The LinkedIn handle says it all. Not @chrish or @chrishughes-cyber. Just @resilientcyber. The brand grew past the name. That does not happen by accident - it happens when someone writes precisely, consistently, and without hedging for long enough that the audience stops thinking about the person and starts thinking about the problem.
Chris Hughes runs one of enterprise cybersecurity's most widely read newsletters from Virginia Beach, Virginia. He co-founded a Service-Disabled Veteran-Owned Small Business that does real security work for real government clients. He holds a VP title at a startup rethinking how enterprises govern their AI agents. He teaches graduate-level cybersecurity at two universities. He has five children. He still finds time to publish weekly. If you think any of this sounds like too much, he would probably just shrug and tell you the work matters.
"How can we possibly secure something if we don't even know how it works?"
- Chris Hughes, on software transparency and supply chain security
From the Air Force to the Front Lines of Software Security
Hughes' career started in uniform. An active-duty stint in the U.S. Air Force gave him the operational discipline that would later make his writing feel different from conference-circuit hot takes. After the Air Force, he moved into civilian federal work - cloud security and DevSecOps for the Navy and the Defense Health Agency - before landing at the General Services Administration, where he worked on the FedRAMP program that certifies cloud services for federal use.
FedRAMP shaped his thinking in ways that matter. Most security professionals operate inside a single company's blast radius. Working at GSA meant understanding how software risk propagates at national scale. When you spend years thinking about whether the cloud platform the entire federal government uses meets security thresholds, you develop a particular allergy to hand-waving.
That allergy became a newsletter. In 2021, Hughes launched Resilient Cyber on Substack - a weekly combination of practitioner analysis, policy commentary, and interviews with the people actually building and breaking enterprise software. By 2026, it had crossed 31,000 subscribers without a single viral tweet doing the work for it. Growth came from the writing being useful, full stop.
Co-Founding Aquia: When "Practitioner" Becomes "Principal"
Around the same time as the newsletter launch, Hughes co-founded Aquia Inc. - a cybersecurity and cloud services firm structured as a Service-Disabled Veteran-Owned Small Business. The SDVOSB designation is not ceremonial. It reflects both Hughes' Air Force background and a deliberate choice to serve defense and government clients who have specific contracting requirements. Hughes serves as both President and CISO of Aquia, which has grown to roughly 70 employees.
Running a security consultancy while building a media platform would be enough for most people. Hughes added adjunct professorships at Capitol Technology University and the University of Maryland Global Campus, teaching in their master's cybersecurity programs. The teaching is not incidental - it explains something about the newsletter's tone. He writes like someone who has had to explain the same thing to smart but non-expert audiences many times and has learned exactly where the confusion lives.
Notable: Hughes holds both a CISSP and a CCSP - the two most respected certifications in enterprise security - alongside AWS and Azure security certifications and a CISO certificate from Carnegie Mellon. The point is not the credential count. The point is that he has done the credentialing work across cloud, identity, architecture, and operations, and you can feel that in what he writes and what he skips.
Three Books and a Supply Chain Crisis
The 2020s handed cybersecurity an ugly gift: proof that software supply chain security was not a theoretical problem. SolarWinds. Log4Shell. XZ Utils. The industry suddenly needed people who could explain what a Software Bill of Materials (SBOM) is, why it matters, and how an organization should act on one. Hughes was already writing about it.
His first book - Software Transparency: Supply Chain Security in an Era of a Software-Driven Society (Wiley) - arrived as the conversation was heating up. His second, Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem (Wiley), co-authored with Nikki Robinson, followed in 2024. The third, Securing AI Agents: Foundations, Frameworks, and Real-World Deployment (Springer, 2025), co-authored with Ken Huang, arrived as agentic AI started producing a new category of security problem enterprises hadn't thought through yet.
Three books in three years, each landing on the problem the industry hadn't fully articulated yet. This is not coincidence. Hughes tracks where the gap is between what practitioners need to understand and what good written resources exist. When the gap is large enough and he knows the territory, he writes the book. Then he writes the newsletter issue to explain the book. Then he interviews the practitioners on the podcast. It is a vertically integrated education machine with one person at the center.
