Back to All Insights

The Business of Containment: Governing the Offensive Cyber Enterprise

Published on

At 2,013 words, this post will take 8 minutes to read.

A high-contrast silhouette of a figure walking through a corridor of vertical light and shadow.

The current offensive cyber market is an uncontrolled experiment in containment.

Without meaningful governance, we citizens of the world (the subjects of this experiment) will pay the consequences. Much like DuPont poisoning the water supply or Purdue testing the limits of addiction with the useful (though destructive) technology called opiates, these offensive cyber entities generate private profit by forcing potentially toxic externalities onto a public that lacks the power to refuse them. They occupy a volatile intersection of geopolitical risk, technical innovation, and moral hazard, wielding capabilities few private actors possess while facing scrutiny few can withstand.

We need a governance blueprint for the Offensive Cyber Enterprise: private firms that design, operate, or sell offensive capability to sovereign clients.

The market is real, growing, and the technology works.1 The question remains: where is the governance? Human judgment currently bears the weight of these controls: the ethics of leadership, the discretion of engineers, the goodwill of clients. Those informal systems fail predictably once profit and performance incentives pull against restraint.

Expansion rewards profit. Clients reward performance. These incentives run counter to the caution that offensive power demands. Every company believes its culture will hold. History shows otherwise. Even principled executives face quarters where restraint looks like failure. Human virtue can steady a company for a while, but it rarely survives sustained pressure from market gravity. When the product itself is a form of power, relying on virtue alone becomes a structural flaw.

We have seen this movie before. Consider OpenAI. The organization engineered a governance structure specifically designed to arrest commercial drift: a non-profit board with the power to fire the CEO of the for-profit arm to protect the mission.2 It worked in theory. It failed in practice. The structure held only until the valuation hit eighty billion dollars.3 When the board exercised its power in November 2023, the market (investors and employees) revolted.4 The board purged. The mission recalibrated. If a capped-profit model can’t hold back commercial gravity in generative AI, it has zero chance of doing so in the shadows of offensive cyber.

This sector faces a singular risk: Advanced capability governed by ineffective oversight. The combination creates mechanical drift and an inevitable ethical failure mode. Like a snake eating its tail, it may also destroy the market itself.

Design offers the remedy. Structure must make restraint rational.

The Risk Model

The risks facing any offensive firm are structural, distinct from intent. They emerge when advanced capability scales faster than the systems built to govern it. Three drivers compound this risk.

First, capability scale outpaces control. The economics of offense have inverted. While a high-equity iOS zero-day now commands up to $7 million on the white market5, the “low-equity” alternative (administrative access via stolen credentials) sells on the dark web for as little as $500.6 Why spend millions on a bespoke exploit when you can buy the login for the price of a laptop? As the marginal cost of power falls, boutique tradecraft becomes a commodity. Speed kills oversight.

China provides the structural warning. In 2025, Beijing mandated “Attack-Defense Labs” for commercial testing firms, dissolving the barrier between research and warfare.7 Consider Integrity Tech, a leading commercial cyber-range developer in China. Their internal research unit, ‘KRLab,’ breached the bounds of defensive testing. Forensics linked it to ‘Sparrow’, a botnet used by the state-sponsored Flax Typhoon actor to execute file transfers and remote commands.8 Scale turned a vendor into a combatant.

Second, a capital mismatch bifurcates the market. Venture capital chases returns that pure service models cannot deliver. Cybersecurity SaaS companies trade at 28x EBITDA (roughly 8x-12x revenue)9, while traditional defense services lag far behind, often valued at 17x EBITDA (roughly 1.2x revenue).10 To bridge this valuation gap, investors pressure firms to “productize” their tradecraft, turning human-led consulting into push-button software platforms. Productizing the kill chain removes the human judgment required to say “no.”

Finally, opaque channels obscure reality. As distributors and integrators multiply, the firm loses sight of the end user. Informal trust replaces verified compliance.

These drivers trigger predictable failure modes. The Raven Effect (named for the infamous Project Raven) remains the graveyard of good intentions. In 2014, CyberPoint International deployed American contractors to the UAE for a State Department-approved defensive mission.11 By 2016, operations migrated to DarkMatter, a local entity with annual revenue in the hundreds of millions. The mission drifted from counter-terrorism to surveillance of human rights activists. Operatives deployed the ‘Karma’ exploit because the client owned the oversight structure. With engineers earning up to $1 million annually tax-free, the paycheck justified the target, overruling engineer intent.

Feature drift occurs when engineering teams optimize for performance, quietly eroding original safeguards. DBAPP Security, another Chinese firm, offers the warning. Their Starfire Lab developed “VShell” in 2021 as a defensive remote access tool designed for research. By 2025, European analysts identified it as a fully operational backdoor used by state-nexus threat actors.12 The code remained static; the mission shifted. Without governance, every defensive tool is one patch away from a weapon.

Once this drift begins, lawful customers inevitably misuse tools for surveillance beyond the agreed scope. Engineering teams tune for performance, quietly eroding original safeguards. The consequences are fatal: sanctions exposure, procurement bans, and reputational lockout. Once trust collapses, the firm becomes radioactive. NSO Group offers the definitive case study. By hiding behind secrecy, they invited collapse. In 2021, the firm held a valuation of roughly $2.3 billion.13 Months later, following public fallout and blacklisting, financial assessments deemed the equity effectively “valueless.” The technology remained strong; the business evaporated.

The Design Lens

The objective is a constitution for private enterprise.

Constitutions emerged when early republics learned that good Generals make poor judges. We often mistake governance for bureaucracy, but in high-stakes environments, they are opposites. Bureaucracy slows motion; governance stabilizes it. The founders of modern republics understood this distinction. When James Madison wrote in Federalist No. 51 that “ambition must be made to counteract ambition,” he was describing a mechanical necessity.14 He argued that because men are not angels, external controls must supply the defect of better motives.

