
Cybersecurity has a prioritisation problem, and Hackuity wants to fix it

Hackuity co-founder and Chief Revenue Officer Pierre Samson

As cyber threats grow more sophisticated and enterprise attack surfaces expand, vulnerability management (VM) is under increasing strain, especially in fast-digitising regions like Southeast Asia (SEA).

Hackuity, a France- and Singapore-based cybersecurity startup, is positioning itself at the forefront of this shift with its take on risk-based vulnerability management (RBVM). Co-founder and Chief Revenue Officer Pierre Samson argues that the real challenge today is no longer detecting vulnerabilities, but knowing which ones actually matter.


In this interview, Samson shares how Hackuity’s platform moves beyond the traditional common vulnerability scoring system (CVSS) to deliver context-driven prioritisation through its proprietary true risk score (TRS). He also discusses how operating across Europe and SEA shapes the company’s product, go-to-market strategy, and partnerships, as well as how enterprises can overcome internal resistance to security transformation. From MSSP-led adoption models to the future of continuous threat exposure management, Samson offers a grounded view of how organisations can cut through the noise and focus on real risk.

Hackuity is described as “reinventing RBVM.” What key insight or moment made you decide traditional VM needed a full rethink, and how does Hackuity’s approach differ in practice?

The turning point was seeing security teams overwhelmed by data they couldn’t act on. Today’s organisations face over 200,000 CVE (Common Vulnerabilities and Exposures) entries, run 10-15 scanners, and generate millions of alerts; yet 80 per cent of successful attacks exploit vulnerabilities disclosed years ago. The issue isn’t detection, it’s prioritisation.

Traditional vulnerability management relies heavily on CVSS, which measures intrinsic severity but lacks context. A “critical” score says nothing about exploitability, asset importance, or real-world threat activity. The result is a constant backlog of “critical” issues that paralyses teams.

Hackuity set out to fix this by building a vulnerability operations centre (VOC) platform. Instead of adding another scanner, we aggregate data from existing tools, normalise it, and apply risk-based prioritisation.

The goal is simple: help teams know what to fix first, and why.

Hackuity’s TRS sounds central to your value proposition. How does TRS work and reduce triage overload, and how do customers validate its accuracy within their business context?

TRS is our core prioritisation metric, combining three dimensions into a score from 0 to 1000:

  1. Vulnerability score: Based on CVSS, reflecting technical severity
  2. Threat score: Measures real-world exploitability using signals like exploit maturity, EPSS, CISA KEV, and threat intelligence
  3. Asset score: Accounts for business context—criticality, exposure, protections, and potential blast radius

The model is multiplicative, not additive. A severe vulnerability with no exploit activity scores far lower than one under active attack. This ensures prioritisation reflects real risk, not theoretical severity.


In practice, TRS highlights the top 0.1-5 per cent of findings that truly matter. Many customers adopt a simple goal: eliminate all TRS-critical issues. Because “critical” is rare and meaningful, it’s achievable.

Importantly, TRS is fully transparent. Customers can see every input and tune parameters, such as asset criticality, to reflect their environment. This tunability is how organisations validate its accuracy.
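The three-factor, multiplicative scoring model described in the answer above can be illustrated in code. What follows is an added, simplified example written for this page; it is not Hackuity’s TRS implementation, and the weights, exposure and mitigation factors, band thresholds, and the sample findings are all assumptions chosen to show the behaviour Samson describes: a CVSS 9.8 finding with no exploit activity on an internal asset lands at the bottom of the queue, while a CVSS 7.5 finding that is in CISA KEV and exposed on a critical asset rises to the top, and a compensating control on the asset pulls the same finding down.

```python
from dataclasses import dataclass, replace


@dataclass
class Finding:
    """One vulnerability on one asset, with the context inputs a
    risk-based scorer needs (all values constructed for this example)."""
    name: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    exploit_maturity: str  # "none", "poc" or "weaponized"
    asset_criticality: int # 1 (lab box) .. 5 (crown jewel); tunable by the customer
    internet_exposed: bool
    mitigated: bool        # compensating control (WAF rule, isolation) in place


# Assumed weights: how much an exploit-maturity level contributes on its own.
EXPLOIT_MATURITY_WEIGHT = {"none": 0.05, "poc": 0.5, "weaponized": 1.0}

# Assumed band thresholds on the 0-1000 scale.
BANDS = [(700, "critical"), (300, "high"), (50, "medium"), (0, "low")]


def vulnerability_score(f: Finding) -> float:
    """Intrinsic severity: CVSS rescaled to 0-1."""
    return max(0.0, min(f.cvss, 10.0)) / 10.0


def threat_score(f: Finding) -> float:
    """Real-world exploitability: KEV membership is treated as certain,
    otherwise take the stronger of EPSS and exploit maturity."""
    if f.in_kev:
        return 1.0
    return max(f.epss, EXPLOIT_MATURITY_WEIGHT[f.exploit_maturity])


def asset_score(f: Finding) -> float:
    """Business context: criticality, scaled down for internal-only assets
    and for assets with a compensating control."""
    score = f.asset_criticality / 5.0
    score *= 1.0 if f.internet_exposed else 0.6   # assumed exposure factor
    score *= 0.5 if f.mitigated else 1.0          # assumed mitigation factor
    return score


def true_risk_score(f: Finding) -> int:
    """Multiplicative combination on a 0-1000 scale: any factor near zero
    drags the whole score down, which is the point of the model."""
    return round(1000 * vulnerability_score(f) * threat_score(f) * asset_score(f))


def band(score: int) -> str:
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "low"


def prioritise(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Return (name, score, band) sorted so the first item is what to fix first."""
    scored = [(f.name, true_risk_score(f), band(true_risk_score(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def explain(f: Finding) -> dict:
    """Expose every input the score was built from, so a sceptical analyst
    can see why a 'critical' CVSS finding ranks low (or vice versa)."""
    return {
        "name": f.name,
        "vulnerability": vulnerability_score(f),
        "threat": threat_score(f),
        "asset": asset_score(f),
        "trs": true_risk_score(f),
    }


# Constructed sample findings (placeholder names, not real CVE identifiers).
SAMPLE = [
    Finding("internal-cvss98-no-exploit", 9.8, 0.02, False, "none", 3, False, False),
    Finding("edge-kev-critical-asset", 7.5, 0.90, True, "weaponized", 5, True, False),
    Finding("edge-kev-critical-asset-mitigated", 7.5, 0.90, True, "weaponized", 5, True, True),
    Finding("internal-poc-low-value", 5.0, 0.30, False, "poc", 2, False, False),
]

# Tuning example: the customer downgrades the criticality of one asset.
TUNED = replace(SAMPLE[1], asset_criticality=2)

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
    print(explain(SAMPLE[0]))
    print("after tuning criticality to 2:", true_risk_score(TUNED))
```

Run as a script, the queue comes out with the KEV-listed, internet-facing finding on the crown-jewel asset first and the CVSS 9.8 finding last; `explain()` prints the three factors behind each score, which is the kind of transparency the answer above says converts scepticism into trust, and `TUNED` shows how changing one asset parameter moves the result.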

You operate out of Singapore and France—how does being bi-regional influence your product roadmap, go-to-market (GTM) strategy, and talent hiring, especially for serving SEA enterprises?

Being bi-regional is a strength. It exposes us to diverse regulatory and operational realities.

On the product side, European customers prioritise data sovereignty and GDPR compliance, often requiring on-premise deployments. SEA enterprises operate under different frameworks and tend to have more fragmented tool stacks. This pushes us to offer flexible deployment models (SaaS, on-premise, hybrid) and remain vendor-neutral.

GTM strategies also differ. In Europe, we focus on direct enterprise sales and MSSP partnerships. In SEA, a partner-first approach is essential due to market diversity. We established our APAC headquarters in Singapore, earned IMDA certification, and actively engage with the local ecosystem.

From a talent perspective, having teams in both regions ensures we build for real-world workflows, not theoretical models.

RBVM and automation can meet organisational resistance from security, IT ops, and dev teams. How do you drive adoption and change management inside large enterprises?

Resistance is common and usually comes from three groups:

  1. Security teams wary of new layers
  2. IT ops concerned about workload
  3. Leadership seeking visibility

We address this through three principles.

First, we integrate with existing tools — no rip-and-replace. Hackuity connects to over 100 solutions, so teams retain their trusted systems.

Second, we deliver role-specific value. CISOs get board-level insights, analysts get prioritised queues, and IT teams receive enriched tickets via integrations like Jira or ServiceNow.

Third, we prioritise transparency. When users question scoring differences, we show them exactly how TRS works and allow tuning. This often converts scepticism into trust.

A common outcome: after running Hackuity alongside existing processes, teams realise a large portion of their effort was spent on low-risk issues. That insight changes internal priorities quickly.

Hackuity integrates with many third-party tools and data sources. How do you balance prioritising new connectors vs deeper integrations (e.g., remediation orchestration), and what integration has delivered the biggest ROI so far?

Coverage comes first. Enterprises often run dozens of tools, so a platform must integrate broadly to be useful. We maintain all connectors ourselves to ensure reliability.


At the same time, we are investing in deeper integrations, particularly around remediation orchestration. This includes enriched ticketing, SLA tracking, and feedback loops that automatically update exposure status.

The highest ROI consistently comes from ITSM integrations like ServiceNow and Jira. These turn vulnerability data into actionable tasks, accelerating remediation without manual triage.

For SEA firms that are often resource-constrained, what pricing/packaging, onboarding, or managed-service models have you found most effective to accelerate adoption?

The challenge in SEA is clear: smaller teams facing the same volume of vulnerabilities. The solution is not simplification, but faster time-to-value.

Effective models include:

  • SaaS deployment for quick onboarding with minimal infrastructure
  • MSSP-led services, where partners provide operational capacity using Hackuity
  • Asset-based, scalable pricing, allowing organisations to start small and expand over time

Onboarding focuses on rapid proof-of-value. By connecting a few scanners in the first week, teams can immediately see how TRS reshapes their risk landscape. This drives internal buy-in.

For MSSPs, our multi-tenant platform enables centralised management of multiple clients, making it ideal for scaling across the region.

The vulnerability landscape is evolving fast (cloud, IaC, supply chain). How do you foresee vulnerability management changing over the next three to five years, and how is Hackuity preparing for those shifts?

Three trends are shaping the future:

First, the attack surface is expanding rapidly — across cloud, containers, IaC, and AI-generated code. Traditional scanner-centric approaches won’t scale. The future lies in unified risk layers that aggregate and prioritise across all environments.

Second, AI is transforming both attack and defence. Attackers can identify and exploit vulnerabilities faster, while defenders can move toward predictive risk management. Hackuity is investing in this through initiatives like VulnHubIntel, a privacy-preserving intelligence hub that enables cross-organisation insights using techniques like federated learning.

Third, continuous threat exposure management (CTEM) is becoming the standard. Organisations are shifting from periodic scans to continuous monitoring. Hackuity’s VOC model — always-on aggregation, scoring, and prioritisation — is designed for this shift.

Security startups sometimes face trust and credibility barriers. How do you build trust with prospects and customers (e.g., audits, certifications, references), and what’s been the most effective signal?

Trust comes from evidence.


We demonstrate this through certifications such as SOC 2 Type II and IMDA accreditation, as well as GDPR compliance. We’ve also gained industry recognition, including Forrester’s UVM landscape and multiple awards.

However, our strongest differentiator is transparency. TRS is fully explainable; customers can inspect every input and challenge every output. This contrasts with opaque “black-box” approaches in the market.

Ultimately, the most effective trust signal is a live proof-of-concept. When customers see TRS applied to their own data and recognise its accuracy, that’s when trust is established.

The post Cybersecurity has a prioritisation problem, and Hackuity wants to fix it appeared first on e27.
