As part of the Hall of Fame series, Industrial Cyber has a chance to catch up with Bryson Bort, founder and CEO at SCYTHE, co-founder and organizer of ICS Village, and chairman and founder at GRIMM Cyber. He is a two-time CEO and three-time founder, having founded services, products, and non-profit companies. He is also an angel investor in several pre-seed and seed-stage startups.
Whether as an author, instructor, or keynote speaker, Bort, an Army veteran and cybersecurity leader who served on the nation’s front lines of cyber innovation, has emerged as an inspiration whose rise from West Point to the forefront of cyber strategies is as thoughtful as it is fascinating.
A former Battle Captain and Brigade Engineer Officer in Operation Iraqi Freedom, Bort transitioned from the military to creating cybersecurity tools and organizations. He went on to set up GRIMM, a boutique cybersecurity consultancy, and SCYTHE, a next-generation attack emulation platform, and is now co-founder of ICS Village, a nonprofit advancing awareness of industrial control system security.
Bort knows about more than technical innovation. He is also a Senior Fellow at the National Security Institute and on advisory boards for organizations such as the Army Cyber Institute, the Atlantic Council, and R Street.
This interview peels back Bort’s vision and dissects how military discipline, policy intuition, and adversarial emulation intersect to pave the future of industrial cyber resilience.
Origins and ethos
Industrial Cyber: You started in tactical communications during Operation Iraqi Freedom, then transitioned from military intelligence into offensive security and cyber entrepreneurship. What would you say drove that shift, and how does your operational mindset still shape your approach today?
Bryson Bort: High-profile incidents like Colonial Pipeline and Oldsmar shone a spotlight on critical infrastructure security, but awareness alone doesn’t create resilience. True, sustained action requires moving beyond headlines to disciplined, systemic change. A forward-leaning resilience strategy isn’t just about technology; it’s about people. I went to West Point to join the Army to serve; the Army is about people at its core. And it should be the same for any organization.
The largest gap I see in security is the failure to incorporate people: users are the largest risk surface area, and security professionals are more important than tools in defense.
You’ve said your passion for cybersecurity is rooted in protection and service. How has that instinct evolved now that you are placed at the intersection of national defense, critical infrastructure, and public policy?

My passion for cybersecurity began with a desire to protect and serve, and it has naturally expanded as I have stepped into roles where national defense, critical infrastructure, and public policy intersect.
Today, my focus isn’t just on protecting systems, it’s on building resilience at the national and global level. That means anticipating emerging threats, aligning public and private efforts through events like the Critical Effect conference, and shaping strategies that keep essential services secure for every community, like Undisruptable 27 with the Institute for Security and Technology. Leadership in this space is about translating deep technical expertise into actionable, real-world solutions that safeguard the country while empowering the people and organizations who rely on these critical systems.
Building institutions and rising influence

You’re a former senior fellow for cybersecurity and emerging threats at the R Street Institute. From that vantage point, what’s still missing from how Washington is addressing the unique nature of industrial and cyber-physical risk?

During my time advising at the White House and the Cybersecurity and Infrastructure Security Agency (CISA), I saw firsthand how conventional approaches often fail to address the realities of industrial and cyber-physical risk. For example, in a critical infrastructure discussion, the focus was still on simplistic control levers for water utilities, a solution that simply doesn’t scale or match the complexity of today’s threats. I’ve consistently pushed the message within the government: ‘no more paper.’ The ‘not haves,’ the vulnerable asset owners, don’t even have the time to read the deluge of paper, no matter how valuable the guidance might be. They need capabilities. And that should be the provenance of the government defending its people.

Having advised the Army Cyber Institute, the NSA, and the Cybersecurity and Infrastructure Security Agency (CISA), how do you balance your dual role of pushing innovation across the industrial space while helping steer federal cybersecurity strategy? What factors do you keep in mind as you wade through their positions?

Advising the Army Cyber Institute, NSA, and CISA has shown me that advancing innovation and shaping federal cybersecurity strategy aren’t opposing goals—they’re deeply interconnected.
My role is about bridging perspectives and fostering collaboration: bringing real-world industrial experience to government decision-making while ensuring policy evolves in step with emerging threats and legacy infrastructure. I focus on practical impact, what will actually strengthen resilience, and I weigh positions through the lens of national security, operational feasibility, and the long-term sustainability of our critical systems.

ICS Village brings OT to life for security professionals and policymakers. What misconceptions have you seen fall away when people engage hands-on with these demos? Also, how has the ICS Village matured since 2017?

