Very few people in the cybersecurity industry do not know, or know of, Bryson Bort. Yes, he’s the CEO/Founder of SCYTHE, but he’s also the co-founder of ICS Village (the next one at RSA Conference from April 28 to May 1, 2025). This event, and all of our industry’s attention on critical infrastructure, is pivotal as it often comes down to a life-threatening situation if something were to go wrong. Read on for more about Bort, why he started SCYTHE, how that led him further down the ICS path, and be sure to check out ICS Village at RSAC.
Q. Tell me about SCYTHE, what it does, and why you started it–and why the industry needs the offerings it provides.
A. I started an offensive cybersecurity consultancy called GRIMM in 2013 after leaving the government. In 2016, Target came to us with a request to build a custom implant. I love the story of Target: their breach in 2013 created the modern cybersecurity ecosystem of organizational investment and market innovation we all enjoy now. Instead of it being a consulting project where we build a tool that trains their defense and we have to build another later, I proposed a platform that would allow you to scale any threat behavior that could ever exist on your terms—and SCYTHE was born.
I realized I couldn’t do it alone and Ron Gula and Dmitri Alperovitch helped me raise and launch the company. The concept is simple: once a threat has breached you, they can only: 1) communicate with the protocols already in your environment to blend, 2) execute on computers you already have, 3) capabilities; only do so many things to accomplish their goals on those hosts. SCYTHE is an offensive box of Legos of communications and capabilities that allow you to no-code create anything a threat might do in your organization. This is key.
Cybersecurity is “hard” because it has to be yours. No one else can give the expert prescription at a distance for the right preventative and detective controls for you. Security is defined by the threat; it’s the only measurement that matters. Our platform allows companies to easily drive that understanding safely and easily across all teams with recommendations.
Q. SCYTHE is not your first endeavor as an entrepreneur. Please tell me about your entrepreneurial journey and what advice you might give to would-be entrepreneurs.
A. When I founded GRIMM, I learned that it’s not the idea you start with, but the agility to pivot. Which we first did by moving from specialized government work to commercial. When Target approached me in 2016 to help them build custom red team tooling, I realized it was a possible product and asked to keep the intellectual property while co-developing what became the SCYTHE platform with them for two years. Along the way, I realized I knew absolutely nothing about commercial software sales and development which is why I reached out and expanded my network to learn. This led to Gula and Alperovitch helping me spin out SCYTHE from GRIMM. Then, I learned the hard lesson of Total Addressable Market (TAM). We were building a red team tool, there is no red team market; it’s a $3B market of in-house or outsourced experts with little budget beyond. So, we looked at how we could make it valuable outside of that scope and it’s why we were one of the leading initial proponents of purple teaming.
There are three key qualities to an entrepreneur (and being the smartest is not one of them!): risk tolerance, risk and reward of living or dying based on what you can do, and tolerance for pain. You are the chief executive officer (CEO) and the janitor for everything it takes to run this new endeavor.
Q. How did you first get interested in cybersecurity? Why is it such a passion for you?
A. Ever since I was little, I had a penchant for technology. I was able to take things apart, put them back together (most of the time), and personally explore the increasing involvement of computers in our lives. I wanted to understand the ins and outs of MS-DOS; I programmed complex games on my graphing calculator for fun when we had to use them in high school; and I wanted to break the protections on games so I could modify them to make them more interesting. “Cybersecurity” when I worked in information security as a cadet at West Point pretty much consisted of running around with golden disks whenever a virus struck, or patches needed to be rolled out and it wasn’t much more complex when I was an Army Officer.
My passion for cybersecurity comes from a lifelong passion for service and protection. Cybersecurity isn’t an esoteric nerd thing: it is the regular people trying to live their lives and be able to manage money; it is local schools, hospitals, and towns trying to provide a good quality of life for their citizens.
Q. Tell me why the intense focus on industrial control systems (ICS) and why you co-founded ICS Village. It seems the focus on this has accelerated significantly in the last five years. Why?
A. Most people only know industrial control systems as “Stuxnet” and, even then, with a limited idea of what exactly that means. These are the computers that run critical infrastructure, manufacturing plants, and dialysis machines in hospitals. A bad day with normal computers means ransomware where a business can’t run, espionage where a company loses valuable data, or a regular person getting scammed out of their bank account. All pretty bad, but at least everyone is still breathing. With ICS, a bad day can mean loss of life or limb and that’s just at the point of use. The downstream effects of water or electricity being disrupted sends us to the Stone Ages immediately and there is a direct correlation to loss of life in those scenarios.
I co-founded the ICS Village, a non-profit 501c3 with a mission to educate and build awareness for critical infrastructure security, with Tom VanNorman in 2017 because we both believe something needs to change. And for years, no one really cared. Then, Oldsmar happened (ironically, nothing actually happened, but it still got the right attention) and we had been demonstrating that attack for years on our custom-built water plant (pictured above). Then, Colonial Pipeline was the real game changer. As I wrote in a USA Today op-ed with Dr. Paul Rosenzweig, you definitely get the attention in a hydrocarbon-based (gas) economy where disruption affects daily life.
Q. Many career cyber folks can get myopic by only applying security solutions to the problems security practitioners face. Your approach is perceived as building a community that embraces security far beyond the industry. What makes this important?
A. Together we will succeed, individually we will continue to struggle and fail.
Q. What is the best advice that you’ve ever been given?
A. The Law of N which is derivative of Dunbar’s Number, the limit of the number of people with which you can maintain good social relationships. The military is built on the organizational concept of squads, 4-10 soldiers, which allows the agility to respond to a rapidly changing environment with a cohesive team with the capability to drive those changes. Then, the unit scales up into platoons, companies, battalions, etc. As an officer, you learn how to manage at different echelons for a greater impact.
As an entrepreneur, it’s the same and the Law of N is the variable number of people that you can lead where you personally have a visible impact on their daily requirements. The second you hit N+1, it is another leader below you in the chain who now has that impact. In summary: 1) you can’t do it alone, being an individual contributor (no matter how talented) is never going to be as impactful as a squad/team; 2) the structure you build is going to dictate the success or failure of the execution of your ideas; and 3) you have leadership limits of what you can control.
Q. Finally, you do a lot of work and coaching with students and future cyber leaders. What advice do you specifically have for them?
A. You are the next generation; you are the ones who are gonna pick up the mantle. Don’t fear AI. Humankind over and over again has had tools that disrupt, but with critical thinking and lifelong learning, you’ll master anything that comes, and you’ll still be in charge of it. Our society is growing increasingly dependent on you.
Cybersecurity is not just this thing where we can debate what’s happening in Ukraine; it’s happening here with multiple nations and bad actors all over the world trying to ruin our lives daily. They don’t care that you don’t work for the military or at the NSA; you and American citizens are fair game. You are the front lines where they’re attacking our schools, our cities, our homes, our hospitals. So, whether you do it on behalf of the government or not, you are the future of our national security.