CISA Fellow: Where Policy Meets Practice
In May 2023, the Cybersecurity and Infrastructure Security Agency announced its inaugural cohort of Cyber Innovation Fellows. Hughes was one of them. The fellowship placed him at the intersection of national policy and operational security in a way that his FedRAMP days had previewed but not fully realized.
His focus during the fellowship: SBOM adoption for cloud and SaaS software, and vulnerability management modernization. These are not glamorous areas. There are no CVEs named after them. But they are where the leverage is. If you can change how the federal government thinks about its software inventory, you change how vendors build and disclose. You change the defaults for everyone downstream.
"I am incredibly honored to join the CISA Cyber Innovation Fellows program. I've been a big proponent of the amazing work CISA is doing on various fronts for our nation's cybersecurity."
- Chris Hughes, May 2023
Zenity and the Next Problem: Agentic AI Security
In 2024, Hughes joined Zenity as VP of Security Strategy. Zenity focuses on securing agentic AI systems - the autonomous software agents that can now take actions, access data, and interact with external services on behalf of users and organizations. The problem is real and largely unsolved.
Organizations started deploying AI agents faster than they could answer basic governance questions about them. What data can they access? Who authorized that? What happens when an agent calls a compromised external API? Zenity's bet is that this becomes the defining enterprise security challenge of the coming years. Hughes' bet is that having written the book on it - literally - makes him the right person to help enterprises think through what governance actually looks like in practice.
Through Zenity, Hughes represents the company on the Project Governing Board of CoSAI (Coalition for Secure AI), and he has contributed to the OWASP Agentic Top 10 framework - an emerging standard that names and defines the top security risks in agentic AI deployments. RSA Conference 2026 has him on the schedule talking about comprehensive agentic AI security. The book was barely out and he was already on stage with the updated chapter.
The Newsletter as Operating System
The Resilient Cyber newsletter is not a content marketing play. There is no product being softly sold, no brand impressions being accumulated for a future fundraise. It is closer to what a great professor's lecture notes would look like if they were allowed to be opinionated and current.
Each issue covers the intersection of AppSec, AI security, software supply chain, leadership, and vulnerability management - the specific cluster of problems that organizations with mature security programs are actually wrestling with, not the ones that generate the best headlines. The podcast, which has run for six-plus seasons, brings in CISOs, DARPA program managers, researchers, and practitioners for conversations that assume the listener already knows what SBOM stands for.
This is the editorial decision that built 31,000 subscribers: Hughes treats his audience as his peers, not his students. He writes up to them, not down at them. In a field full of content designed to introduce beginners to concepts they'll have forgotten by next week, that choice created a specific and loyal audience of people who need to stay current and have run out of good ways to do it.
The Expertise Stack
Hughes operates at the intersection of several problem areas that most practitioners treat as separate disciplines. His career arc connects the dots: military operations built operational discipline; federal cloud work built systems thinking about compliance and risk at scale; Aquia built the business instincts; CISA built the policy literacy; Zenity built the forward-looking AI security perspective; and the newsletter synthesizes all of it into something practitioners can actually use on Monday.
The Human Part
Hughes lives in Virginia Beach with his wife and five children. He describes himself as a fitness enthusiast. He publishes constantly - books, newsletters, podcast episodes, conference talks, academic lectures - but the output never reads like someone chasing a content schedule. It reads like someone who has a lot to say and has figured out how to say it clearly.
There is also a specific kind of community investment in what Hughes does. He sits on the Cloud Security Alliance's D.C. chapter as Membership Chair. He contributes to OWASP frameworks. He takes IANS Research faculty appointments that require helping security leaders think through hard problems in real time. None of this is required. The newsletter and the books would work fine without it. The investment suggests he actually believes the community is the point.
The aspirations are plain enough: transparent software supply chains, practical vulnerability management, and AI security that keeps pace with AI deployment. Not exotic goals - but goals that require someone willing to do the unglamorous infrastructure work of writing the standards, building the frameworks, teaching the practitioners, and explaining it again to the new cohort that just got promoted into a CISO role and needs to get current fast.
That is what Chris Hughes is for. And he is very good at it.