Mike Wiacek is the CTO and Founder of Stairwell. He is passionate about security and building a team culture rooted in collaboration, honesty, and a dedication to helping customers outsmart attackers. Before founding Stairwell, Mike was the co-founder and Chief Security Officer of Alphabet’s Chronicle and also founded Google’s Threat Analysis Group.
Stairwell is a cybersecurity company that helps organizations detect and respond to threats using a data-first approach. Its platform continuously collects and analyzes files across time, enabling real-time monitoring, retrospective threat hunting, and AI-powered insights. With advanced static and behavioral analysis, Stairwell equips security teams to identify zero-day threats and make informed decisions faster.
You founded Stairwell after leading security efforts at Google TAG and Chronicle. What gap did you see in the cybersecurity landscape that convinced you it was time to build something new?
After leading security at Google TAG and building Chronicle, I saw the same broken pattern play out everywhere: threat intel teams worked pre-attack, SOCs during, and IR teams afterwards, all trying to answer the same fundamental question with different tools, different data, and completely different mindsets. No continuity. No shared truth. It wasn’t that the idea was wrong — it’s that the implementation was.
Most of the industry is built around logs. But logs are bespoke measurements. They’re interpretations. Observations. They’re brittle, and they’re built to answer yesterday’s questions. If the log didn’t capture it, you’re out of luck. And worse still, log volume growth is costly and unsustainable.
Enterprises forget about their most important asset – the raw files. The executables, scripts, DLLs: that’s where the truth lives. Files don’t lie. They don’t change depending on who’s observing them. And if you have the raw artifacts, you can do something no log-based tool ever could: match similarity, detect variants, discover relationships, and answer every question across all time.
So I built Stairwell to unify all of this. One platform. One source of truth. Continuously analyzing what’s actually running in your environment — not just what’s being logged about it. When every team works from the same evidence, they all get better. Faster triage. Smarter detection. Deeper investigations. That’s how we stop fighting yesterday’s breach and start getting ahead of the next one.
Stairwell aims to give defenders the ability to think like attackers. How does your platform practically enable this, and what types of organizations benefit most from that approach?
Attackers don’t wait for alerts. They don’t operate in silos. They don’t care about your log retention policy, risk appetite, or budgetary concerns.
They learn your tools, evade your controls, and chain together files, infrastructure, and timing to quietly reach their goal. Defenders need to do the same — think in relationships, not alerts. That’s the mindset Stairwell gives you.
Practically, this starts with visibility into everything that runs. We collect and preserve raw artifacts — executables, scripts, loaders, payloads — and continuously analyze them. Not just when they’re first seen. Forever. That means you can hunt like an adversary: find a dropped file, pivot to its variants, identify the loader, trace it to infrastructure reuse, and uncover every stage of the campaign.
You don’t need to reverse engineer every sample. Stairwell automates that. You don’t need to guess what a file is doing. Stairwell’s Intelligent Analysis tells you. You don’t have to wonder what else looks like it. Stairwell’s Variant Discovery shows you.
Who benefits? Anyone tired of flying blind.
If you’re a high-value target — critical infrastructure, finance, defense — you can’t afford guesswork. If you’re a lean team, Stairwell turns you into a force multiplier. If you’re drowning in alerts, we help you cut through the noise and run every alert to ground.
Bottom line: attackers think in relationships. Now defenders can, too – with a bird's eye view of everything, always.
Your background includes work at the NSA, Google, and Chronicle. How did those experiences shape your understanding of nation-state and persistent threats, particularly in relation to protecting critical infrastructure?
I think about security as a data search problem. Let’s collect, store and analyze as much data as possible and find answers to questions within that data. The missing piece of data for most organizations is their actual files. Your files are your most valuable asset. Security teams at enterprises can’t answer the most basic question: is any of your threat intelligence found on your CEO’s laptop? Stairwell lets you know immediately and continuously thereafter.
Stairwell manages over 8 billion file sightings using Google Cloud Bigtable. What were the biggest engineering hurdles in building a threat analysis system that operates at this scale?
One of the things we are most proud of is that we have found an engineering solution to efficiently gather, store, and analyze every executable file in an enterprise. We continuously analyze these files against our malware corpus, YARA rules, and threat reports. Any new file is investigated within seconds. Interestingly, the process is so lightweight that customers often ask us to check whether the files are actually being collected. When we show them it is working, they are often surprised at how little CPU it uses.
You’ve said you want Stairwell to do for cybersecurity what Google did for search. What does that mean in terms of user experience and product direction?
We are effectively a search engine for your executables and related files. We allow security teams to answer questions about their files. Questions like: is this file malware? Are there any variants of this file anywhere in our systems? Which endpoints have this malware? Is this recently identified vulnerable file on any of our devices? Is this file common? Does it have common siblings anywhere else? Where is it? And WHEN did it arrive?
One of Stairwell’s core strengths is its ability to conduct proactive and retrospective threat hunting—meaning it can both detect active threats and uncover past attacks that may have gone unnoticed. How does this approach differ from traditional security tools like SIEMs (Security Information and Event Management systems) or EDRs (Endpoint Detection and Response platforms), which often focus on real-time alerts?
Traditional tools like SIEMs and EDRs are built for now. They focus on real-time alerts and point-in-time detections. Useful in the moment, but blind to anything that didn’t trigger a rule, or that slipped past when no one was looking.
Stairwell works differently. We don’t just ask what happened. We ask what has ever been in your environment.
We preserve and continuously analyze raw files — every executable, every script — across all time. So even if something was deleted, renamed, repacked, or dormant, you can still find it. Still analyze it. And still run it to ground.
That means you can hunt proactively before the alert. And retrospectively after the breach — even months later, with full context and full history. Try doing that with a SIEM that aged out its logs or an EDR that only sees what’s running right now.
Stairwell gives you the power to ask: “Has this ever been in our environment?” And get a real answer, not just “not recently” or “we can’t tell.” That’s the difference.
With growing interest from federal organizations in AI and threat detection, how do you see Stairwell’s AI models contributing to defense at the national level?
Federal defenders don’t need more dashboards. They need faster answers, clearer intent, and tools that keep up with adversaries who iterate faster than the government procurement cycle.
Stairwell’s approach to AI isn't just bolted-on classifiers. It's built on top of a deep foundation of billions of real-world artifacts, global file prevalence, variant lineage, and years of threat behavior. We combine static and behavioral feature extraction with structured LLM prompting to explain why something matters — not just flag that it might.
That means we can give national-level defenders what they rarely get:
- Instant reverse engineer–level insight into suspicious files…all of them. We force attackers into a lose-lose scenario: Either be identical to ‘goodware’, or be unique and get caught. There’s no middle ground, and we exploit that.
- Context-rich answers about intent, functionality, and relationships
- Variant-aware detection that doesn’t break when adversaries repack or rename their malware. In fact the more adversaries pack, the more they stand out!
AI is hastily being used by vendors to automate what's always been done. We're using AI to solve problems in the way that they should have been solved in the first place, but we never had the technology to accomplish.
We already think like the adversary. Our models are trained to dissect, attribute, and pivot. That’s exactly what federal agencies need — not just more alerts, but the ability to understand and respond before the next campaign hits.
Security teams are often overwhelmed with alerts and false positives. How does Stairwell help reduce that noise while still surfacing the most critical threats?
Stairwell helps security teams operationalize their threat intelligence. One of the hardest parts of security is finding out which endpoints have been infected with malware. Stairwell identifies those devices in seconds. Stairwell Intelligent Analysis, our AI-powered feature, makes file triage trivial. Our Run-to-Ground capability, meanwhile, uses the prevalence of files within your enterprise and across all enterprises to make targeted malware almost impossible to operate.
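The questions raised in these answers (which endpoints have this file, when did it arrive, has it ever been in our environment, and how common is it) can be sketched as queries over a preserved file corpus. The following is an added illustration written for this page; it is not Stairwell’s code or data model. The in-memory store, the function names, the byte-pattern rule standing in for a YARA rule, and the sample host sightings are all constructed for the example.

```python
"""Retrospective hunting over a preserved file corpus (constructed example).

Hypothetical in-memory store: every executable ever seen is kept by SHA-256
together with the hosts, paths and times it was sighted on. Three queries:
  1. ever_seen:   has this hash ever been here, on which hosts, and when,
                  including files since deleted from the endpoint
  2. hunt:        run a detection rule that arrived today over everything
                  ever preserved, not just what is on disk right now
  3. prevalence:  how many hosts ever had the file, to rank triage by rarity
Illustrative code only, not Stairwell's implementation or data model.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Sighting:
    host: str
    path: str
    first_seen: datetime
    last_seen: datetime
    present: bool  # False once the file was removed from that host/path


@dataclass
class Artifact:
    sha256: str
    content: bytes  # raw bytes are preserved so later rules can run on them
    sightings: list[Sighting] = field(default_factory=list)


class FileCorpus:
    def __init__(self) -> None:
        self.artifacts: dict[str, Artifact] = {}

    def record(self, host: str, path: str, content: bytes,
               seen_at: datetime, present: bool = True) -> str:
        """Store the bytes once per hash; track each (host, path) sighting."""
        digest = sha256_hex(content)
        art = self.artifacts.get(digest)
        if art is None:
            art = self.artifacts[digest] = Artifact(digest, content)
        for s in art.sightings:
            if s.host == host and s.path == path:
                s.last_seen = max(s.last_seen, seen_at)
                s.present = present
                break
        else:
            art.sightings.append(Sighting(host, path, seen_at, seen_at, present))
        return digest

    def ever_seen(self, sha256: str) -> list[tuple[str, str, bool]]:
        """'Has this ever been in our environment?' -> (host, first arrival, still present)."""
        art = self.artifacts.get(sha256)
        if art is None:
            return []
        return sorted((s.host, s.first_seen.isoformat(), s.present) for s in art.sightings)

    def hunt(self, rule: bytes) -> list[tuple[str, list[str]]]:
        """Apply a byte-pattern rule (stand-in for a YARA rule) to every preserved file."""
        rx = re.compile(rule)
        return [(a.sha256, sorted({s.host for s in a.sightings}))
                for a in self.artifacts.values() if rx.search(a.content)]

    def prevalence(self, sha256: str) -> int:
        """Distinct hosts that ever had the file; 1 means unique to one machine."""
        art = self.artifacts.get(sha256)
        return len({s.host for s in art.sightings}) if art else 0

    def rarest(self, limit: int = 3) -> list[tuple[str, int]]:
        """Lowest-prevalence files first: the natural triage order."""
        ranked = sorted(self.artifacts.values(), key=lambda a: self.prevalence(a.sha256))
        return [(a.sha256, self.prevalence(a.sha256)) for a in ranked[:limit]]


# Constructed sample data: a vendor updater on 50 hosts and a one-off dropper
# on a single host that was deleted two days after it landed.
COMMON = b"MZ\x90\x00" + b"vendor-updater" * 4
DROPPER = b"MZ\x90\x00" + b"stage0 loader; beacon to c2.invalid-example.test"
ROLLOUT = datetime(2024, 1, 10, 9, 0)
DROP_TIME = datetime(2024, 1, 12, 14, 30)
DROP_PATH = r"C:\Users\alice\AppData\Local\Temp\inv.exe"


def build_sample_corpus() -> FileCorpus:
    corpus = FileCorpus()
    for n in range(50):
        corpus.record(f"host{n:02d}", r"C:\Program Files\Vendor\updater.exe", COMMON, ROLLOUT)
    corpus.record("host07", DROP_PATH, DROPPER, DROP_TIME)
    # the dropper is gone from disk, but its bytes and arrival time are preserved
    corpus.record("host07", DROP_PATH, DROPPER, datetime(2024, 1, 14, 8, 0), present=False)
    return corpus


if __name__ == "__main__":
    corpus = build_sample_corpus()
    dropper = sha256_hex(DROPPER)
    print("ever seen:", corpus.ever_seen(dropper))
    print("new rule:", corpus.hunt(rb"c2\.invalid-example\.test"))
    print("prevalence:", corpus.prevalence(dropper), "vs", corpus.prevalence(sha256_hex(COMMON)))
    print("rarest:", corpus.rarest(1))
```

The point of the toy is the ordering of operations: the rule for the dropper's beacon string arrives after the file has already been deleted from host07, yet the hunt still returns the host and the original arrival time because the bytes were preserved on first sight. Prevalence then does the triage for free: a file on one host out of fifty sorts to the top, while the updater present on all fifty sorts to the bottom.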
Attackers are increasingly using AI to create more evasive and constantly evolving threats. How is Stairwell helping defenders keep pace with this shift in offensive techniques?
In a world where AI can be used to easily create ‘zero day’ malware that nobody has ever seen before, security approaches are being tested. Traditional tools like EDRs, which use signatures and behavioral-signature approaches, are blind to new malware. Stairwell analyzes what the file is written to do. Stairwell is well placed to find never-before-seen malware created by AI because it uses file analysis and data search techniques to investigate.
What’s the most common misconception security leaders have about their threat posture—and how does Stairwell help close that gap?
The world has accepted the notion that EDRs are perfect. The reality is they provide a false sense of security. Unfortunately, EDRs rely on behavioral signatures and must be updated every day. Their weakness is that they don’t analyze the files on every device, every day. Stairwell is the next generation of security, using signal intelligence, including your enterprise’s files, to bring a data search approach to security and investigate malware in seconds.
Finally, how do you define success—not just in business terms, but in terms of impact on defenders and the cybersecurity community as a whole?
Success can be many things, but there is nothing better than getting a call from a customer saying that Stairwell found a piece of malware on a device, or on a USB drive, that the EDR or other security tools missed, and prevented the malware from being transferred to another system.
Thank you for the great interview. Readers who wish to learn more should visit Stairwell.
The post Mike Wiacek, Founder and CTO of Stairwell – Interview Series appeared first on Unite.AI.