Rebuilding AppSec from the Ground Up: A Conversation with Neatsun Ziv, CEO of OX Security

By Michael Matias, CEO of Clarity and Forbes 30 Under 30 alum

When Neatsun Ziv talks about cybersecurity, it comes from experience—not theory. As a former executive at Check Point who scaled business lines from sub-$1B to $2B+, and now as the co-founder and CEO of OX Security, he’s spent decades at the intersection of security innovation and scale. But if there’s one insight that defines his approach today, it’s this: most application security tools are still stuck in the past.

“Our industry rewarded noise,” Neatsun told me. “We used to say—3,000 vulnerabilities is good. 4,000 is better. But what did it really solve?” Developers would get flooded with alerts, most of them irrelevant, deprecated, or hitting non-production code. “You’d bring it to the developer, and they’d explain why none of these ‘critical’ issues matter. Then you’d run the numbers and realize entire teams were spending quarters chasing ghosts.”

That frustration—living between security teams demanding fixes and developers explaining why nothing needs to be fixed—is what sparked the founding of OX. Neatsun realized the problem wasn’t that developers didn’t care about security. It’s that the tooling gave them zero context and no prioritization.

“Security products were built for waterfall. But software today is agile. Code moves fast. Releases happen daily. You can’t throw a PDF report over the wall and expect anything to change.”

Instead of building a longer list of vulnerabilities, OX focuses on surfacing the one issue that truly matters—and proving why. That focus on provability is critical. “We had customers tell us, ‘You’re probably right—but I don’t believe you until I see the proof,’” Neatsun said. So OX started building in verifiability at every level—context, internet exposure, severity, exploitability—until customers could take the alert straight to their developers and get buy-in.

That mindset—of trust, clarity, and developer empathy—sits at the heart of what makes OX different. “We don’t want to be in your face,” he said. “We want to be native to your existing tools, CI/CD pipelines, and workflows. No new portals, no new friction.”

And yet, the external environment has shifted dramatically. Since 2023, the arrival of generative AI has opened a new set of threats—and changed the landscape of application development. “People are now building their own micro-apps using LLMs. Everyone’s a developer,” Neatsun said. That explosion of shadow code and agentic behavior will challenge every assumption about visibility, identity, and trust across the stack.

Where other AppSec solutions focus on legacy risk categories like hardcoded secrets or dependency scans, OX is preparing for a future where apps write apps, and where prompting—not programming—is the primary interface. “The problem shifts from SQL injection to prompt injection. From static code to dynamic agent behavior.”

But through all the changes, one thing stays constant: execution. “Momentum is everything,” Neatsun told me. “Customers need to feel like they’re winning with you. If you lose momentum, you lose the market.”

And that’s the lesson Neatsun believes most cyber entrepreneurs miss. “Differentiation matters—but only for 9–15 months,” he said. “If your only moat is tech, you’re going to get copied. And you’re going to lose.” The real moat? Understanding customer psychology, building trust fast, and delivering value that’s not just theoretical, but proven.

In the arms race between attackers and defenders, those who focus on outcomes—not features—will win.