In an era where artificial intelligence is hyped as the ultimate replacement for human labor, Ross Haleliuk makes a contrarian and vital claim: the future of cybersecurity belongs not to algorithms, but to the specific, often invisible class of software engineers who build them. While the industry fixates on AI generating vulnerabilities, Haleliuk argues that the same engineers are the only ones capable of architecting the defenses that scale. This is not a generic plea for hiring; it is a forensic look at the hidden architects behind the world's most valuable security firms, revealing a talent gap that AI cannot fill.
The Invisible Architects
Haleliuk dismantles the myth that security products are primarily the domain of security specialists. He points out that the giants of the industry—Palo Alto Networks, CrowdStrike, Zscaler, and Cloudflare—were not built by security engineers alone, but by software engineers who understood how to productize security. "What most in the industry don't realize is that behind every successful security company is a software engineer you've never heard of," Haleliuk writes. This observation reframes the entire industry's talent strategy. Instead of chasing security certifications, the most critical asset is the ability to build robust, scalable software.
The author illustrates this by highlighting figures like Yuming Mao, the chief architect of Palo Alto Networks, whose contributions are foundational yet whose public profile is nearly non-existent. Similarly, Haleliuk notes the crucial role of Fengmin Gong in designing the threat engines that defined the next-generation firewall. "It's fascinating how big a role brilliant Chinese engineers played in the early days of Palo Alto, yet history has largely lost their names," Haleliuk observes. This erasure of technical founders is a recurring theme, suggesting that the industry's narrative often prioritizes the CEO's vision over the engineer's execution. Critics might argue that this focus on the "invisible" engineer ignores the necessity of security domain knowledge, but Haleliuk counters that domain experts identify the problem while software engineers are the only ones who can translate that knowledge into tools that actually scale.
"While founders and CEOs often get the credit for the vision and execution, not nearly enough is said about the engineers who turn that vision into reality."
The piece also touches on the tragic absence of Lee Holloway, the third co-founder of Cloudflare, whose technical genius architected the platform before he stepped down in 2015 due to a rare form of dementia at age 36. Haleliuk uses this story to underscore the human cost and the fragility of relying on a single technical visionary. "The truly tragic story that few people in the industry know is what happened to the brilliant technologist behind Cloudflare," he writes, reminding readers that these platforms are built by people, not just code.
The Israeli Model and the Product Gap
Shifting from individual stories to systemic analysis, Haleliuk examines why Israel has become a powerhouse in cybersecurity. He attributes this success not just to military units like Unit 8200, which has historically served as a talent incubator since the late 1990s, but to a unique cultural pipeline. "There are relatively few software engineers who combine 3 attributes: Having a background in software engineering and experience building customer-facing products, Having experience, understanding, or passion for security, Having experience working at a startup or otherwise shipping products 0 to 1," Haleliuk explains. This triad is rare in the United States, where security talent often lacks product-building experience, and product talent lacks security depth.
The author draws a sharp distinction between writing automation scripts for an internal team and building a product for thousands of organizations. "Product engineering means understanding how to design for reliability, performance, onboarding, and long-term maintenance," Haleliuk argues. This is a crucial distinction for the current market, where companies are struggling to adapt to cloud sprawl and supply chain attacks. The argument suggests that the "shift left" movement failed because it treated security as an add-on rather than a core engineering discipline. "The idea that software engineers are going to get excited about doing security work has proven to be, at best, overly optimistic and, at worst, a somewhat delusional fantasy," Haleliuk admits, before pivoting to his real point: engineers are already defining the industry; they just aren't always recognized for it.
"Every breakthrough in cyber, be it endpoint or cloud security, has been built through the hands of software engineers who took ambitious visions and translated them into working products."
Haleliuk's analysis of the US talent market is particularly biting. He notes that while the US has more security talent than Israel, it lacks the specific blend of startup agility and product rigor. "A person who has worked at any of the big companies can be a great fit for a startup, but someone who has only worked at big companies for a decade or longer is less likely to successfully adapt," he warns. This challenges the conventional wisdom that experience at tech giants like Google or Microsoft automatically translates to startup success. The counterargument here is that large companies provide necessary infrastructure and scale experience that startups lack, but Haleliuk maintains that the ability to "cut corners" and iterate quickly is a distinct skill set that cannot be taught in a corporate environment.
The AI Paradox
The piece concludes with a direct challenge to the prevailing narrative about artificial intelligence. As the industry fears AI will replace engineers, Haleliuk posits that AI actually increases the value of top-tier talent. "I can go as far as to say that for a startup, attracting great software engineers is much more important than having a great idea," he asserts. The logic is that AI is a force multiplier, not a replacement. "The real breakthroughs will come not from AI itself, but from the best engineers who know how to use AI to get even better," Haleliuk writes.
This perspective is particularly relevant given recent data showing a 20% increase in high-severity vulnerabilities since 2024, driven by AI-enabled attackers. If bad actors are using AI to exploit weaknesses faster, the defense must be built by engineers who can leverage AI to scale their own solutions. "For founders, the lesson is also pretty clear: think of AI as a tool for engineers, not as a replacement," Haleliuk advises. He calls for an environment of autonomy and ownership, arguing that the best engineers need room to innovate, not just to execute code generated by machines. "Hire great engineers and give them what they need to do their best work - autonomy, support, recognition, and an environment surrounded by other brilliant minds," he concludes. This is a call to action for the executive branch and private sector alike: invest in the human capital that builds the infrastructure of the future, rather than chasing the illusion of automation.
Bottom Line
Ross Haleliuk's argument is a necessary correction to the industry's obsession with AI and executive branding, successfully re-centering the narrative on the software engineers who actually build the defenses we rely on. The piece's greatest strength is its evidence-based focus on the specific, often overlooked technical founders of major security firms, but it risks oversimplifying the complex transition required for enterprise engineers to adapt to startup dynamics. As the threat landscape evolves, the most critical variable will remain the human ability to architect systems that can outpace automated attacks.