You may have heard of Joe Sullivan if you’re plugged into the world of cybersecurity. He is one of the most sought after speakers when it comes to security trends and best practices, and is also an active advisor through his company Joe Sullivan Security LLC.
He recently wrote on LinkedIn that his word of the year in 2026 is runtime. “The bottom line is that existing security efforts are falling short and we need to shift our focus on securing AI to invest more in runtime monitoring,” Sullivan writes. “As security AI ‘transformation’ budgets come into shape, the best bang for the buck will be investing in visibility at the time the AI agents are in action. No amount of advance screening will get us to a place where we can 100% trust probabilistic solutions without real-time oversight.”
This explains Sullivan’s most recent move: joining the board of directors at StackHawk. Over the past couple of years, StackHawk has emphasized the importance of dynamic testing, known as DAST (dynamic application security testing, to be complete). In a world where AI is simultaneously better at humans at scanning static code, as well as finding more vulnerabilities than teams can realistically keep up with, it makes sense that in 2026 cybersecurity professionals will focus more of their energy on what happens when code is actually dropped into an environment and running in production.
Joni Klippert, CEO and co-founder of StackHawk, writes in an official statement that “Joe works with just a select few companies at a time, only joining when he clearly sees where the industry should head. His conviction in runtime testing validates what customers are telling us.” Those customers include British Airways, ITV, and Norstella.
Sullivan’s resume speaks for itself. At Meta, he built the security program during the company’s rapid expansion from startup to global platform. At Uber, he led security through a period of intense regulatory scrutiny and organizational transformation. At Cloudflare, he helped scale security for the internet infrastructure protecting millions of websites worldwide. He’s been at the forefront of massive technology shifts and how cybersecurity needs to respond for two decades.
But this is likely the largest paradigm shift yet. And if anyone claims to know exactly what AI will and will not be able to do in the future, we should be a bit skeptical.
What’s clear today is that traditional 3rd party code scanners from security vendors are becoming more unnecessary in the wake of native solutions offered by powerhouses like Claude. The puck is heading towards dynamic runtime testing as the greatest opportunity for cybersecurity professionals to have an impact. We’ll keep an eye on StackHawk’s updates throughout 2026.
