Zane Lackey, General Partner at Andreessen Horowitz
Venture Capital & Cybersecurity

The Hacker Who Learned to Write Checks  |  General Partner, a16z  |  New York

He spent his twenties defending the internet. His thirties building a company that defended it better. Now he's funding whoever comes next.

  • $775M - Signal Sciences Exit
  • 7 yrs - Building Signal Sciences
  • a16z - General Partner, 2021-

The Kid Who Got Hacked in Five Minutes

Murphys, California has fewer than 2,500 people, one main street lined with wine tasting rooms, and - in the late 1990s - the kind of dial-up internet connection that required weeks of fiddling with PPP settings just to connect. Zane Lackey was the kid who did that fiddling. He saved money from odd jobs to buy a second hard drive. He installed Linux on it. He spent months configuring the connection manually, packet by packet, until it finally worked.

Then he got hacked within five minutes of logging on.

Most people would have taken that as a sign to stop. Lackey took it as a curriculum. That humiliation in rural California set the trajectory for everything that followed: a career spent understanding how attackers think so he could build things they couldn't break. The hard, lonely work, as he calls it, turned out to be the only kind worth doing.

Two decades later, he's a General Partner at Andreessen Horowitz, one of Silicon Valley's most influential venture firms, writing checks ranging from $10K seed bets to $100M growth rounds. His focus: enterprise infrastructure, developer tools, and security - particularly the emerging wave of AI-native security companies that are building defenses from scratch rather than retrofitting old approaches to new threats. He doesn't just evaluate these companies. He's built one that sold for three-quarters of a billion dollars.

  • $775M - Signal Sciences Acquisition
  • 150+ - Employees at Exit
  • Trillions - Web Requests Defended

Three Acts, One Thesis

After studying Economics with a Computer Science minor at UC Davis - where he ran an elaborate honeypot operation out of the university's security lab - Lackey joined iSEC Partners as a security consultant. This was the era when "security" mostly meant pen testing: you broke in, wrote a report, and hoped someone read it. He was good at it. But breaking things only gets you so far.

The pivot came when he joined Etsy as Director of Security Engineering, eventually becoming CISO. This was around 2008, when Etsy was in the middle of its famous DevOps transformation - moving from slow, infrequent releases to continuous deployment. The engineering culture was changing faster than security practices could adapt. Lackey's job was to make security something developers wanted to engage with, not something that blocked them from shipping.

At UC Davis, Lackey built a completely fake university departmental website as a honeypot. A group of South American teenagers took the bait - and promptly used the access to install a Counter-Strike server. He catalogued the whole thing. The security researcher in him was delighted. The sysadmin in him was furious.

That tension - between the security team's instinct to lock everything down and the engineering team's instinct to ship fast - became the defining problem of his career. He saw it everywhere: at Etsy, in conversations with CISOs at Fortune 500 companies who refused to authorize cloud migrations while CIOs pushed hard for them. The organizational dysfunction wasn't a technology problem. It was a culture problem. "Technology is the easy bit," he has said. "Culture is the hard bit."

Signal Sciences was his attempt to solve both at once.

Signal Sciences: Building the Thing He Needed

He co-founded Signal Sciences in 2014 as Chief Security Officer. The idea was straightforward in retrospect, radical at the time: web application security tooling that worked with how developers actually built software, not against it. No friction. No false positives that caused security teams to disable alerts. Actionable signals that engineers could actually use.

They built it over nearly seven years. By the time Fastly acquired Signal Sciences for $775 million in 2020, the company had 150 employees and was defending tens of thousands of web applications and trillions of requests globally. Lackey spent a year post-acquisition as Fastly's Global Head of Security Product Strategy before making his next move.

Martin Casado, a General Partner at a16z, has described Lackey as "typifying the original mold of an a16z GP" - the kind of operator who built a real company, scaled it through real problems, and ended up on the other side of a major acquisition. The credibility wasn't manufactured. It came from being the person responsible when things went wrong.


The Investor Who Reads the Incident Reports

Lackey joined a16z in 2021, landing on the Enterprise/Infrastructure team. His thesis is specific: the best security companies are ones that get embedded into how developers work, not imposed on top of existing workflows. A WAF that alerts but doesn't help is worse than no WAF at all - it trains teams to ignore alerts. Security has to earn the right to be in the critical path.

