one. We knew the exact problem we were solving. Execution was the only challenge. Now there are younger players entering the space, which validates the market, but we have a multi year head start.
Joseph Cooper: Looking ahead over the next three to five years, where is Dune Security going?
David DellaPelle: We built the foundational model for user risk. I use the term user intentionally. Not every user is human. There is an emerging category of non human identities and agentic systems. Humans are still the primary users in companies, but the future will include more non human identities. If we are building the industry standard credit score for user risk, it has to include all types of users. That is where we are headed. With increased capitalization we will continue hiring top technical talent to accelerate that future.
Joseph Cooper: David, this has been fantastic. Thanks for coming on the show, and I look forward to catching up at the next conference.
David DellaPelle: Thank you, Joseph. I appreciate the conversation.
Key Takeaways
- Security awareness has not kept pace with modern threats. Traditional programs rely on standardized content that users ignore, leaving high-risk individuals unaccountable and low-risk individuals frustrated by wasted time.
- Early idea-market fit drove rapid traction. Before building the product, David spoke directly with enterprise CISOs who validated the need for individualized user risk scoring and user-specific, omni-channel testing. Their input shaped Dune’s roadmap long before competitors entered the space.
- AI has transformed the scale and sophistication of social engineering. Attackers now use open-source intelligence and unguarded AI models to craft personalized spear phishing at massive volume. Deepfakes, synthetic voices, and multi-channel attacks are now routine.
- Insider threats are more common than most organizations realize. Continuous red teaming across channels reveals both negligent and malicious behavior that often goes unseen by traditional approaches.
- User-layer intelligence is becoming essential for modern defense. David explains why enterprises need continuous visibility into individual behavior, on top of infrastructure signals, to understand who is most likely to enable a breach and why.

