The unguarded surface, found again.
In January 2026, Josh Lospinoso did the thing founders almost never do voluntarily: he handed over the keys. After eight years building Shift5, he stepped out of the CEO chair and onto the board, leaving day-to-day command to a former L3Harris executive while he kept the one job that's hardest to delegate - the long view.
It is a strange exit for a man whose entire career has been about refusing to look away from the thing everyone else ignored. Shift5 is not a flashy consumer app. It is an observability platform for the operational technology bolted inside planes, trains, tanks, and ships - the serial buses and control modules that keep a locomotive running or an F-16 flying, most of them designed in an era when "cybersecurity" meant a lock on the hangar door. Lospinoso's pitch, delivered for years in nearly the same words, lands like a slap: a smartphone is roughly a thousand times more secure than the most important ground combat vehicle in the U.S. Army.
"It's a sobering thought that your iPhone is about a thousand times more secure than the US army's most important ground combat vehicles - and attacks against weapons systems are not theoretical; they're really happening."
The line works because he can back it up. Before he was a founder pitching investors, Lospinoso spent more than a dozen years as a captain and cyber officer in the U.S. Army, building elite hacking tools for the National Security Agency's Tailored Access Operations, Army Cyber Command, and the Cyber National Mission Force. He knows exactly how soft these systems are, because for years his job was to find the soft spots in someone else's.
His resume reads like a dare to pigeonhole him. He graduated from West Point with a degree in economics and operations research, then won a Rhodes Scholarship and went to Oxford, where instead of doing the expected thing he came back with a PhD in statistics. He has published more than twenty peer-reviewed articles across disciplines and holds patents. And somewhere in there he wrote and taught the C++ course that U.S. Cyber Command uses to train its junior developers - then turned it into C++ Crash Course (No Starch Press, 2019), an 800-page brick that hands-on programmers actually keep on their desks.
The pattern: go where the data isn't watched.
Shift5 is the second time Lospinoso has spotted a category nobody was guarding. The first was RedOwl Analytics, an insider-threat detection company he co-founded that was acquired by Raytheon (Forcepoint) in 2017. The lesson he seems to have drawn was not "sell a company" but "look for the surface everyone assumed was safe because no one was looking at it."
So in 2018 he started Shift5 with James Correnti and Michael Weigand. The insight, as he tells it, was almost boring in its obviousness once stated: the security industry had poured itself into IT - laptops, phones, network gear - while an entire layer of digital components onboard vehicles sat unwatched. "The components were designed without adequate security," he has said, "and a root and branch upgrade of OT would probably be more expensive than the vehicle itself." You can't rip out the brain of a thirty-year-old fighter jet. But you can put a device on its data bus and finally see what it's saying.
"We found this new area of digital components that had received relatively little attention. The components were designed without adequate security - a root and branch upgrade of OT would probably be more expensive than the vehicle itself."
The company even named its podcast after the one-liner: Planes, Trains, and Tanks. The phrasing is half marketing, half genuine taxonomy - because that really is the spread of what Shift5 instruments, plus ships and rail networks. The money has followed the thesis: a $20M Series A in 2021, a $50M Series B, and a $75M Series C closed in September 2025, pushing total funding past $180M. Along the way the company grew past 130 employees and won an Army OTA to deliver a prototype vehicle security system.
From offense to defense, and onto the Hill.
There's a tidy symmetry to Lospinoso's arc. He spent the first half of his career building tools to break into systems for the United States. He has spent the second half building tools to keep those same kinds of systems from being broken into. It's the same expertise pointed in the opposite direction, and it gives him standing few defense-tech founders have when he testifies. Before the Senate Armed Services Committee, he warned that if the nation fails to keep its AI edge on major weapon systems, "we face the real prospect that an adversary could surpass us."
That blend - the operator who has actually done the offensive work, the academic who can model the risk, the teacher who can explain it in plain C++ - is why the move to Shift5's board in 2026 reads less like a retreat and more like a reallocation. The day-to-day went to Toby Magsig, an ex-L3Harris executive named president and interim CEO. Lospinoso kept the founder's prerogative: long-term vision, the big product bets, the strategic relationships, and the testimony that puts unglamorous onboard data in front of senators who would rather talk about hypersonics.
What makes him worth watching is not the title he just gave up. It's the habit underneath it - the relentless instinct to find the surface no one is defending and plant a flag on it. He did it with insider threats. He did it with the data bus of a tank. The interesting question is what he decides is unguarded next.
Defending the cyber-physical attack surface of planes, trains, and tanks is a national security imperative.
If the nation doesn't retain its AI dominance and empower its major weapon systems with AI-enabled technology, an adversary could surpass us.