That view shapes which founders he backs. His portfolio includes Socket (supply chain security for open source), Doppel (brand protection), Truffle Security (secrets detection), Material Security (email security), Elevate Security (human risk management), Promptfoo (AI application security), and Inspectiv. He sits on the boards at Socket, Doppel, and Sprig, and serves as an advisory board member of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund.

His investment range - from $10K to $100M - is unusually wide for a security-focused GP. That flexibility reflects how a16z thinks about the space: security isn't one stage of maturity, it's a pervasive problem that needs capital at every level from early experiments to scaling infrastructure.

The current area of focus is AI-native security. Not traditional security vendors adding AI features, but companies rebuilding their approach from the ground up around how AI systems are built and deployed. The attack surfaces are different. The defenders need to think differently too. Lackey has spent time on a16z's podcast exploring what foundation models mean for cybersecurity and what DeepSeek's emergence signals for the field - questions that were hypothetical two years ago and are now operationally urgent.

Socket
Doppel
Truffle Security
Material Security
Elevate Security
Promptfoo
Inspectiv
Tromzo

Building a Modern Security Program

Before the a16z chapter, before Signal Sciences, Lackey co-authored a book with Rebecca Huehls for O'Reilly: Building a Modern Security Program: Adapting Security for DevOps and Cloud. It's a practical manual drawn directly from his time at Etsy - how to think about security when your engineering team ships code fifty times a day, when your infrastructure is someone else's cloud, when the old perimeter model is functionally fiction.

When it came out, he called it "the nerdy dream I've had since high school." That combination - the nerd who dreamed about writing a security book as a teenager in Murphys, California, who built and sold a company, who now writes $100M checks - is the through-line. The dream never changed. The scale did.


On Stage and On Record

Lackey has spoken at practically every serious security conference: Black Hat USA (2014 and 2017), RSA Conference, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon. He's been invited to lecture at Facebook, Goldman Sachs, IBM, and the Federal Trade Commission. The circuit follows the expertise.

Black Hat USA 2023: "Unlocking the Secrets of Cybersecurity Entrepreneurship" - a Q&A with a16z's Zane Lackey (YouTube).

His podcasts tend toward the technical and the concrete. He's discussed how foundation models change threat modeling, what DeepSeek's architecture means for defensive tooling, and the organizational dynamics that make security programs fail even when the technology works. He's also talked at length about what it actually felt like to go from hacker to CISO to founder - a path most people only take one step of.

The Long Game

  • Early 2000s - UC Davis: BA in Economics + CS minor. Runs honeypot operation in the university security lab. Catches hackers who install a Counter-Strike server.

  • 2003-08 - iSEC Partners: Security consultant. Learns how attackers think by being paid to think like them.

  • 2008-14 - Etsy: Director of Security Engineering, then CISO. Navigates the DevOps revolution and redefines how security teams integrate with fast-moving engineering orgs.

  • 2014 - Signal Sciences Founded: Co-founds the company as CSO. The thesis: security tooling that works with developers, not against them.

  • 2020 - $775M Exit: Fastly acquires Signal Sciences for $775 million. 150 employees. Trillions of web requests defended. Nearly seven years of building.

  • 2020-21 - Fastly: Global Head of Security Product Strategy post-acquisition. One year. Then the next chapter.

  • 2021- - Andreessen Horowitz: General Partner, Enterprise/Infrastructure. Backs AI-native security companies. Investment range: $10K to $100M.

The Record

  • Co-founded Signal Sciences, which Fastly acquired for $775 million in 2020 - one of the largest security acquisitions of that year.

  • Served as CISO at Etsy during its landmark DevOps transformation, establishing a model for how security can work at scale inside a modern engineering organization.

  • Published Building a Modern Security Program with O'Reilly - a practitioner's guide that is still used by engineering and security teams navigating cloud-first operations.

  • Speaker at Black Hat USA (2014, 2017), RSA Conference, USENIX, SANS, OWASP, Microsoft BlueHat, and QCon, as well as invited lectures at Facebook, Goldman Sachs, IBM, and the Federal Trade Commission.

  • Advisory Board member of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund - two organizations working at the intersection of security research and public interest.

  • Board member at Socket, Doppel, and Sprig; board observer at multiple additional portfolio companies across the a16z security portfolio.