Jay Wallace’s path into cybersecurity wasn’t linear, but it quickly became mission-focused. After transitioning from finance into cyber and working with companies like Duo Security, he found himself increasingly involved in government-facing work, where the impact of cybersecurity extends beyond enterprise risk to national security outcomes.
Today, as vice president of global go-to-market at VulnCheck, Wallace helps drive adoption of the company’s vulnerability and exploit intelligence platform, which is used by government agencies, enterprises and cybersecurity providers to better understand and prioritize risk. VulnCheck’s focus on delivering timely, actionable data, including through a widely adopted community edition, reflects a broader push to make high-quality threat intelligence more accessible across the cybersecurity ecosystem.
In this Spotlight interview, Wallace discusses supply chain risk across the defense industrial base, the evolution of CMMC compliance, VulnCheck’s community-driven approach to threat intelligence and the company’s global growth strategy.

ExecutiveBiz: Can you talk about a key national security priority VulnCheck is helping support right now?
Jay Wallace: I think where we find ourselves is somewhere between the defensive and offensive mission cycle. Recent events and conflicts highlight something that’s been going on for many years, which is cybersecurity directly supporting mission operations inside government.
One of the biggest priorities we see is supply chain risk across the defense industrial base. You’ve got a huge number of small and mid-sized contractors that meet very specific requirements to support government missions, but they don’t have large cybersecurity teams or mature mitigating controls in place.
That creates a real risk. It could be something as simple as an HVAC contractor working on a military base, all the way up to large integrators. Either way, they’re part of the mission, and vulnerabilities in that ecosystem can have national security implications.
That’s why you’ve seen initiatives like CMMC. The government recognized that this is a broad, systemic risk and that cybersecurity across the supply chain needed to be strengthened.
EBiz: You mentioned smaller contractors. How should they be thinking about cybersecurity affordability and access?
Wallace: The affordability challenge is very real, especially for smaller supply chain vendors. Many of them don’t have hundreds of thousands or millions of dollars to invest in a full-scale cybersecurity program or a large threat intelligence platform.
That’s part of why we launched a community edition of VulnCheck. We’re approaching about 15,000 community members today, and that includes government agencies, managed service providers, independent researchers and small consulting firms.
A lot of these organizations aren’t looking for something massive. They’re looking for very practical answers, like, “I own a lot of Cisco. Are there vulnerabilities I should be aware of, and are they being exploited?”
So we provide a known exploited vulnerability list with reference URLs, evidence of exploitation in the wild and access via API or offline data. It’s designed to be usable, whether you’re integrating it into a platform or working in a more constrained environment.
There’s a lot of talent out there that just doesn’t have big budgets, and we’re trying to meet those users where they are and give them something actionable.
EBiz: What advice would you give contractors navigating CMMC requirements?
Wallace: The biggest piece of advice is to understand what level of CMMC you actually need. Not everyone needs to comply with the same level, and that’s where a lot of confusion comes in.
For example, level one is essentially a basic NIST audit. It’s not overly complex, and if you’re already SOC 2 compliant, you’re likely already close. You just need to map your controls to the framework.
There are also companies now using artificial intelligence to help automate parts of that process. It can be faster, more affordable and still meet the government’s requirements.
If you’re working in top secret environments, though, that’s a totally different situation. CMMC is just one of many requirements you’ll have to meet.
I think CMMC 2.0 is a reflection of the reality that not every contractor can be treated the same. With budget constraints and payment delays, some organizations simply can’t implement the same level of controls.
So it’s good to see it broken into tiers. But overall, I’d say start with education, understand your requirements and then look for resources or partners that can help you close the gap.
EBiz: How are you seeing organizations approach threat intelligence and vulnerability data today?
Wallace: There’s been a noticeable gap in the market for reliable vulnerability data, especially with some of the disruption around traditional sources.
Organizations don’t just want a list of vulnerabilities anymore. They want to know what’s actually being exploited and what matters most in their environment.
One of the challenges is fragmentation. A single threat actor might have multiple names depending on the vendor, which creates confusion for defenders trying to respond.
What we focus on is normalizing that data. We map aliases, identify which vulnerabilities are being targeted and provide context on who those actors are going after.
By the time it reaches our customers, it’s clean, structured data that can be piped directly into their tools. The goal is to remove the guesswork and make it easier to take action.
EBiz: How are you supporting VulnCheck’s growth strategy in your role?
Wallace: We’ve been focused on growing responsibly. We didn’t follow the “grow at all costs” approach that a lot of the industry went through over the last decade. Instead, we’ve been very deliberate about scaling the business.
Right now, about 60 to 65 percent of our revenue comes from North America, around 30 percent from EMEA and the rest from APAC.
We’re expanding internationally based on those market signals. We recently announced a UK headquarters and have built out a team in Singapore, where we’re also seeing strong customer growth.
We’re continuing to invest heavily in research and development. That’s core to what we do. At the same time, we’re scaling the go-to-market team to keep pace with demand, but doing it in a way that’s sustainable.
We believe we have a strong product, and the focus is on continuing to innovate while growing the business in a disciplined way.
Who Is Jay Wallace?
Jay Wallace is the VP of global go-to-market at VulnCheck, where he leads global revenue strategy and market expansion. He has held leadership roles at runZero, Sqreen, LightStep and Duo Security, building and scaling cybersecurity sales and go-to-market organizations. Wallace began his career in finance before transitioning into cybersecurity, where he now focuses on supporting mission-driven security efforts across government and enterprise environments.
What Is VulnCheck?
VulnCheck provides vulnerability and exploit intelligence that helps organizations outpace adversaries by identifying and prioritizing the risks that matter most. Its platform delivers data on known exploited vulnerabilities, threat actors and attack activity, enabling government agencies, enterprises and cybersecurity vendors to act quickly and effectively. VulnCheck supports billions of assets worldwide and offers both enterprise and community editions to expand access to actionable threat intelligence.