ICS Village, a 501c3 non-profit, brings operational technology to life in a way that no slide deck ever could. When people engage hands-on with the exhibits or the Capture the Flag challenges, long-standing misconceptions quickly fall away; suddenly, the complexity, interdependence, and real-world risk of industrial systems become tangible. The Village began as a small initiative, carried forward by Tom VanNorman, and I joined him to co-found it as a non-profit.
Since 2017, it has grown exponentially, thanks to passionate volunteers who bring it to life, from workforce development initiatives launched with the support of the Gula Foundation in 2023 to stronger collaboration with manufacturers. The space itself has matured dramatically: before Colonial, industrial cybersecurity barely registered in the public consciousness, and now we see critical engagement through bug bounty programs we’ve done with manufacturers and forums like the Critical Effect conference. ICS Village has become a proving ground, a learning platform, and a bridge between policy, industry, and the next generation of OT defenders.
Startups, innovation and adversarial thinking

SCYTHE evolved out of your belief that emulation is the best way to validate defense. What’s the biggest mistake you see security teams make when trying to adopt an adversarial mindset?

Security is defined by the threat, so the ability to test defenses with high fidelity is critical. The biggest mistake I see teams make when trying to adopt an adversarial mindset is prioritizing convenience over operational value. Many get lost in technical rabbit holes, chasing clever exploits or defense-evasion techniques that ultimately contribute little to real protection. The industry is caught in an arms race of evasion, but there are an infinite number of ways for a threat’s attack chain. What matters is focusing on the tests and insights that actually strengthen your defensive posture and reduce dwell time. True impact comes from disciplined, threat-informed validation, not cleverness for its own sake.

You’ve argued that Red Team vs. Blue Team is no longer enough and that the real challenge is building repeatable validation. What does a modern purple team look like to you?

Everyone who graduated from kindergarten knows that Red + Blue = Purple. But the requirement is bigger than that; it should be a collaborative, milestone-driven exercise. It is more than security teams that should be collaborating, including finance if that’s the scope, and it is more than simulating threat attack logic.
Milestones can be business objectives or controls-focused testing, i.e., evaluate a defensive control against a comprehensive set of threat behaviors. The modern purple team is the foundation of defensive understanding; start with purple to establish visibility and time to respond (dwell time has the greatest correlation to impact) with a simple red signal and build your way to a red team run by human operators and human imagination.

You once described GRIMM’s initial days as scrambling ‘from odd job to odd job. I was basically a cyber janitor. If you needed it, we did it.’ For founders trying to bring bleeding-edge security ideas to market today, what pitfalls should they watch out for?

I left the government to found GRIMM and, overnight, found myself an Army of One. I remember sitting at my coffee table on the morning of that first day, suddenly no longer important, and thinking, ‘okay… now what?’ I had big ideas I wanted to do to help advance cybersecurity into being an equal as the fifth warfighting domain. Big ideas don’t put food on the table; money does, which is why I took any job I could get to keep the fire going until we earned a seat back at the table. And, it is easy to lose sight of that, as witnessed by the cybersecurity growth market coming back to Earth after 2022.
I started an annual series where I talk with fellow founders about all of the things that have gone wrong on their way to success. And it is manifold. There are three factors that dictate the success of a start-up: founder/idea, team, and timing. The founder has to continually navigate a hostile ocean with three factors: founder/idea, team, and timing, ensuring smooth sailing or a shipwreck.
OT/IT complexity and the human factor

Based on your experience, how does the convergence of IT and OT expose blind spots in enterprise security? Also, why must emulation and threat-informed defense be paired with cultural shifts to address the socio-technical challenges of achieving sustainable cyber resilience in industrial environments?

The convergence of IT and OT, driven by financial reasons, expands the attack surface, and it exposes the critical seams where operational efficiency and cost pressures collide with operational and national security. In industrial environments, organizations are often in one of two states: striving for centralized visibility and controls to bring cybersecurity into focus, or constructing defensible architectures capable of mitigating threats.
But technology alone will never be enough. Real, sustainable resilience demands pairing threat-informed defense and emulation with a cultural transformation, embedding security as a shared responsibility, aligning incentives, and instilling a mindset where operational goals and proactive risk management reinforce each other. Industrial cyber resilience isn’t achieved through tools or processes in isolation; it emerges when people, technology, and strategy operate as a unified force.

