Ex-Military Cyber Experts To Take Game-Changing $1.5 Billion Startup Public

Afghanistan war vet Jason Crabtree is CEO and cofounder of QOMPLX, the cybersecurity unicorn set to go public via a SPAC.

Tysons Corner in Virginia is exactly what you expect a city on the edge of the Beltway to be: full of gray high rises and opaque windows, cars dopplering along the freeways, pedestrians quietly making their way to nondescript workplaces where companies carry out all manner of wild technological missions for the U.S. federal government and armed forces. 

Inside one of Tysons’ mirrored monoliths sits Jason Crabtree. The CEO and cofounder of QOMPLX, a $1.4 billion-valued cybersecurity startup with $96 million in revenue, could’ve disappeared into the world of government contracting like so many here do, supporting the military-intelligence complex without the attention or fanfare they might have received in Silicon Valley or New York. But the 35-year-old ex-military cyber operative and Afghanistan war vet is a scruffier, scrappier outlier compared to the other chief executives down the road. And he has big ambitions. He wants to not only give government agencies cyber tools that could be used to go on offense and play defense, he also wants to protect the private industry from catastrophic attacks. Even John Q. Public will be able to fight off everyday data thieves using a free tool that detects vulnerabilities on the world’s most popular websites. “Our goal as a business is how do you actually go secure the economy,” he says.

To speed that process, QOMPLX is joining the stampede of companies skipping the IPO process and joining the New York Stock Exchange via a special purpose acquisition company (SPAC) merger with Tailwind Acquisition, the blank check company formed by Casper CEO Philip Krim. In preparation for the listing expected to land this week, QOMPLX announced three acquisitions in March alone: insurance cybersecurity specialist Tyche, digital defense and intelligence supplier Sentar Inc. and DARPA contractor Hyperion Gray. Its growing roster of advisors and board members includes Dan Geer, chief of information security at the CIA’s investment arm In-Q-Tel. Also onboard: Chris Krebs, the former director of the DHS Cybersecurity and Infrastructure Security Agency, famously fired by President Donald Trump via Twitter after his election tampering investigation found no effective interference in the 2020 vote. QOMPLX, which claims it can apply AI to its datasets to predict, detect and defend against the attacks that too easily make it through the legacy barriers, is heading towards offering what the industry calls “full spectrum cyber,” whereby it promises to help clients with their diverse security needs, with tools that can be used to both attack and defend, leaning on the specialist skills of its “elite” staff. Already, the company offers extended product integration through partnerships with top tech companies including AWS, IBM, Twitter, Stripe and Slack. QOMPLX is on the path to partial or full competition with all manner of cybersecurity heavyweights, old and new, from IBM and Booz Allen Hamilton, to $9 billion-valued Tanium.

It’s not a bad time to be a more aggressive cyber startup. For decades, Cassandras have warned about the dangers of a hyperconnected world where hackers can not only steal people’s most sensitive data, but turn off power supplies or poison water plants. Now the Biden White House is building a cyber security team to accompany its recent order to improve cybersecurity. Yet the U.S. government is flailing for answers to the questions being posed by Russian hackers whose ransomware caused Colonial Pipeline to shut down its pipes and spies who broke into federal agencies’ emails in the infamous SolarWinds attacks, two of myriad major breaches of the last year. Security companies have simultaneously hyped the threat and failed to stop the rise of increasingly destructive attacks. That failure has left the door open to those with bigger and braver ideas for securing infrastructure. And with calls for the military to start attacking ransomware groups, contractors can make hay from the need for more advanced digital weapons.

Crabtree, a former special advisor to the commanding general of the U.S. Army Cyber Command, quit the Defense Department in 2014 and, with former Air Force agent and Iraq war vet Andrew Sellers, cofounded what was then Fractal Industries. They changed the name to QOMPLX as part of a 2019 near-$80 million Series A, led by tech-focused investment company Motive Partners and Cannae Holdings, an investment firm that claims over $1 billion in assets. They sought to fill a gap that typical contractors had missed: collecting and analyzing masses of data spewing out of a given organization’s network, combining it with information on threats from across the web, to look for any anomalies or vulnerabilities and, using artificial intelligence, present the information in a useful way to a human, helping them make decisions along the way. It promises to do so faster than competitors, helping clients find potential risks before hackers do. “You can actually build a better picture of what the hell is happening on your network and what’s happening on the internet. And we didn’t see the Beltway bandits doing it,” says Crabtree. It also developed a specialization in defending the Active Directory, a store on IT networks where the keys are held to each portion of a company’s network. “It is the single most important computer in the network,” Crabtree notes. He claims major clients include PC giant Dell, Fidelity National Financial and insurance provider Lloyd’s of London.

Setting it apart as a Beltway outlier, QOMPLX is happy to talk about how its technologies could be used by its government clients for both defensive and offensive hacking operations. Crabtree, who claims NSA and US Cyber Command as customers, admits that his startup’s software could be used for the military’s foreign missions to compromise adversaries’ computers, even if its primary mission is defense. “Would an offensive security team use our tools to go identify vulnerable websites? Yep. Could they use that to identify potential targets, if they’re a bad actor? Absolutely.” He clarifies that the company isn’t selling its hacking tech, which the company sees as “neither inherently offensive or defensive,” to authoritarian regimes. QOMPLX deepened its ties to the U.S. military and intelligence agencies with the purchase of Sentar, an Alabama cyber intelligence company that claims multiple multi-million contracts with the DOD, and with the recent recruitment of Brian Hale, a former director of the Office of the Director of National Intelligence and assistant director of public affairs at the FBI.

Alejandro Caceres, QOMPLX’s director of computer network exploitation, created PunkSpider in the mid-2010s to highlight bad security practices across major websites.

But QOMPLX isn’t going to limit itself to protecting its paying clients. Timed with the move onto the public market, QOMPLX is doing something rare in the Beltway: it’s releasing an entirely free tool for the public dubbed PunkSpider, a browser extension that will alert a user if a website they’re visiting contains a weakness that might put them in danger. Marketed as “a Google for the broken web,” the pro bono PunkSpider project promises to help expose websites failing to protect users. Originally the creation of Alejandro Caceres, cofounder of Hyperion Gray, PunkSpider didn’t take off when it launched back in the mid-2010s. Now rebooted after QOMPLX acquired Hyperion Gray, it has all the compute power Caceres could want to test the world’s most popular websites on a regular basis. Caceres, 36, now QOMPLX’s director of computer network exploitation, is even less corporate and more pugnacious than his new boss when it comes to calling out businesses failing to protect their users. He showed Forbes how the new PunkSpider has already found glaring weaknesses in major websites, including crowdfunding site Kickstarter. Pointing out a vulnerability in Lending Tree, he said, “I would kick my own ass if I was the security engineer on this website… websites are really complicated these days, and I don’t think it’s an accident that we are seeing really egregious vulnerabilities.” (Kickstarter and Lending Tree hadn’t provided comment at the time of publication.)

At the same time as helping the average internet user know whether or not they’re going down a “dark alley” on the web, Crabtree hopes it will publicly shame businesses into doing better. “Part of the reason why ransomware, as an example, is so rampant is because of unforgivable negligence in security programmes,” he says, adding that basic cybercrime is “enabled by this kind of shitty behaviour from corporations that are choosing not to invest in this.” Exposing such corporations will encourage better practices, he says. “Sunlight is the best disinfectant.”