Security from the inside out
Most application security tools sit outside the software they're supposed to protect. They scan. They probe. They send requests and wait for responses and catalog everything that looks suspicious. The result, as Rick Fitz has been saying since he took the CEO job at Contrast Security in April 2023, is a pile. A backlog. A queue of thousands of potential issues that developers have neither the time nor the context to triage properly.
Contrast Security plants sensors inside the application. Not scanning from outside - instrumented from within, watching how code actually behaves at runtime. When a vulnerability gets touched, Contrast knows. When production traffic probes a weakness, Contrast sees it first. Fitz describes this as inspecting "from the inside out," and he came to the role specifically because his background made him believe the approach is not incremental - it's a category shift.
He joined Contrast in April 2023 after more than six years running Splunk's IT Operations and Application Development Market Group as SVP and General Manager. Before that, 25-plus years building, selling, and scaling enterprise software. Two degrees - a BS in Computer Engineering from the University of the Pacific, and an MBA from Golden Gate University. The engineering degree came first. That sequence matters: Fitz thinks like an engineer, operates like an executive.
"My background enables me to understand the value of inspecting an application from the inside out, which is why I believe Contrast's unique Shift Smart approach will redefine the market." - Rick Fitz, on joining Contrast Security as CEO, April 2023
Six years at Splunk's growth machine
When Splunk acquired SignalFx in 2019 for $1.05 billion, Rick Fitz was in the room. As SVP and GM of the IT Operations and Application Development Market Group, he owned the division that would integrate the observability platform into Splunk's portfolio. It wasn't just SignalFx - his tenure included multiple acquisitions, each requiring him to manage integration, retain talent, and build go-to-market motion for products that hadn't existed inside Splunk the year before.
The Splunk job was not a simple one. The IT operations and application development market sits at a permanently contested intersection - every major cloud provider, every observability startup, and every legacy monitoring vendor competes there. Fitz had to hold ground on all sides while helping Splunk position for its eventual $28 billion acquisition by Cisco. He left Splunk in 2021, before the Cisco deal closed, having built the division into a significant part of the company's enterprise portfolio.
Battery Ventures' Dharmesh Thakker, who backed Contrast Security, cited Fitz's Splunk track record directly when endorsing his appointment. "Previous experience scaling large software companies" was the phrase used. That is investor-speak for: he has done this before, at a comparable company, and he did it well.
90 days of listening, then moving fast
On April 10, 2023 - the day he actually started at Contrast, eight days before the press release went out - Rick Fitz made a public commitment. He would spend his first 90 days listening. Customers. Employees. Partners. Industry leaders. He wrote an open letter and published it, describing his intent before he'd done anything else. For a new CEO, that is a specific kind of statement: it signals that the playbook he's running is deliberate, not reactive.
The company he inherited had strong fundamentals. Contrast Security, founded in 2014, had grown its annual recurring revenue 25 times over and expanded its workforce 10-fold. It had raised $274 million in total, including a $150 million Series E in November 2021. The outgoing CEO, Alan Naumann, stayed on as President and board advisor to smooth the transition - an arrangement that said more about Naumann's confidence in Fitz than anything in the press release.
The RSA Conference in San Francisco came two weeks later. Fitz was there, at the Contrast booth, still in his first month. That is where enterprise security deals are made and market positions are publicly staked. Showing up at RSA in week two is not required. It is a choice, and it's the kind of choice that tells you something about how a new CEO is thinking about pace.
His core argument to the market is not new - Contrast has been making it since 2014 - but Fitz brings the Splunk credibility needed to deliver it to CISOs and CIOs who might have dismissed application instrumentation as too complex for their teams. When he says "I've seen what runtime data does for IT operations at scale," he is drawing on six years of watching Splunk customers do exactly that with infrastructure. The extension to application security is, from his perspective, logical.
"When you're using the information you have in a production setting, it allows you to prioritize issues that are worth fixing - things that are potentially either being probed or attacked." - Rick Fitz, interview with Information Security Media Group, January 2025
AI won't replace the people problem
In January 2025, Fitz sat down with Information Security Media Group and said something that ran against the grain of the moment. Application security, he argued, needs people - not just AI. The vulnerability backlog problem is not purely a data problem. It is a skills problem. Organizations don't have enough security engineers who understand application code deeply enough to triage findings, and no AI model changes the fundamental shortage of human expertise in that gap.
His logic is consistent with his runtime-first philosophy. AI can help process signals, but the signals have to be meaningful in the first place. A scanner that produces 10,000 findings gives AI 10,000 things to categorize. An instrumented application that produces 200 confirmed, runtime-verified vulnerabilities gives AI 200 things to actually fix. The starting material matters. Garbage in, garbage out - even with a large language model sorting the garbage.
Contrast Security offers managed services alongside its platform, precisely because many organizations don't have the staff to run a sophisticated AppSec program independently. Fitz frames this as accelerating security maturity, not a concession to customer weakness. The distinction is subtle but important for an enterprise sales motion: you're not selling a replacement for expertise, you're selling a shortcut to building it.
"Scanning sometimes creates a whole pile or a backlog of things that potentially need to be addressed. Using the runtime to organize that work is very powerful." - Rick Fitz
The record
- Named to CRN's Web 150 list of top web security executives (2024)
- Led Splunk's IT Operations and Application Development Market Group through landmark acquisitions including SignalFx ($1.05B)
- Appointed CEO and Chairman of the Board at Contrast Security, April 2023
- Track record of scaling software companies from early stage to $1B+ in revenues
- Led Contrast Security's continued post-Series-E growth phase ($150M raised, Nov 2021)
- Over 25 years building enterprise software across the full stack from engineering to executive leadership