After high-profile OT breaches like Colonial Pipeline and Oldsmar, visibility into industrial cybersecurity risks has clearly increased, but is that awareness translating into sustained action? What would a serious, forward-leaning resilience strategy actually look like if implemented at scale across critical infrastructure sectors?

Chris Krebs, then CISA DIR, and I gave a talk at RSAC in 2020 predicting the impending scourge of ransomware as a threat to national security. High-profile incidents like Colonial Pipeline and Oldsmar shone a spotlight on industrial cybersecurity, but awareness alone doesn’t create resilience. True, sustained action requires moving beyond headlines to disciplined, systemic change.
A forward-leaning resilience strategy isn’t just about technology; it’s about visibility, architecture, and governance operating in lockstep. At scale, it would combine integrated monitoring and action beyond the asset owners’ perimeter with threat-informed defensive tuning of assets, architecture, and operators with cross-sector collaboration, embedding security as a shared responsibility across operations, engineering, and executive leadership.
Workforce development is critical, equipping people with the skills to anticipate, respond, and adapt. Resilience at this level transforms organizations from reactive to proactive, reducing dwell time, limiting cascading impacts, and creating a foundation where industrial systems can endure and adapt under pressure.
Risk, resilience and the road ahead

As SCYTHE continues to grow, what new threat scenarios or industry verticals are you focusing on next? What excites you about where emulation can go from here?

We announced the research and development we’ve been doing with the DoD/Defense Innovation Unit on artificial intelligence in threat emulation. This is a from-scratch offensive AI model that enables users to specify goals (i.e., ‘disrupt power generation’), and the platform will build an implant and attack logic to complete those goals.
In addition, it will function as an orchestration capability to enable comprehensive, stateful testing, which means it is hypothetically possible to definitively quantify cybersecurity: a score that means the same thing today that it means tomorrow for defense. In addition, we have been working to build ICS-specific capabilities, beyond what’s already in the platform, to help asset owners safely scale testing down to the lowest levels of the Purdue model with embedded device architecture and specific communication protocols.

You have said that “Together we will succeed, individually we will continue to struggle and fail.” What are the most important trust-building moves security leaders can make across sectors—public, private, and academic?

I gave a keynote talk titled, ‘From Me to We,’ about the why and how we need to do this together. The reality of cybersecurity in critical sectors: no organization can go it alone. Building trust starts with transparency, sharing insights, incidents, and lessons learned openly across public, private, and academic spheres. It requires consistency, government, and people delivering on commitments. And it demands respect for expertise, acknowledging the knowledge and constraints of each partner while aligning on shared objectives.
Leaders who invest in these trust-building behaviors don’t just protect systems; they create networks of resilience where innovation, agility, and defense amplify each other.

If you could rewrite a piece of national cyber policy or remove a major industry misconception with one stroke, what would it be, and why?

If I could rewrite one piece of national cyber policy, it would be the assumption that compliance equals security. Too often, policy treats checklists as the end goal, but real resilience is operational and dynamic; it’s about visibility, adaptability, and the ability to respond before impact. I’d replace that misconception with a focus on measurable, threat-informed outcomes and repeatable validation across sectors.
The message would be clear: security isn’t a static requirement; it’s a living discipline that demands collaboration, technology, and human judgment working in lockstep. That shift would transform how both government and industry approach risk, and ultimately, how we protect the systems that society depends on.

From West Point to the Hill, from DEF CON to the boardroom, what do you want your legacy to be in the industrial cybersecurity field? What still keeps you up at night?

From the AI research on top of what I learned with my time leading integrated cyber operations for the counter-terrorism mission, it is possible that we could definitively solve part of the cybersecurity problem. That is a bold statement, but I fully believe it will come to fruition in the next 1-2 years of research. I would like my technical legacy to be that advancement for humankind.
My personal legacy: I hope to have inspired, helped, and taught as many people as I can to be kind and to help each other in whatever capacity they can.
What keeps me up at night: Taiwan will fall to China. And, it is going to be the interdependence of critical infrastructure and force projection that is the vulnerability that will be exploited to enable this outcome. I saw this risk via the Army Cyber Institute’s Jack Voltaic exercises. Then, we will be in a new international paradigm with shifts in the security and economic order. And, the proverbial ‘red line’ of what is tolerated for cyberattacks could be lowered, leading to an increase in chaos for citizens everywhere.
Ensuring our preparedness, resilience, and response isn’t optional; it’s a responsibility. That responsibility drives everything I do, from innovation and policy to building the talent and partnerships that will safeguard our nation.