Aqua Security Bets Big on Runtime—Because Scanning Alone Isn’t Cutting It

I’ve been covering Aqua Security since the company was founded. Back then, DevOps was just hitting mainstream, containers were still the new shiny thing, and securing cloud native workloads at runtime felt like a bleeding-edge idea.

Fast forward 11 years, and the market has finally caught up. Aqua just announced a pretty big transformation—new CEO, restructured operating model, sharpened focus—and I had a chance to sit down with new CEO Mike Dube and COO Matt Richards to talk about what’s going on.

The short version: stop trying to be everything to everybody.

The Noise Problem

If you’ve walked the floor at RSA in the last few years, you’ve heard the same pitches with slightly different buzzwords. Comprehensive visibility. Shift left. AI-powered everything. Every vendor says they’re a platform, and every platform says it does it all.

CISOs are stacking platforms on top of platforms, each generating alerts that someone has to triage. Dube has a pretty pointed take on this. The big CNAPP concept was supposed to simplify security, but companies trying to be excellent across every quadrant can’t pull it off. They end up acquiring and bolting together technologies, and the customer experience suffers.

Meanwhile, the underlying problem is getting worse. More than 48,000 new vulnerabilities were cataloged last year, growing at roughly 20 percent annually. The time to exploit has gone from hours to minutes. AI-assisted development keeps accelerating how fast code ships, which means more security gaps than any team can reasonably manage.

Going Back to the Core

What Dube described to me is basically a company that was ahead of its time and is circling back to what made it relevant in the first place. Aqua was built on the idea of preventing bad things from happening in production workloads. That mission got diluted over the years as the company chased innovations the market wasn’t ready for.

“It’s very rare that you have an 11-year-old company where that core competency is actually more relevant 11 years from its inception than it was when it first came to market,” Dube told me. He’s not wrong. Most companies ahead of their time don’t survive long enough for the market to catch up.

Aqua has survived, and the bet is that their deep runtime expertise—built on an agent-based architecture they never abandoned even when the market favored agentless—gives them an edge newer entrants can’t replicate overnight.

The Chicken Finger Strategy

During our conversation, I made an analogy that seemed to land. There’s Taco Bell, which keeps adding things like French fries and fried chicken to the menu. Then there’s Raising Cane’s, which sells chicken fingers. Period. That’s it. No sandwich. No bowl. Just chicken fingers. And they’re really good.

Dube ran with the notion of Aqua just doing “chicken fingers” and making sure they’re the best damn “chicken fingers” on the market. “We’re going to focus on the engineering of our products so that we do no harm in your environment. And we’re going to take that engineering expertise and push it closer out to the customers to help them on the journey, because the complexity of what these environments bring to a customer is so great that they need help.”

That pretty much sums it up. Aqua doesn’t want to be the platform that does everything at a B-minus level. They want to be the deep partner for cloud runtime security—the one you bring in to handle the stuff the platform can’t do well.

Why Architecture Matters

There’s a technical argument underneath the business strategy. Dube made the point that competitors sitting at the host level or using agentless approaches end up assembling what he calls “toxic combinations”—hypothetical risk scenarios based on incomplete data. The customer then has to validate those hypotheses, which just generates more noise and false positives.

Aqua’s architecture lives at the container layer itself, collecting runtime data from where applications actually run. That means they can see which vulnerabilities are genuinely reachable in production versus the 95 percent that exist in code that never actually executes.
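To make the reachability argument concrete, here is an added example (not Aqua's code or product logic) that splits scanner findings by whether any file from the vulnerable package was observed loading in a running container. The finding records, the `VULN-*` placeholders, the image names and the runtime event format are all constructed for illustration.

```python
from collections import defaultdict

# Constructed scanner output: one record per (image, package, vulnerability).
FINDINGS = [
    {"image": "shop-api", "package": "libxml2", "vuln": "VULN-A",
     "files": ["/usr/lib/libxml2.so.2"]},
    {"image": "shop-api", "package": "imagemagick", "vuln": "VULN-B",
     "files": ["/usr/bin/convert", "/usr/lib/libMagickCore.so"]},
    {"image": "shop-api", "package": "openssl", "vuln": "VULN-C",
     "files": ["/usr/lib/libssl.so.3"]},
    {"image": "batch-job", "package": "libxml2", "vuln": "VULN-A",
     "files": ["/usr/lib/libxml2.so.2"]},
    {"image": "batch-job", "package": "legacy-tool", "vuln": "VULN-D",
     "files": []},  # package shipped without a file manifest
]

# Constructed runtime events in a hypothetical "image event path" format.
RUNTIME_LOG = """\
shop-api exec /usr/bin/python3
shop-api open /usr/lib/libssl.so.3
shop-api open /usr/lib/libxml2.so.2
batch-job exec /usr/bin/sh
batch-job open /etc/passwd
"""

def loaded_paths(log):
    """Return {image: set of file paths seen executing or opening at runtime}."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and parts[1] in ("exec", "open"):
            seen[parts[0]].add(parts[2])
    return seen

def triage(findings, log):
    """Bucket findings per image: loaded, not_loaded, or unknown (no evidence)."""
    seen = loaded_paths(log)
    buckets = {"loaded": [], "not_loaded": [], "unknown": []}
    for f in findings:
        key = (f["image"], f["vuln"])
        if not f["files"]:
            # Without a file list nothing can be proven; never silently drop it.
            buckets["unknown"].append(key)
        elif seen[f["image"]] & set(f["files"]):
            buckets["loaded"].append(key)
        else:
            buckets["not_loaded"].append(key)
    return buckets
```

The same vulnerability lands in different buckets for different workloads, which a static scan alone cannot show; file-level loading is a coarser signal than code-path reachability and only covers the window in which events were collected.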

New Leadership, Same Mission

Aqua brought in Dube as CEO alongside CTO Nir Makovski, and they’ve made internal moves that say a lot about priorities—promoting their customer success VP to chief customer success officer, elevating their North America sales lead to CRO, and shifting the former CMO into a COO role. A new CFO and CHRO round things out. The thread running through it all is customer proximity—getting Aqua’s technical expertise closer to customers and helping them operationalize these tools rather than just selling licenses and walking away.

The Bet

The cloud security market is trending toward consolidation, and being a focused player is always a tough lane. But Dube is betting that security leaders are tired of platforms generating mountains of findings without actually reducing risk. In a market where everyone uses the same buzzwords, a company that can clearly say what it does—and what it doesn’t—might actually stand out.

I find this strategy encouraging. I have been saying for years that the industry needs vendors willing to go deep rather than wide. Ask Aqua what they do, and the answer is simple: they protect their customers’ most critical applications when it matters most—when they’re running in production. That’s it. Chicken fingers.

Tony Bradley: I have a passion for technology and gadgets and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 3 dogs, 5 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.