Breaking
Paul Paget - CEO, Black Kite Joined 2019, CEO shortly after Mass TLC CEO of the Year, Growth Stage Bowdoin College - B.A. History Prior CEO: PwnieExpress, Savant Protection, Core Security $36M total funding at Black Kite Third-party cyber risk quantification, in financial terms Boston, MA - 800 Boylston
The Executive Desk / Vol. IV

Paul Paget

A history major from Bowdoin who has spent thirty years in the cybersecurity business. He has been CEO of at least four of its companies. The current one is Black Kite, and it rates the cyber risk of everyone else's vendors.

Paul Paget, CEO of Black Kite
Paget, at rest. The CEO of Black Kite between the parts of the day where he is not the CEO of Black Kite. Boston, present day.
RoleCEO, Black Kite
Since2019
CEO ToursFour (so far)
Alma MaterBowdoin
The Story

The operator's operator

The clarifying detail about Paul Paget is that his Twitter handle is @normshield. NormShield was the name of Black Kite before Black Kite was the name of Black Kite. He has not changed the handle. This is either sentiment or, more likely, the reasonable position of someone who has spent enough time inside cybersecurity companies to know that the name on the door is less durable than the person sitting behind it.

Paget runs Black Kite, a Boston company that quantifies third-party cyber risk. If your business depends on 400 vendors, and one of them is one phishing email away from ransomware, Black Kite is the thing that tells you which one. It scores them, translates the score into financial terms using the Open FAIR model, and presents the result to a CISO or a board committee that would prefer not to be surprised. Paget joined in 2019. He became CEO shortly after. The company has since become the number-one recommended vendor in the security ratings space, which is a category that did not exist in a durable way ten years ago and now has analyst coverage, a taxonomy, and competitors with billion-dollar valuations.

Before Black Kite there was PwnieExpress, which under Paget became the first SaaS IoT threat detection player. Before PwnieExpress there was Savant Protection, later acquired into what is now Fortra. Before Savant there was Core Security Technologies, also later part of Fortra. Before Core there was Baltimore Technologies, where he ran the Americas. Before Baltimore, GTE CyberTrust, which is now part of Verizon. This is roughly the entire commercial history of enterprise cybersecurity, and Paget has been inside a boxed section of it for the whole run.

Some CEOs collect boards. Some collect tenure. Paget collects categories, and each one has been slightly further up the stack than the last: PKI, then network security, then endpoint, then IoT detection, and now third-party risk quantification. It is not a random walk. It is the same problem - what is the actual risk here, how big is it, and who owns it - rephrased for each new architecture layer that enterprises started depending on.

The Black Kite thesis, as Paget and co-founder Candan Bolukbas described it in their Volition Capital founder story, was that the vendor risk category had become qualitative and stale. Ratings vendors would give you a letter grade and a report. The letter grade would not tell you what a breach at that vendor would cost your business, in dollars, next quarter. Black Kite's differentiator was to quantify the cyber component - Bolukbas ran offensive security research; a co-founder named Bob Maley brought third-party risk experience from PayPal; Paget brought the go-to-market. It is a fairly clean split of responsibilities, and it worked. A $22M Series B landed in October 2021, bringing total funding to about $36M. Employee count is around 200. The Massachusetts Technology Leadership Council named Paget CEO of the Year for a growth-stage company. Inc. put the company on its Northeast Regionals list for 2025.

None of this is quite the interesting part. The interesting part is what it takes to keep agreeing to be a cybersecurity CEO. The rate of turnover in the top job at security companies is punishing. Boards over-rotate on new categories. Founders reclaim the seat. Products get technically obsolete inside of an 18-month acquisition cycle. Paget has been through several of those cycles at close range. He also ran, in between operator gigs, a consultancy called Loud Rumble, which advised early-stage cyber startups on go-to-market. The name is charming - the kind of name you pick when you have already made enough money to name things for fun - and it hints at what Paget is actually paid for: not to invent the science, but to package it in language a buyer will fund and a regulator will accept.