The offensive cyber industry is currently relying on angels. It needs a Madisonian correction.

In economic theory, this is known as a Commitment Device: a binding mechanism that forces a rational actor to stick to a long-term plan, even when short-term incentives scream to defect. We see this in engineering as well. A conductor’s virtuosity has no bearing on the safety of a train. It is safe because a “dead man’s switch” automatically arrests momentum when human control fails.

The same logic applies here.

A healthy offensive cyber company must mirror a constitutional democracy: execution drives capability, leadership sets law, and oversight interprets limits. Without this separation, velocity turns into instability.

A credible constitution requires a mission-locked charter connecting profit to lawful purpose and a guardian share to enforce non-negotiable boundaries. It demands independent committees with the power to veto and cryptographic systems that translate policy into code.

Incentives must align culture with control. This framework allows scale without moral drift. It converts ethical aspiration into operational reality.

The Control Architecture

We must translate the constitutional framework into operational controls. I propose four mechanisms: independent authority, technical verification, aligned incentives, and structured transparency.

First, sever the command chain through independent authorities. Effective oversight requires genuine separation between growth and governance. The Thomson Reuters Founders Share Company has held a single “Golden Share” since 1984.15 It works. We must adapt this for cyber through a mission-locked charter that binds directors to a dual mandate of profit and lawful public purpose. It requires a Guardian Foundation, a perpetual entity holding a control share with veto rights over sensitive actions like new country entry or capability expansion. These structures must be supported by independent committees with subject-matter depth in human rights and export control, exercising negative control over approvals.

Next, code the constraints with technical verification mechanisms. Legal independence means nothing without technical enforcement. Code formalizes principle with technocratic precision. The industry standard of relying on “end-user agreements” is dead. NSO Group and Candiru proved that export licenses are paper shields; both firms operated under strict oversight yet sold to clients who weaponized their tools against journalists.16 We must replace trust with code. Two-key operations require dual authorization (customer and trustee) executed through hardware security modules to prevent unilateral action. Immutable logging hashes every command into a write-once ledger, creating verifiable proof of conduct without exposing intelligence details. Finally, cryptographic kill-switches provide revocation capabilities to deactivate systems that breach policy.

Third, align incentives by taxing the risk. These controls will fail if the payout for breaking them is high enough. Culture follows compensation. If you sell to a gray-zone client, your bonus should evaporate. Oversight endures only when reward systems reinforce it. Executive metrics must tie bonuses to audit performance and incident closure speed. If material policy violations occur, bonuses must hit zero, scaling to the severity of the breach. The sales architecture must also weight revenue from approved markets higher than high-risk territories. Mechanism design turns integrity into routine behavior.

Finally, we must weaponize disclosure through intentional reporting. Use transparency to kill competitors who rely on secrecy. Visibility stabilizes ecosystems. This requires a tiered approach: full access for the board to policy attestations, aggregate reporting for regulators, and public summaries for the market. Firms that practice structured disclosure, like Palantir, build resilience. Firms that hide behind secrecy, like NSO, invite collapse.

Governance as Competitive Advantage

Power accelerates by nature. Ethics often resist acceleration. The future of this industry depends on mastering that tension.

We must stop viewing oversight as a cost center. Strong governance improves competition and enterprise performance. Ungoverned cyber firms are valuation traps. They command the revenue multiples of SaaS firms yet carry the tail risk of illicit arms traders. One sanctions listing can drive revenue to zero overnight. Proper governance secures the valuation. It lowers the cost of capital by capping that legal tail risk. It converts a toxic asset into a defense prime.

It also secures the talent. The “cool factor” of classified work no longer outweighs the stigma of surveillance. With 79% of developers citing ethical risks like misinformation, security, and illicit code use as a primary anxiety, retention becomes a function of mission legitimacy.17 Top talent votes with their feet. Governance creates magnetism, drawing high-end engineers who want to handle power responsibly.

Finally, it guarantees access. Government buyers favor vendors who document lawful control. When trust collapses, the firm becomes radioactive. Governance builds crisis resilience, providing evidence that outweighs assurances when pressure mounts.

An offensive-security company earns trust when its structure forces deliberate movement: fast when it must be, careful when it should be. The measure of integrity is the presence of brakes that work every time they’re needed. We measure maturity in this business by the discipline to slow down when power wants to accelerate.

References

Footnotes

  1. From Chaos to Capability - Dartmouth ISTS

  2. Our structure - OpenAI

  3. Inquiry Into Ouster of OpenAI’s Chief Executive Nears End - The New York Times

  4. Sam Altman to Return as OpenAI CEO With a New Board - Bloomberg

  5. Price of zero-day exploits rises as companies harden products against hackers - TechCrunch

  6. 2025 Global Threat Report - CrowdStrike

  7. Sleight of hand: How China weaponizes software vulnerabilities - Atlantic Council

  8. Flax Typhoon using legitimate software to quietly access Taiwanese organizations - Microsoft Security Blog

  9. State of the Cloud 2024 - Bessemer Venture Partners

  10. Enterprise Value Multiples by Sector (US) - NYU Stern Sector Data by Aswath Damodaran

  11. Project Raven: How ex-NSA operatives turned UAE into a hacking power - Reuters

  12. China’s Cybersecurity Companies Advancing Offensive Cyber Capabilities Through Attack-Defense Labs - Natto

  13. EY valued NSO Group at $2.3bn months before emergency bailout - FT

  14. Federalist Nos. 51-60 - Federalist Papers: Primary Documents in American History

  15. The Trust Principles - Thomson Reuters

  16. Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus - The Citizen Lab

  17. Stack Overflow Annual Developer Survey - Stack Overflow