CEO.com Podcast | Dispatch from the frontier of leadership

Varun Badhwar, Founder & CEO of Endor Labs, joins Clint Betts for a conversation on AI, cybersecurity, software supply chains, data centers, and the future of software development.

After helping pioneer cloud security with RedLock, Varun founded Endor Labs around a simple but powerful idea: modern software isn't written from scratch—it's assembled from open-source components, third-party libraries, and increasingly, AI-generated code. As AI accelerates software development, security can no longer be treated as an afterthought.

In this episode, Varun explains why software supply chain security has become one of the most critical challenges in technology, how AI is changing both cyberattacks and cyber defense, and why every organization must rethink how software gets built.

00:00:00 - Introduction and Varun's Background
00:00:39 - The Concept of Software Assembly
00:01:10 - Security Challenges in Software Development
00:02:30 - AI and Cybersecurity Vulnerabilities
00:03:08 - Importance of Cybersecurity in the Age of AI
00:04:51 - Understanding Software Supply Chain Security
00:08:36 - Protecting Against Software Supply Chain Attacks
00:09:09 - Open Source Security and OpenClaw
00:11:15 - Embedding Security in Software Development
00:12:04 - On-Prem vs. Cloud Security
00:13:49 - The Scale of Code Rewriting Needed
00:17:34 - Public Perception of AI and Data Centers
00:21:40 - Token Costs and AI Utilization
00:22:50 - The AI Race with China
00:25:15 - A Day in the Life of a CEO
00:27:47 - Core Principles of Leadership
00:30:19 - The Importance of Giving and Taking Chances
00:31:43 - Closing Remarks and Gratitude

If you're interested in AI, cybersecurity, software engineering, cloud computing, technology infrastructure, or the future of software development, this conversation is packed with insights from one of the industry's leading thinkers.

What is CEO.com Podcast | Dispatch from the frontier of leadership?

Unfiltered conversations with public and private company CEOs. Navigating the AI shift. How they lead themselves and others. The people who gave them a chance.

