      Securing Coders and Developers with Zero Trust for Code: Insights from Ken Ammon, Chief Executive Officer at CodeHunter

      Ken Ammon, Chief Executive Officer at CodeHunter

      ExtraMile by SecureITWorld is back with another informative Q&A session, revealing critical insights into the cybersecurity space from industry leaders and decision-makers. We aim to simplify cybersecurity so that you stay informed and secure in the tech-first world.

For today’s discussion, we are accompanied by Ken Ammon, Chief Executive Officer of CodeHunter, a frontrunner in zero trust for code. The firm moves the decision point away from traditional, after-the-fact security practices toward evaluating software before it is deployed and run. For this purpose, CodeHunter combines static control-flow analysis with data-flow analysis to create a Behavioral Intent Profile.

Our guest, Ken, brings over three decades of experience in cybersecurity. He started his career as an Air Force officer at the NSA, and he combines that extensive leadership background with a mission-centric perspective as he guides CodeHunter in addressing modern cybersecurity risks.

Join us as we explore zero trust for code, supply chain attacks, AI-generated malware, manual reverse engineering, and more with none other than a thought leader from the SecureTech space.

      Welcome, Ken; we are thrilled to host you today!

      1. You began your career as an Air Force Captain at the NSA. What is the one mindset or tactic attackers use that most private-sector CISOs still overlook?

      Ken. The biggest thing many CISOs still underestimate is that attackers do not think in terms of individual alerts or isolated tools. They think in terms of access, persistence, and leverage. They look for the fastest path to execution, then they adapt their code to evade whatever detection model is in front of them.

      That matters because most private-sector programs are still organized around identifying known bad artifacts after the fact. Attackers have already moved on. They assume their malware will be inspected, so they mutate it constantly. The better mindset is to stop asking, “Have I seen this before?” and start asking, “What is this code capable of doing if it runs?” That shift is where defense gets much stronger.

      2. You have called your mission Zero Trust for Code. But most people think Zero Trust is just about logins and identity. Why do such presumptions still prevail, and how would you guide people and organizations in this regard?

      Ken. Those presumptions prevail because identity was the first place Zero Trust took hold in a visible way. People naturally associate it with users, devices, and access control. That is still important, but incomplete.

      Software also exercises privilege. Code reaches into endpoints, cloud workloads, CI/CD pipelines, and automation systems. Once you recognize that, the logic becomes straightforward: if a user should not be trusted by default, neither should a software artifact. My guidance is simple. Extend Zero Trust to the point of execution. Do not trust code because it is signed, familiar, or came from a known source. Verify what it is programmed to do before it runs, then enforce a deterministic policy decision based on that evidence. That is the practical meaning of Zero Trust for Code.

3. Every firm says they trust their vendors. With supply chain attacks surging 431% since 2021, is trusted software actually the most dangerous category of code in enterprises today?

      Ken. In many environments, yes, because trusted software gets the benefit of the doubt. It is exactly the code most likely to move quickly through approval processes and into production. That makes it a highly attractive vehicle for attackers.

      The real issue is not whether software came from a vendor you recognize. The issue is whether the artifact you are about to execute is behaviorally consistent with what your policy allows. Supply chain attacks work because organizations still use origin, reputation, or signatures as a proxy for trust. Those signals are no longer enough. Trusted software becomes dangerous when trust is inherited instead of verified.

      4. CodeHunter received the 2026 Global InfoSec Award recently at the RSA Conference. How does the acknowledgment boost the firm’s advanced behavioral malware analysis initiatives?

      Ken. Awards do not validate the technology by themselves, but they do help the market pay attention to problems it has been slow to confront. In our case, the recognition helps shine a brighter light on behavioral malware analysis and on the need to move from probabilistic detection to deterministic trust decisions.

      What matters most to us is that it validates the urgency of the category. Security teams are overwhelmed, AI-assisted malware is mutating faster, and legacy approaches are struggling to keep pace. Recognition at RSAC helps accelerate conversations with security leaders who already know the old model is under strain and are looking for a more defensible way to decide what software should be allowed to execute.

      5. AI-generated malware is expected to bypass traditional signatures or patterns by up to 1000% in the next two years. How does CodeHunter’s malware hunting solution outperform in this regard?

      Ken. The exact percentage will vary, but the direction is clear: AI makes it easier for attackers to change a file’s form without changing its purpose. That is why signature-heavy and pattern-heavy models are under pressure.

      Our approach is different because we are not asking whether this artifact matches a known sample. We are asking what it will do if it runs. Behavioral intent analysis looks at execution patterns, system interactions, privilege use, persistence behavior, and other indicators that reveal purpose rather than appearance. That lets us identify malicious intent even when the artifact is obfuscated, newly generated, or never seen before. In other words, we are not chasing mutations; we are evaluating behavior.

      6. Manual reverse engineering takes weeks, but CodeHunter does it in minutes. Which key aspects contribute to such performance?

      Ken. The speed comes from automation and from avoiding the bottlenecks built into traditional workflows. Manual reverse engineering depends on scarce expertise, time-intensive analysis, and often sandbox-based detonation. That does not scale.

      CodeHunter automates the deconstruction process. It combines static control-flow and data-flow analysis with parallel dynamic observation to model execution paths, system interactions, privilege use, and persistence behavior. That produces a Behavioral Intent Profile quickly, without waiting for full runtime detonation. The result is deep forensic visibility in minutes, with enough explainability to support real enforcement decisions rather than just another suspicious score.

7. Security teams are burning out on thousands of alerts, which include both critical and hoax ones. Give us two practical strategies to overcome this challenge.

      Ken. First, reduce the number of ambiguous alerts entering the system. Too many tools still generate probability-based findings that require a human to decide what is real. Security teams need more authoritative verdicts upstream, before execution, so they are not spending their day sorting “maybe malicious” from “actually malicious.”

      Second, standardize response around explicit policy and evidence. When every artifact is evaluated against the same behavioral criteria, teams can automate the allow, block, contain, or escalate decisions consistently. That cuts alert fatigue, reduces analyst burnout, and lets people spend their time on genuine threats instead of repetitive triage.

      8. If you could mandate one reform in how private companies manage their code, what would it be, and how would you make sure it’s realistically implemented?

      Ken. I would require every organization to establish a pre-execution trust gate for software artifacts. No code should be allowed to run in production, on an endpoint, or in a build pipeline based solely on origin, signatures, or reputation. It should first be evaluated for behavioral intent and checked against enterprise policy.

      To make that realistic, companies do not have to rip out everything they already have. They can implement it as an out-of-band control that integrates with existing endpoints, cloud workflows, CI/CD pipelines, and security tooling. That is how adoption happens in the real world: not by adding theoretical policy, but by giving teams a practical enforcement point that reduces workload while improving control.
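The pre-execution trust gate described in answers 7 and 8, as an added illustration that is not CodeHunter's code and makes no claim about how its platform is built: a fixed, explicit policy table is applied to a behavioral profile, every artifact gets one of the allow, review, quarantine or block decisions from the same rules, and the signer or vendor is kept as evidence for the analyst but never consulted for the verdict. The profile shape, the behavior labels, the rule names and the sample artifacts are all assumptions constructed for this example.

```python
"""Deterministic pre-execution policy gate over a behavioral intent profile.

Added example: the profile format, behavior labels, rules and sample
artifacts are assumptions made for illustration, not CodeHunter's data
model or policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Verdict(str, Enum):
    ALLOW = "allow"
    REVIEW = "review"
    QUARANTINE = "quarantine"
    BLOCK = "block"


# Fixed severity order so the most restrictive fired rule always wins.
SEVERITY = {Verdict.ALLOW: 0, Verdict.REVIEW: 1, Verdict.QUARANTINE: 2, Verdict.BLOCK: 3}


@dataclass(frozen=True)
class IntentProfile:
    """What the artifact is capable of doing if it runs (assumed shape)."""
    artifact: str
    behaviors: FrozenSet[str]
    signed_by: Optional[str] = None  # recorded as evidence only, never consulted for the verdict


@dataclass(frozen=True)
class Rule:
    name: str
    requires: FrozenSet[str]  # every listed behavior must be present for the rule to fire
    verdict: Verdict


# Hypothetical enterprise policy: ordered, explicit, and identical for every artifact.
POLICY: Tuple[Rule, ...] = (
    Rule("credential-access-with-egress", frozenset({"credential_access", "network_egress"}), Verdict.BLOCK),
    Rule("persistence-with-privilege-escalation", frozenset({"persistence", "privilege_escalation"}), Verdict.BLOCK),
    Rule("process-injection", frozenset({"process_injection"}), Verdict.QUARANTINE),
    Rule("persistence", frozenset({"persistence"}), Verdict.REVIEW),
    Rule("network-egress", frozenset({"network_egress"}), Verdict.REVIEW),
)


def evaluate(profile: IntentProfile, policy: Tuple[Rule, ...] = POLICY) -> Tuple[Verdict, List[str]]:
    """Return the verdict plus the names of every rule that fired, as the evidence trail."""
    fired = [rule for rule in policy if rule.requires <= profile.behaviors]
    if not fired:
        return Verdict.ALLOW, []
    worst = max(fired, key=lambda rule: SEVERITY[rule.verdict])
    return worst.verdict, [rule.name for rule in fired]


def gate(profiles: List[IntentProfile]) -> Dict[str, Dict[str, object]]:
    """Run the gate over a batch; origin metadata sits beside the verdict for explainability."""
    report: Dict[str, Dict[str, object]] = {}
    for profile in profiles:
        verdict, evidence = evaluate(profile)
        report[profile.artifact] = {
            "verdict": verdict.value,
            "evidence": evidence,
            "signed_by": profile.signed_by,  # visible to the analyst, irrelevant to the decision
        }
    return report


# Constructed sample profiles (not real artifacts).
SAMPLE_PROFILES = [
    # Signed by a known vendor, yet reads credentials and talks to the network: blocked anyway.
    IntentProfile("vendor-updater.exe", frozenset({"credential_access", "network_egress"}), signed_by="Example Vendor Inc"),
    # Unsigned internal script with no flagged behavior: allowed on evidence, not on reputation.
    IntentProfile("rotate-logs.sh", frozenset({"file_write"}), signed_by=None),
    # Installs a scheduled task but needs no extra privilege: sent for human review.
    IntentProfile("agent-setup.msi", frozenset({"persistence", "file_write"}), signed_by="Example Vendor Inc"),
    # Injects into another process: contained without waiting for an analyst.
    IntentProfile("helper.dll", frozenset({"process_injection", "network_egress"}), signed_by=None),
]


if __name__ == "__main__":
    for name, row in gate(SAMPLE_PROFILES).items():
        print(f"{name:20} {row['verdict']:10} fired={row['evidence']} signed_by={row['signed_by']}")
```

Two design points carry the interview's argument. First, `evaluate` never reads `signed_by`, so an artifact with the same observed behaviors gets the same verdict whether it is signed by a known vendor or not; the signature is inherited trust, and the gate only acts on verified behavior. Second, the verdict is the most restrictive rule that fired, and every fired rule is returned as evidence, so the decision is reproducible and the analyst sees why it was made rather than a bare score.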

      About Our Guest

      Ken Ammon

      Ken is a cybersecurity veteran with more than three decades of experience building and scaling security companies. He previously founded and held executive leadership roles at OPAQ Networks (now Fortinet) and Xceedium (now CA), and earlier founded NetSec (acquired by MCI), a pioneer in managed security services. Ammon began his career as an Air Force Captain supporting the NSA, bringing a mission-driven perspective to modern cybersecurity challenges.

      About Company

      CodeHunter

      CodeHunter is defining a new cybersecurity category — Zero Trust for Code — focused on one of the most overlooked control points in modern environments: execution. While traditional security tools rely on signatures, reputation, or post-execution detection, CodeHunter evaluates software based on what it is capable of doing before it runs.

      The platform performs deterministic behavioral intent analysis on inbound, internal, and third-party software artifacts, including binaries, scripts, and packages. Using a combination of static control-flow and data-flow analysis with parallel dynamic observation, CodeHunter builds a Behavioral Intent Profile that models execution paths, system interactions, privilege use, and persistence mechanisms. From this, it delivers clear, policy-driven decisions (i.e. allow, block, quarantine, or review) without requiring manual reverse engineering or sandbox detonation.

Copyright © 2026 SecureITWorld. All rights reserved.