Dom Richter, Co-Founder at Mondoo – Interview Series

Dom Richter, Co-Founder at Mondoo is a seasoned product leader with deep expertise across modern software development, product design, and team leadership. With a background spanning backend, frontend, and automation technologies, he has led high-performing engineering teams through a culture of trust, experimentation, and purpose-driven innovation. His work intersects AI, cybersecurity, and DevOps, where he emphasizes collaboration, continuous learning, and delivering meaningful value to end users.
Mondoo is a security and compliance automation platform that empowers organizations to continuously assess, monitor, and secure their infrastructure across cloud, on-premises, and hybrid environments. By leveraging policy-as-code and machine learning–driven insights, Mondoo helps teams identify vulnerabilities, enforce compliance standards, and strengthen security posture without slowing down innovation. The platform integrates seamlessly into modern DevOps workflows, making continuous compliance an achievable reality for enterprises of all sizes.
What inspired you to co-found Mondoo, and how did your background as a hacker and product leader—along with your experiences at Google, Chef, and earlier startups—shape the company’s mission?
When I was in the trenches breaking into systems as part of my job as a pentester, I found a lot of easily preventable weaknesses. At the same time, security was often so focused on flooding users with alerts that they lost sight of what mattered. Back then I thought, “There must be a simple button I can press to fix these things.”
I then switched sides and started to defend systems. I learned how to properly operate things at scale, with automation and code. This is useful whether you’re running a small home network or operating a large tech company. The ideas are the same. Ultimately it was this combination of security and platform engineering that motivated me to co-found Mondoo. I wanted to make a difference in the state of security, not just add another scanner that generated more alerts. I find it very motivating to see how our customers are able to quickly improve their posture with Mondoo, after being stuck for years. Several customers have told us that Mondoo reduced their open vulnerabilities by 60%, which is a great result. We’re trying to get that number up to 100% with our agentic vulnerability management.
You’ve described remediation—the process of actually fixing vulnerabilities after they’re discovered—as a myth. Why do you believe the industry continues to invest heavily in scanning and reporting while leaving teams struggling to carry out the fixes?
This is largely the result of how security and platform teams are set up, especially in larger organizations. For the longest time we treated them as separate entities, each with their own goals, tools, and priorities. But Conway’s law proves what happens: you ship your org chart instead of solving the problem. I have seen both teams point fingers at the other – often for very good reasons.
We are now finally experiencing a shift in the industry, where companies realize they want more out of security. They don’t want a business blocker. They want a driver. Thanks to forward-thinking leaders who are now emerging to push the boundaries, we are finally seeing a shift in the industry and in the solutions.
How can organizations overcome the cultural rift between security and DevOps teams that often slows down remediation?
DevSecOps is a good start; you need to bring developers and security closer together. You can hire cross-functional roles that can help bridge the gap like SecOps engineers or Platform experts with a security background. Also physically bringing teams together helps. It’s crucial that leadership encourages and plays a role in this process as well. Establish shared goals and metrics and track them.
To support your teams, you then want to bring tooling and technology together. I’m not talking about just dumping security tickets into ticketing systems. You want to establish a shared model that gives both teams what they need. For example, we found that automating vulnerability fixes where we give platform teams enough context and most importantly the specific fix that they need to apply helps them execute much faster on requests. The more you combine this with automation and create change-requests in the automation systems (like Terraform and Ansible), the easier it is. You also want to have a good communication path back, i.e. make it easy for platform teams to object, get exceptions, and report systemic issues. All of this encourages collaboration and bridges the gap.
In your view, what role should leadership play in creating accountability and collaboration around fixing security issues?
As leaders we have two major contributors to our teams’ ability to execute: what we communicate and what we measure. If leaders only talk about collecting findings and pointing to other teams as the bottleneck, then their teams will treat it in the same way. If they measure the number of security issues and not their quality and actions taken, then teams will optimize for that.
We create the right conditions by working with other leaders across boundaries, acknowledging the shared nature of this area, and focusing on shared outcomes rather than siloed metrics. Time and time again we see that when leaders tackle the shared problem together, they achieve more for their individual teams and more for the business, because they drive the outcomes that matter.
Risk scores are widely used yet often lack context, and alert fatigue overwhelms many teams. How should organizations rethink prioritization so that the right issues get fixed?
For effective prioritization you need business context and technical context. Business context includes knowing which digital assets keep the lights on at your company and need to be protected to maintain your good reputation. For example, the database containing users’ private pictures or the gateways that process all website traffic are of higher priority than test systems that aren’t connected to the internet. When we look at security findings, we must know the business context. If you show “critical” on a low priority finding, your teams will get desensitized and not take it seriously. If an issue truly is critical, you need to clearly show why.
Next is technical context. This means knowing the system, its configuration, location, tags, apps, packages, and users. But that’s not all. You need to uplevel your view. You must understand how a security issue can expose your critical systems, how they are connected and integrated, by not just looking at one or two individual systems, but by looking at them as a cluster. We also need to know how these systems are automated and built to quickly tell people where to look and how to fix the issue at its root.
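The two answers above describe re-rating scanner findings with business context (which assets keep the lights on) and technical context (exposure, known exploitation) so that a “critical” label always comes with a reason. The following is an added illustration of that idea, not Mondoo’s code; the asset tiers, the rank adjustments and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    tier: str              # business context: "crown_jewel", "standard" or "test"
    internet_facing: bool  # technical context: reachable from the internet?

@dataclass(frozen=True)
class Finding:
    asset: Asset
    finding_id: str        # placeholder ids below, not real CVEs
    scanner_severity: str  # what the scanner reported: "low".."critical"
    exploit_known: bool    # technical context: exploitation known in the wild?

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}

def contextual_severity(f: Finding) -> tuple[str, list[str]]:
    """Re-rate a scanner finding with context; return (severity, reasons)."""
    rank = SEVERITY_RANK[f.scanner_severity]
    reasons = [f"scanner rated it {f.scanner_severity}"]
    if f.asset.tier == "crown_jewel":          # assumed +1 for critical assets
        rank += 1
        reasons.append(f"{f.asset.name} is a business-critical asset")
    elif f.asset.tier == "test" and not f.asset.internet_facing:
        rank -= 2                              # assumed -2 for isolated test boxes
        reasons.append(f"{f.asset.name} is an isolated test system")
    if f.asset.internet_facing:
        rank += 1
        reasons.append(f"{f.asset.name} is reachable from the internet")
    if f.exploit_known:
        rank += 1
        reasons.append("a public exploit exists")
    rank = max(1, min(4, rank))                # clamp to the low..critical scale
    return RANK_SEVERITY[rank], reasons

def prioritize(findings: list[Finding]) -> list[tuple[Finding, str, list[str]]]:
    """Order findings so the ones that matter to the business come first."""
    rated = [(f, *contextual_severity(f)) for f in findings]
    return sorted(rated, key=lambda r: SEVERITY_RANK[r[1]], reverse=True)

# Constructed sample assets and findings (placeholder ids, not real CVEs)
PHOTO_DB = Asset("photo-db-01", "crown_jewel", internet_facing=False)
GATEWAY = Asset("edge-gw-01", "standard", internet_facing=True)
TEST_BOX = Asset("test-vm-07", "test", internet_facing=False)
SAMPLE_FINDINGS = [
    Finding(TEST_BOX, "CVE-XXXX-0001", "critical", exploit_known=False),
    Finding(GATEWAY, "CVE-XXXX-0002", "medium", exploit_known=False),
    Finding(PHOTO_DB, "CVE-XXXX-0003", "high", exploit_known=True),
]
```

Run `prioritize(SAMPLE_FINDINGS)` to see the scanner’s “critical” on the isolated test VM drop to medium while the exploited bug on the photo database rises to critical, each with its reasons attached.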
As attackers increasingly weaponize AI, how can defenders use AI responsibly to stay ahead without creating new risks?
Using AI greatly multiplies your ability to fix vulnerabilities, and do so at machine speed. However, if AI systems are not secure, they can potentially introduce new risks to the environment. When deploying AI-powered systems, it’s important to ensure that they use a secure and transparent architecture, and enable thorough logging and event monitoring. By restricting agent permissions to only what is necessary for completing assigned tasks, risks can be kept to a minimum. Further guardrails, such as allowing users to interrupt or shut down Agentic AI systems when necessary, and conducting regular audits on the agents and their actions, are also something that I would highly recommend.
What guardrails do you believe are essential when granting automation the ability to remediate in production environments?
For every action that an automation can take, you need guardrails in place to make sure it acts within its expected scope. If you create an AI agent and give it free-roaming access to your entire infrastructure, it will break things sooner or later.
Luckily we understand guardrails really well thanks to the tireless work in platform automation over the last two decades. Modern automation systems have restrictions in place that control what actions can be taken. At Mondoo we combine AI-driven remediations with adversarial policy frameworks that check their actions. Any remediation is created in code, can be tested, verified, and most importantly restricted when necessary.
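The guardrails described in the last two answers (least-privilege agent permissions, an operator kill switch, a policy that checks every proposed action before it runs, and remediations expressed as reviewable code) can be sketched as a scope policy evaluated against each proposed change. This is an added example, not Mondoo’s policy framework; the environments, actions, asset names and limits are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Remediation:
    target: str       # asset the change would be applied to
    environment: str  # "test", "staging" or "production"
    action: str       # e.g. "upgrade_package", "restart_service", "delete_resource"
    change: dict      # the concrete, reviewable change, e.g. {"package": ..., "version": ...}

@dataclass(frozen=True)
class ScopePolicy:
    allowed_actions: dict       # environment -> set of actions the agent may take there
    allowed_targets: frozenset  # explicit asset allowlist; "*" is deliberately unsupported
    needs_approval: frozenset   # environments where a human must approve before execution
    max_targets_per_run: int    # blast-radius limit for a single automation run
    halted: bool = False        # operator kill switch: deny everything while set

def check_remediation(r: Remediation, p: ScopePolicy) -> tuple[str, list[str]]:
    """Return ("allow" | "approve" | "deny", reasons); any deny reason wins."""
    reasons = []
    if p.halted:
        reasons.append("automation halted by operator")
    if r.target not in p.allowed_targets:
        reasons.append(f"target {r.target} is outside the allowlist")
    if r.action not in p.allowed_actions.get(r.environment, set()):
        reasons.append(f"action {r.action} is not permitted in {r.environment}")
    if not r.change:
        reasons.append("remediation carries no concrete change to review")
    if reasons:
        return "deny", reasons
    if r.environment in p.needs_approval:
        return "approve", [f"{r.environment} changes require human sign-off"]
    return "allow", ["within policy scope"]

def check_run(batch: list[Remediation], p: ScopePolicy) -> list[tuple[Remediation, str, list[str]]]:
    """Evaluate a whole run; refuse it outright when it touches too many assets."""
    if len({r.target for r in batch}) > p.max_targets_per_run:
        return [(r, "deny", ["run exceeds max_targets_per_run"]) for r in batch]
    return [(r, *check_remediation(r, p)) for r in batch]

# Constructed sample policy (assumed environments, actions and asset names)
POLICY = ScopePolicy(
    allowed_actions={"test": {"upgrade_package", "restart_service"},
                     "production": {"upgrade_package"}},
    allowed_targets=frozenset({"web-01", "web-02", "test-db-01"}),
    needs_approval=frozenset({"production"}),
    max_targets_per_run=2,
)
```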
How do you see the balance between human-led and machine-driven remediation evolving over the next five years?
Similar to self-driving cars, we will see teams adopt machine-driven automation in more and more areas, one step at a time. They will start by first focusing on a subset of the security scope, such as lower priority systems, and introducing agentic automation for it, creating metrics and tracking goals, and then incrementally rolling it out. Once this is automated, you expand to other areas.
Ultimately, the automation focus should be on areas that are large in scale with many similarities. Those benefit the most from the consistency that automation brings. I believe in five years all major remediation actions will be machine-driven and systems will be tightly integrated between security and platform operations.
What is your long-term vision for how vulnerability management should look by the end of this decade?
By the end of the decade, vulnerability management will have a much stronger focus on automation and remediation. Our job as security specialists will be more focused on evolving this automation, working with platform teams on securing their evolving IT environments. These systems will be more closely integrated, using platform automation and agentic AI to take actions at scale while being safe and predictable.
For smaller security teams with limited resources, what practical first steps can they take to improve remediation and resilience?
Start with patch automation. Introduce automation early – especially when you have limited resources – and integrate security into it from the start. This is the simplest step which already greatly decreases exposure to the automated scans that attackers use.
Thank you for the great interview. Readers who wish to learn more should visit Mondoo.