He is a Boston person. Boston Latin School, then Bowdoin. History major. The pipeline from Boston Latin to Bowdoin to a Route 128 cyber CEO seat is not a pipeline anyone put in a brochure, but it exists, and Paget is on it. History majors, incidentally, are useful in cybersecurity for the reason they are useful in most fields where technology moves faster than institutions: they are trained to notice that the current crisis rhymes with an earlier one, which makes it easier to charge for a solution.

Black Kite's public research output - a Third-Party Breach Report, a Ransomware Susceptibility Index, a Supply Chain Vulnerability Report - is the kind of thing a CEO signs off on but does not personally write. What he does personally is take the podium in the media rounds that come after. Fox Business has him on for ransomware segments. He posts research summaries on LinkedIn. He does not tweet very much, but when he does, it is from the account that used to be the company's.

The current company will presumably be acquired at some point, because that is what happens to companies in this category, and Paget will presumably then do it again. Or he will not, and the last name on the door will be Black Kite. Either outcome is coherent with the record.

"He collects categories, not titles."
— A working theory about Paul Paget
The Résumé

Thirty years, mostly one industry

2019 -
CEO, Black Kite
Joined in 2019, CEO shortly after. Third-party cyber risk intelligence.
Pre-2019
CEO, PwnieExpress
Repositioned as the first SaaS IoT threat detection platform.
2018
President & CEO, Savant Protection
Endpoint protection. Later part of Digital Guardian / Fortra.
Interim
Principal, Loud Rumble
Go-to-market advisory for early-stage cyber founders.
2000s
President & CEO, Core Security Technologies
Penetration testing and vulnerability management. Later part of Fortra.
Early 2000s
SVP Americas, Baltimore Technologies
PKI and identity in an earlier era of enterprise crypto.
1990s
VP Sales & Marketing, GTE CyberTrust
Now part of Verizon. Present at the founding of commercial trust services.
The Timeline

Selected chapters

1990s
Sales and marketing leadership at GTE CyberTrust, an early commercial certificate authority.
Early 2000s
Runs the Americas at Baltimore Technologies during the PKI wave.
Mid 2000s
CEO of Core Security Technologies. The company later becomes part of Fortra.
2018
Takes the CEO seat at Savant Protection.
Pre-2019
Repositions PwnieExpress as a SaaS IoT threat detection platform.
2019
Joins Black Kite (then NormShield); becomes CEO.
2020
NormShield rebrands as Black Kite. The Twitter handle does not change.
Oct 2021
Black Kite closes a $22M Series B, bringing total funding to about $36M.
Recent
Named CEO of the Year, Growth Stage, by the Mass Technology Leadership Council.
2025
Black Kite on Inc.'s Regionals: Northeast list.
Notes in the Margin

Small facts, in no particular order

Boston Latin, then Bowdoin

Both institutions where he studied History. The through line: reading a lot, then arguing about what it meant.

The handle is the tell

He still tweets, occasionally, from @normshield. It is Black Kite's old name.

Loud Rumble

The between-jobs consultancy. Named better than most consultancies. Advised early-stage security founders.

Fortra, twice

Two of his prior companies - Savant Protection and Core Security - are now inside Fortra.

Volition on the cap table

Volition Capital led growth-stage backing at Black Kite and interviewed him on their Founder Stories series.

The Fox Business rounds

He shows up as a talking head after ransomware news. Practical tone, not alarmed.

Frequently Asked

Questions people actually ask

Who is Paul Paget?

CEO of Black Kite, a Boston-based third-party cyber risk intelligence company. He has been the CEO of several cybersecurity companies before it.

When did he take over Black Kite?

He joined in 2019 and became CEO shortly afterward. The company was previously known as NormShield.

Where did he go to school?

Boston Latin School and Bowdoin College, where he took a B.A. in History.

What other companies has he led?

PwnieExpress, Savant Protection (later Fortra), Core Security Technologies (also Fortra), with executive roles at Baltimore Technologies and GTE CyberTrust before that.

Any recognition?

Named CEO of the Year for a growth-stage company by the Massachusetts Technology Leadership Council.

Elsewhere

Where to find him

LinkedIn Twitter / X Black Kite About Black Kite Crunchbase The Org Fast Company Volition: Black Kite Story Fox Business: Ransomware segment