Charles Lyons-Burt 
Debbie Gordon has been building companies for nearly three decades, launching and leading a series of technology ventures — including guiding one through a successful acquisition — long before she entered the cybersecurity arena. She began her career in the technical education sector in the mid-1990s, a time when IT certifications provided a direct path into the workforce. As cyber threats intensified and traditional training models proved insufficient, Gordon saw an opportunity to rethink how practitioners build real-world readiness.
She founded Cloud Range in 2018 to fill that gap, creating a platform that gives cyber defenders hands-on, simulation-based experience against live, realistic attacks. Today the company supports public- and private-sector organizations worldwide as they work to strengthen their security teams’ preparedness.
Gordon spoke with ExecutiveBiz recently for her first Spotlight interview, discussing the future of AI in cyber defense, overlooked vulnerabilities in operational technology and critical infrastructure, and the workforce experience challenges that continue to shape the cybersecurity landscape.
Join elite GovCon founders and CEOs like Debbie Gordon at Potomac Officers Club’s first-ever 2026 GovCon Executive Leadership Summit on Feb. 26. At the event, industry leaders will compare notes and develop strategies for pressing topics like defense tech, acquisition reform and more. Register now!
ExecutiveBiz: Where do you think AI is headed next?
Debbie Gordon: Our platform is what’s called a cyber range. It’s a safe environment, like a driving range or a shooting range, where you can go practice something. In our case, Cloud Range is a cloud-based cyber range that represents a complex enterprise network. It has traffic, network activity and live cyberattacks in it, and we’re constantly developing new scenarios.
AI plays a huge part in this for a couple of reasons. First, there are AI-generated attacks. A lot of people don’t fully understand what that means or how it’s different from a human-generated attack, but AI-driven attacks can move much more quickly and, unfortunately, more effectively on offense. It’s important that defenders know how to defend against AI-based attacks because they will be faster and more effective for the bad actors. That makes it even more critical for defenders to know what to look for, how to recognize those attacks, and how to respond.
Second, AI is being used as a tool for defense. There are many ways AI is being integrated into security operations centers and incident response processes to expedite, facilitate, and increase the efficiency and effectiveness of cyber defense. Cyber professionals know there are thousands of alerts on a company’s network at any given time, much of it noise. There have been tools for years to aggregate data and filter certain things out, but AI takes that to the next level. It helps people get to the real issues they should be looking at rather than spending time sifting through noise.
At the same time, using AI requires critical thinking. Charles, you probably use ChatGPT all the time. You have to know whether its response is accurate or a hallucination. If you just put a query into ChatGPT, take the answer at face value, and run with it, you’re going to have problems, because we’ve both seen it be wrong. The same goes for cybersecurity. People can’t simply depend on AI. It’s a tool, not a replacement for what humans need to do. It makes the work easier and reduces the time it takes to do specific tasks, but people still have to apply critical thinking, both when they evaluate what AI produces and when they decide how to structure and run their queries in the first place.
EBiz: What is an area of your business (or the services and products you provide) that could benefit from autonomous tech or automation?
Gordon: Oh, we use automation all over the place. We use it in coding, documentation, product acceleration, and of course in general business functions. I was actually on a webinar this morning where they were talking about how to make sure people use AI safely — what you should or shouldn’t put into ChatGPT to stay secure. A lot of people don’t know that. So it’s important for any organization to make sure employees understand how to use these tools responsibly, not just in product development but in everyday tasks like figuring out how to do something or getting help with a presentation.
You want to be sure they’re not putting confidential information into a system or feeding models with data that shouldn’t be exposed, because that can lead to incorrect information coming out the other side.
EBiz: You started the business in 2018. Were you already using automation then? And when chatbots and generative AI really hit the market a few years ago, was that a major pivot point for the business, or more of an incremental shift?