Clint Betts: Varun, thank you so much for coming on the show. You’re the founder and CEO of Endor Labs. Tell us what Endor Labs is.
Varun Badhwar: Great to be here, Clint.
My background is really about building cybersecurity products at the intersection of major technology shifts.
Back in 2010, the big shift was moving from customized enterprise applications to SaaS. Then around 2015, it was the move from data centers to cloud platforms like AWS. I built a cybersecurity company called RedLock that became a leader in cloud security.
Then in 2021, I started Endor Labs because I had a thesis that software development is actually a misnomer. We should really call it software assembly.
Most developers don’t write most of their software anymore. They assemble it from open-source components. And today, in 2026, a huge amount of that code is generated by AI models.
Developers are increasingly acting as orchestrators, making sure all the pieces come together to solve a business problem.
Our belief was that we were heading toward a world where more people would produce more software than ever before, but much of that software would come from untrusted sources. Historically, that meant Stack Overflow, GitHub, and open-source repositories. Today, it also means AI-generated code trained on software from across the internet.
Some of that code is excellent. Some of it contains serious security problems.
For years there’s been a tradeoff between shipping software quickly and shipping it securely. Security has traditionally been expensive, time-consuming, and easy to deprioritize.
We wanted to change that.
Our goal was to make it possible to ship fast and ship securely. We wanted security to become a natural byproduct of software development instead of an obstacle to it.
And today, with AI-generated code becoming the norm, cybersecurity has become one of the biggest conversations in software development.
Clint Betts: We’re talking at a fascinating moment.
Anthropic recently talked about a model called Mythos that supposedly finds software vulnerabilities so effectively they won’t release it publicly.
How important is cybersecurity becoming in the age of AI?
Varun Badhwar: It’s incredibly important.
Historically, organizations often chose speed over security because there was always some hope that vulnerabilities might never be discovered.
That world is gone.
The reality today is that advanced AI systems will find virtually every security issue hidden inside software.
Anthropic deserves credit for the work they’re doing, but Mythos isn’t unique. OpenAI has similar capabilities. Google has similar capabilities. Some open-source models coming out of China are getting surprisingly good as well.
As defenders, we have to be right all the time.
Attackers only have to be right once.
They don’t need to find every vulnerability. They just need to find the one you missed.
And there’s still plenty of low-hanging fruit out there.
The big shift is that organizations can no longer assume vulnerabilities will stay hidden. Software has to be secure from the beginning.
Whether Anthropic releases Mythos or not doesn’t really matter. The capability already exists.
Clint Betts: Talk about software supply chain security. What does that mean?
Varun Badhwar: It goes back to the idea of software assembly.
Imagine a car manufacturer.
Every component in that vehicle comes from another supplier, but the manufacturer knows exactly who supplied each part, where it came from, and how it was built.
Software doesn’t work that way.
When developers build applications, they’re pulling together databases, logging frameworks, authentication libraries, and countless other components—many of them open source.
The problem is that we often have no idea who built those components.
We don’t know their motivations.
We don’t know whether they’re maintaining the software.
We don’t know whether their accounts have been compromised.
And yet we trust them.
There’s a famous Harvard study that estimated open-source software contributes over a trillion dollars of economic value.
That’s incredible.
But it also means critical infrastructure around the world depends on software maintained by individuals we’ve never met.
Sometimes that’s literally one person working out of a garage somewhere.
If that account gets compromised, or if someone malicious takes over the project, the impact can cascade across thousands of organizations.
That’s software supply chain security.
Attackers increasingly understand that compromising one widely used component is far more effective than attacking individual organizations one by one.
Clint Betts: It sounds like the attackers have a huge advantage.
How do companies defend themselves?
Varun Badhwar: One of the biggest lessons from projects like OpenClaw is that security can’t be an afterthought anymore.
Historically, companies would build something, find success, and only later think about security.
That model no longer works.
Today, security needs to be embedded directly into the software development workflow.
The good news is that AI can help.
The same technology making it easier to create vulnerabilities can also help prevent them.
At Endor Labs, we focus on giving developers security intelligence while they’re building software so secure development becomes the default behavior.
Clint Betts: Some people think the answer is keeping everything on-premises and avoiding the cloud entirely.
What’s your reaction to that?
Varun Badhwar: I think it’s largely a false sense of security.
I saw this firsthand during the transition to cloud computing.
Many organizations tried to avoid public cloud platforms because they were afraid of the risks.
Most eventually realized they couldn’t remain competitive that way.
I think AI is similar—but with even higher stakes.
Trying to slow down adoption isn’t a viable strategy.
The better approach is to embrace AI and build the right security controls around it.
The organizations that try to stop AI entirely are likely putting themselves at a competitive disadvantage.
Clint Betts: How much software needs to be rewritten because of AI and modern security concerns?
Varun Badhwar: Honestly, hundreds of billions—possibly trillions—of lines of code.
The scale is enormous.
To put it in perspective, a typical large financial institution often has between five and ten million known security findings across its software.
That sounds terrifying, but there’s an important caveat.
Not every finding represents a real risk.
The challenge is figuring out which vulnerabilities actually matter.
Traditionally, that process has been painfully manual.
Now we can use AI to triage those findings, identify the small percentage that truly matter, and focus efforts accordingly.
The next challenge is fixing them.
That’s where AI becomes important again.
We need agents that can understand old codebases, reason about vulnerabilities, and help automate remediation.
Because no organization has enough human developers to manually fix everything.
Clint Betts: Let’s talk about data centers.
Why are people pushing back against them?
Varun Badhwar: There are legitimate concerns.
Data centers consume enormous amounts of electricity.
They require significant water for cooling.
Many electrical grids are already operating near capacity.
That’s not discussed enough.
When you combine increasing energy demand, environmental concerns, water consumption, and local infrastructure impacts, it’s understandable why communities have questions.
At the same time, there’s tremendous pressure to build more capacity because AI demand continues growing.
We’re seeing companies explore nuclear power, new energy infrastructure, and even unconventional ideas to support future demand.
What’s interesting is that a few years ago everyone thought hardware was becoming less important.
Now hardware is arguably one of the hottest sectors in technology.
Clint Betts: You mentioned token costs becoming a major issue.
Can you elaborate?
Varun Badhwar: Absolutely.
For the last couple of years, many organizations have been treating AI as essentially unlimited.
But that won’t last forever.
Companies are beginning to realize they don’t know how to forecast AI spending.
I recently heard an example where an organization exhausted its annual AI budget within a few months simply because usage exploded.
Eventually companies will start asking tougher questions:
Which use cases generate value?
Which models should be used?
Where should smaller models replace larger ones?
Right now, everyone is experimenting.
The next phase will be optimization.
And that optimization will directly affect data-center utilization as well.
Clint Betts: What does winning the AI race against China actually mean?
People talk about it constantly, but it’s often unclear.
Varun Badhwar: I don’t view it primarily as an AI race.
I view it more as a supply-chain and infrastructure question.
AI requires massive amounts of compute.
Compute requires data centers.
Data centers require power.
The concern is that if the U.S. can’t build sufficient infrastructure quickly enough, that capacity will be built elsewhere.
China has demonstrated an incredible ability to build infrastructure rapidly.
From that perspective, there’s a strategic argument for maintaining critical AI infrastructure domestically.
Especially when you consider broader concerns around data privacy, security, and geopolitical risk.
Clint Betts: What does a typical day look like for you as CEO?
Varun Badhwar: These days, much more of my time is spent on product.
A few years ago, my time was split fairly evenly between product, go-to-market activities, and people.
Today, it’s probably 50% product.
Product-market fit evolves incredibly quickly now.
What worked six months ago might not work today.
So I spend a lot of time with our product teams, thinking about roadmap decisions, technology strategy, and partnerships.
I also spend a lot of time helping leaders challenge their assumptions.
One of the biggest mistakes organizations make is assuming that because something didn’t work six months ago, it still won’t work today.
AI is moving too fast for that mindset.
Clint Betts: How do you think about leadership in this environment?
Varun Badhwar: I’m a big believer in giving people opportunities to grow.
Just because someone hasn’t led at a certain scale before doesn’t mean they can’t.
I also think leaders today need to be both strategic and hands-on.
The old model of purely visionary leadership isn’t enough.
You need people who can think strategically and execute.
And perhaps most importantly, you need adaptability.
The leaders who assume yesterday’s playbook will continue working indefinitely are going to struggle.
The willingness to unlearn and relearn has become a critical leadership skill.
Clint Betts: We end every interview the same way.
At CEO.com, we believe the chances one gives are just as important as the chances one takes.
Who gave you a chance that helped get you where you are today?
Varun Badhwar: When I graduated with a computer science degree in 2006, I became fascinated with cybersecurity.
The problem was that very few companies hired recent graduates into security roles.
Most people entered the field after spending years in IT.
I joined KPMG in consulting and worked hard to get involved in security-related projects.
A manager named Vijay Jaju gave me that opportunity.
He allowed me to work on cybersecurity projects at large enterprises and helped launch my career.
That chance changed everything.
We still stay in touch today.
Clint Betts: Varun, thank you so much for joining us.
You’re working on what may be one of the most important challenges of the AI era. I really appreciate you taking the time.
Varun Badhwar: Thanks, Clint. Great chatting with you. See you soon.