ITTech Pulse Exclusive Interview with Scott Kuffer, Co-founder and Chief Product Officer, Nucleus Security
Scott Kuffer, Co-Founder & CPO of Nucleus Security, in an exclusive ITTech Pulse interview, explains how exposure management and data normalization help teams cut through noise and prioritize real risks.
You co-founded Nucleus Security in 2019 and recently transitioned to Chief Product Officer in July 2025 – what inspired this shift from COO to CPO, and how do you see your role evolving the product roadmap?
I’ve always been the product founder at Nucleus, but in a startup, you have to be willing to do more than one job. As COO, my focus was on the sprint to product-market fit, tightening the feedback loops between marketing, sales, and engineering. That tight iteration cycle is what I attribute to a lot of our early success and innovation.
As we scaled and brought in world-class leaders to manage the business operations, I realized my highest impact would be returning to my roots. My shift to CPO is about accelerating our next generation of innovation, specifically moving beyond traditional vulnerability management into “exposure management” and leading our AI strategy to stay ahead of shifting attack patterns.
What was the defining moment when you realized you were building something that could fundamentally change how enterprises approach vulnerability management at scale?
I was hooked the moment my co-founder, Steve, showed me the prototype. Having worked in defense, I saw agencies repeating the same manual mistakes everywhere; I knew we had to build this, or we weren’t doing our part for cyber defense.
The “lightning in a bottle” moment came in early 2019. Before we even had a website, a large national utility company tracked us down through a mutual contact to buy the software. We hadn’t even launched, yet they were determined to get their hands on it. That was the moment I went from thinking “this is cool” to “this is really big.”
You consolidate vulnerability data from 160+ scanners into one platform. What is the hardest challenge enterprises face when trying to unify all that vulnerability intelligence?
I like to say that the problems that Nucleus solves are a product leader’s worst nightmare. It is all the notoriously hardest enterprise challenges: mass integration, big data, workflow automation, specialized BI, and project management. Each of those is a multi-billion-dollar category on its own. To make vulnerability management (VM) work, you have to do all of them simultaneously.
The hardest part isn’t just the 200+ integrations; it’s the lack of a normalized source of truth. We inherit every bug, inconsistent risk rating, and data quality issue from upstream vendors. Truly understanding what that data means, then correlating it over time across assets, patches, and mitigations, is a level of normalization that is generally unrealistic for a typical enterprise to achieve at scale. At Nucleus, we make this possible.
Nucleus raised $34 million in Series B funding in 2024, with In-Q-Tel joining as an investor. What does government sector momentum mean for your product roadmap and go-to-market strategy moving forward?
Our roots are in defense, and our partnership with In-Q-Tel reinforces that exposure management is now a national security priority, not just an enterprise headache. We built Nucleus for the mission, and our FedRAMP-authorized status confirms our commitment to that defensive standard. By partnering with critical agencies to solve their most sophisticated challenges, we’re able to bring those “battle-tested” capabilities directly into our commercial product. This creates a unique roadmap where the high-stakes requirements of the public sector drive the innovation and scale that our largest global enterprises now demand.
In February of this year, we announced a $20 million Series C funding round led by Delta-v Capital. This investment reinforces what our customers already know: security teams need speed, clarity, and real outcomes, not more data. We’re helping organizations cut through the noise, prioritize the risks that matter most, and reduce exposure faster in today’s cloud- and AI-driven environments.
The vulnerability management space is crowded. How do you differentiate Nucleus in a market with established players, and what makes your approach to risk-based vulnerability management different?
While the space seems crowded on paper, the reality on the ground is very different. Most current vendors existed when we started Nucleus, and frankly, my co-founders and I didn’t launch a startup because we wanted to be the next Steve Jobs. We did it because not a single tool addressed the actual pain we were experiencing in the trenches. Today, there are still only a few players truly in our space, and most of them are simply trying to copy our approach because they lack that foundational perspective.
A lot of the confusion comes from the term “Vulnerability Management” itself. Traditionally, vendors in this category were really just “Discovery” tools focused narrowly on CVEs, which misses the entire context of a remediation workflow for cloud or software development. We differentiate Nucleus by providing an end-to-end capability: a true “operating system” for vulnerability management. We treat the entire lifecycle as a holistic business process rather than a siloed technical task, a philosophy we’ve been leading the charge on while the rest of the industry is just beginning to catch up.
You recently published “Stop Blaming CVSS: The Real Problem in Vulnerability Management is Us.” What’s the hard truth about CVSS and vulnerability prioritization that the industry needs to hear right now?
This was my first blog post to ever go viral, so thank you for bringing it up [laughs]. The inspiration for that piece was the constant cycle of complaints I see on LinkedIn regarding CVSS. The hard truth is that almost no one is actually using CVSS the way it was designed, yet the entire industry blames it for not being a “perfect” out-of-the-box algorithm. CVSS provides a transparent, high-quality framework, but it was never intended to be a replacement for internal risk analysis.
I see our industry investing billions of dollars in a search for better prioritization algorithms as a form of avoidant behavior. We are collectively obsessed with finding a magic number so we can avoid the difficult, manual work of collecting the right internal data to implement a real risk-scoring model.
Ultimately, your prioritization isn’t failing because of CVSS; it’s failing because you haven’t dedicated the time, resources, or process changes required to operationalize it. We are contributing to a vicious cycle of bad press that threatens mission-critical programs like the NVD. There is no one-size-fits-all score, and real progress only happens when you stop looking for a shortcut and start doing the hard work of data normalization.
How are you thinking about the intersection of cybersecurity resilience and AI safety – especially as enterprises increasingly rely on AI-driven exposure management?
I think about AI safety much like physical security. We have huge amounts of automation in our daily lives, and AI is essentially “autonomous automation.” To build resiliency, we have to borrow concepts like “Fail Open”. If the power goes out in a skyscraper, the doors must fail open so people can reach safety.
So, in the context of exposure management, it is irresponsible to proceed with large-scale automation without analyzing the negative implications. In the short term, I’m most excited about using AI to infer truth from poor data quality. Feeding that into existing patch management systems balances the high upside of AI with limited operational risk.
Looking at the landscape now, where do you see the biggest untapped opportunity for Nucleus and the broader exposure management space?
It’s a very exciting time to be in exposure management. Our space is undergoing a resurgence of popularity. From our perspective, our vision has never been clearer; it’s about execution. We’re looking hard at connecting exposure management to the business. So traditional VM processes will become one and the same with business/engineering processes.
But of course, I have to say AI exposure management, don’t I? [chuckles]
Thank you, Mr. Scott, for taking the time to share your insights with us.
Scott Kuffer is co-founder, COO & CPO of Nucleus, operating as a hands-on technical executive, building and managing the security software aimed at optimizing the vulnerability management process. Prior to founding Nucleus, Scott was a Security Engineer at Rampant Technologies, providing security, systems, and software engineering services to the Federal Government. Scott holds a Master’s of Cybersecurity Management and Policy from Embry-Riddle Aeronautical University.
Transforming vulnerability and exposure management programs, Nucleus helps enterprises and government agencies unify asset, vulnerability, and threat data to automatically prioritize and mitigate critical exposures, at scale.