Gordon: We’ve used automation from the beginning. Very little of what we do has ever been manual. All of our attacks are built to be automated. What’s changed recently is the speed. Automation and AI have expedited our ability to be more proactive. If we learn about a new attack, a type of malware, or a threat group, we can replicate it much faster than we could even a year ago. That means our customers get access to very advanced attacks sooner. We can test, QA and deploy faster. It really improves everything across the board.
EBiz: Pivoting to the cyber landscape, what’s a federal cyber vulnerability that is under-discussed and needs more attention from industry partners and integrators?
Gordon: Operational technology and critical infrastructure — which overlap but aren’t always the same — are major areas of vulnerability that don’t get enough attention. In OT environments especially, there are countless vulnerabilities simply because many organizations don’t have complete documentation of their assets. They don’t always know what all their endpoints are or where their weak points lie.
Critical infrastructure takes that to another level. Most OT touches critical infrastructure in some way, and when that’s compromised, human lives, public safety and basic functioning are at risk. So while you referred to it as a federal vulnerability, it’s really a global one that affects all of us.
Another challenge is ownership. In many organizations, there’s still confusion over who’s responsible for cybersecurity in OT environments. Is it the OT teams on the plant side? Is it the IT or cyber teams? Until organizations clearly define that responsibility, the risk will continue because people default to thinking, ‘that’s not my job.’
The third piece is lack of understanding about how attacks on critical infrastructure actually happen. Many people don’t realize that an attack can originate on the IT side and move into OT, or vice versa. That’s where we come in. We can show a live simulation of an OT attack and give teams hands-on opportunities to detect, respond and defend. That visibility — seeing how an OT attack unfolds and practicing responses — is what truly reduces risk for organizations that operate critical infrastructure.
EBiz: What’s one anecdote or example from a government customer where you felt the impact was especially significant, maybe in OT or critical infrastructure?
Gordon: Honestly, every single one. The nature of what we do is that the impact is immediate; it’s not something where you wait years to see improvement.
One example that stands out is a two-week military exercise we supported in the Midwest. It included military personnel, critical infrastructure operators and regional stakeholders. Watching the “aha” moments in real time — seeing people understand something for the first time and immediately apply it — was incredibly powerful. They were working together to solve what are essentially complex cyber puzzles, and they succeeded.
We saw immediate improvement in time to detect and time to respond. That’s hugely gratifying for us because in government, military and critical infrastructure environments, this is truly a life-safety issue. Being able to help them strengthen those skills in real time matters.
EBiz: What’s the most significant workforce shift you’ve seen over the last decade and how has it impacted Cloud Range?
Gordon: The biggest workforce shift has been the massive talent shortage in cybersecurity. I actually think of it less as a skills shortage and more as an experience shortage. Plenty of people have skills. They graduate from university programs or earn certifications, but they still can’t get a job because they don’t have real experience. I get messages on LinkedIn all the time from people saying, “I just graduated from X” or “I just earned this certification, but I still can’t find a job — what should I do?” And at the same time, organizations have empty seats they can’t fill. It’s a real conundrum.
One of the biggest trends we’re seeing is in higher education. Cloud Range has two parts of the business: we work with public and private organizations to proactively upskill their cyber defense teams, and we also implement that same cyber range platform into higher-ed curricula. Students get the opportunity to build hands-on experience so they can walk into an interview and say, “I’ve done this before.” Yes, it was in a safe environment on the Cloud Range cyber range, but they’ve defended against distributed denial-of-service—or DDoS—attacks, supply chain attacks, man-in-the-middle attacks, ransomware — you name it. Those investments from higher education programs are making a huge impact by actually preparing students to get jobs.
The other major shift over the last eight to 10 years is that security leaders now recognize they have to retain the people they already have. It’s much harder to replace someone than to keep them. So they’re asking how they can invest in ongoing training, build meaningful career paths, and keep people engaged and effective. In the public sector especially, it’s tough because someone can leave and make significantly more money in big tech. But many people are deeply mission-driven and love serving in government. With the right tools and planning, organizations can really retain and grow their talent.
