Guarding the machinery of business
Mariano Nunez spends his days on a problem most people never think about and most companies cannot function without. The enterprise resource planning systems sold by SAP and Oracle sit underneath payroll, supply chains, financials, and manufacturing lines for a large share of the world's biggest organizations. They are old, deeply customized, and rarely rebuilt. For two decades they were also, in security terms, a blind spot. Nunez built his career, and then his company, on closing it.
As CEO and co-founder of Onapsis, the Boston company headquartered at 101 Federal Street, Nunez leads what is now the recognized market leader in protecting business-critical applications. The pitch is straightforward: the software running the global economy deserves the same scrutiny as the laptop on your desk or the website in your browser. For years, it did not get it. Attackers eventually noticed the same gap Nunez did. His answer was to get there first, and stay ahead.
The nature of the threat has shifted, and Nunez is candid about it. Early ERP security worried mostly about who had access to what. Now, he says, attackers increasingly skip the front door entirely, going after unpatched vulnerabilities and insecure configurations that let them bypass traditional controls. That change is why Onapsis leans so heavily on its research arm. Onapsis Research Labs has discovered and responsibly disclosed more than 1,000 zero-day vulnerabilities across SAP and ERP environments, feeding fixes back to vendors before criminals can weaponize them.
“In cybersecurity, it is not about competition; it is about collective defense.”
From a movie to a mission
The origin story is unusually specific. Nunez traces his obsession to watching the 1995 film Hackers as a pre-teen, then to an 800-page security book he bought from a street vendor's table in New York. He barely understood it at the time. He read it anyway, and taught himself the field. By 15 he had built a community news website and was carrying his laptop into local shops to sell advertising space. At 16 he sought out a well-known Argentine security researcher for mentorship. That researcher hired him at 18, while he was still studying computer science and already doing offensive penetration testing, breaking into client systems legally to show where they were exposed.
One of those tests changed everything. Assigned to probe an SAP application, Nunez realized that a system running an enormous share of global business transactions had almost no independent security research behind it. The systems were highly valuable, highly vulnerable, and largely undefended. Most people would file that away as an interesting observation. Nunez treated it as a market. In 2009 he co-founded Onapsis to proactively protect the world's most critical business systems.
“Being an entrepreneur is like being on an emotional rollercoaster. There are frequent highs and lows.”
The bedroom years
Onapsis did not begin in a gleaming office. It began, by Nunez's own account, in a co-founder's bedroom with no air conditioning and no heating. He was not raising money on the strength of a category that existed; he was building the category itself. That meant standing on stage at conferences like RSA, Black Hat, and SANS as the first person to publicly present cybersecurity risks affecting SAP and ERP platforms, and how to mitigate them. It also meant giving the community tools, including the first open-source ERP penetration testing framework. Over the years his teams uncovered critical vulnerabilities not just in SAP but in Oracle, IBM, and Microsoft applications.
Publicly demonstrating how to attack the systems of some of the largest software vendors in the world took a certain nerve. The harder and slower work was building the company that helps organizations defend them, and eventually earning the trust of the vendors themselves. Onapsis today is the SAP-endorsed application security solution and runs the SAP Defenders Community, a practitioner group built around the collective-defense idea Nunez keeps returning to. The company raised a Series D in 2020, bringing total funding past $115 million, and now employs roughly 380 people.
The way he leads
Nunez has little patience for one of startup culture's favorite slogans. “Fake it till you make it,” he has said plainly, is shallow advice. In a field where faking competence gets you breached, he treats authenticity as the product, not a soft value. He is also unusually honest about luck, telling interviewers that success depends partly on circumstance and not on effort alone. That belief shapes what he says he wants to do beyond Onapsis: create opportunities for underserved people through mentorship, education, and access to jobs, on the theory that the right opening can genuinely change a life's trajectory.
To survive the rollercoaster he describes, he keeps a steadying routine. He meditates. He exercises for mental clarity. He takes real vacations with email switched off. For a founder who spends his professional life anticipating worst-case scenarios inside other companies' most important systems, the discipline of disconnecting is its own kind of security control.
The recognition has accumulated along the way: EY Entrepreneur of the Year 2018 in New England, an MIT Technology Review Top 35 Innovators Under 35 nod, a Boston Business Journal 40 Under 40, and selection as an Endeavor entrepreneur. He has completed executive programs at Harvard Business School and Stanford's Graduate School of Business, layering business training on top of the engineering foundation. But ask what the real scoreboard is, and the honest answer is not a trophy. It is the count of vulnerabilities his teams have found and quietly helped patch before anyone got hurt, a number that keeps climbing past a thousand.