He teaches machines to look at software the way a radiologist reads a scan - and the tumors light up before the code can run.
Most antivirus software reads code. David Lehrer decided to look at it instead. His company, Cysana, takes an executable file - a thing built of bits and bytes - and renders it as a flat 2D image, then hands that picture to a neural network. Malware, it turns out, has a face.
Here is the strange specific that defines David Lehrer's work: a piece of ransomware, converted into an image, looks different from a clean installer. Not to a human eye - to a deep learning model trained on millions of examples. Cysana, the product his company Conatix built, decompiles software, converts it into a two-dimensional image, and studies the spatial correlations that betray malicious intent. The threat is caught at the download point, before the file ever executes or installs.
It is a sideways solution to a head-on problem. The whole security industry races to recognize bad code by its behavior. Lehrer's bet is that you can recognize it by its shape. Turn a cybersecurity question into an image-recognition question, and suddenly the enormous machinery of modern computer vision is on your side.
The second idea is quieter and arguably cleverer. Ransomware does not bring its own lock. It borrows yours. It reaches for the computer's native encryption keys and uses them to seal your files until you pay. Cysana's anti-encryption module simply refuses to hand those keys over to anything suspicious. Strip malware of the ability to encrypt, and it cannot become ransomware - no matter where it came from. The technique was developed with the University of Luxembourg and patented in fifteen countries.
Lehrer did not arrive in cybersecurity from a SOC or a red team. He came from policy and the social sciences. He studied at Harvard - Harvard College, the Kennedy School for a Master of Public Administration, and Harvard Business School. Before founding companies, he was a visiting fellow and research associate in criminology and international development at Oxford, a visiting economist at the Bank of Finland, and a guest researcher in political economy at WZB Berlin.
His written work on scientific reporting has appeared in Science, in Foreign Policy, in social research methods journals, and on Australian public radio. The throughline of his career is a single stubborn question: how can the scattered, specialized knowledge of the modern world be aggregated well enough to act on hard, interdependent problems? Cybersecurity is one answer. Malware detection is, in his framing, a knowledge-aggregation problem wearing a hoodie.
Conatix did not begin as a malware company. Lehrer first built a system for large-scale discovery, analytics and visualization of unstructured text - the kind of thing that lets an analyst navigate millions of documents and surface the one paragraph that matters. That platform was used or beta-tested by Accenture, BAE Systems, IBM, Dassault Systemes, Bank of New York Mellon and Cisco. He served as CEO and Principal Investigator on text-analytics work for IARPA's BETTER program, the US intelligence community's research arm.
The pivot to cybersecurity is less of a leap than it looks. Both jobs are about finding the meaningful signal hidden in an overwhelming stream of data - whether that stream is a corpus of documents or the endpoint activity of a bank's entire workforce.
One of Cysana's original targets was the threat that comes from inside the building. Banks lose more to insider fraud and data theft than to outside attackers, and it is far harder to spot. Rather than relying on summarized network-level data, the platform streams granular endpoint activity - screen content, applications, browser behavior - and analyzes it on-premise, behind the client's firewall. Instead of drowning a security team in thousands of daily text alerts, it renders the organization's health as a 3D visual dashboard, tracking departments and individuals at a glance.
Conatix is headquartered near Washington DC, in Sterling, Virginia, but it operates as a genuinely distributed enterprise: offices and team members across New York, Montreal, London and Berlin, with deep research ties to Luxembourg. The neural networks behind Cysana were trained and tested on MeluXina, one of Europe's most powerful supercomputers, operated by LuxProvide. The core anti-ransomware research came out of the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, which granted Conatix an exclusive commercial license.
That geography is not vanity. It is how a small company gets access to a fifteen-country patent, a national supercomputer, and a deep bench of European security research without having to build any of it from scratch. Lehrer assembled a coalition where a less networked founder would have hit a wall.
The validation has been steady. Cysana won the 2024 Products That Count Product Award in the AI & Data category. Conatix landed on the global CyberTech 100 list of innovative banking cybersecurity startups and was named by the UK government's cybersecurity directorate as one of the most innovative startups two years running. It finished in the top 10% of Citi's Tech for Integrity Challenge and won a 1.2 million CAD PROMPT research grant. Lehrer himself sits in rarefied policy circles - the US Association for the Club of Rome, the International Institute for Strategic Studies, and the World Economic Forum's Technology for Integrity community.
Strip away the awards and the acronyms and a simple thesis remains. The best moment to stop malware is before it runs, and the best way to see it coming is to stop reading it like text and start looking at it like a picture. It is a contrarian idea delivered by someone who spent a career being comfortable at the edges - a policy researcher among engineers, an American running a European research coalition, a knowledge-aggregation theorist who found his sharpest application in the most adversarial corner of computing.
Install a lightweight agent on each endpoint.
Run a one-time audit of all installed software.
Decompile new files; convert them to 2D images.
Seven filters - including neural nets - score the threat.
Block, report, and deny encryption keys to bad actors.
Malware, rendered as an image, has a face. Cysana's whole bet is that you can recognize it before it ever speaks.
THE CYSANA THESIS, IN ONE LINE