Mitchell Sipus & North Star Labs Are Tackling Cybersecurity’s ‘Dwell Time’ Problem

  • North Star Labs CEO Mitchell Sipus’ experience building data collection businesses from developing nations taught him the value of providing high-quality data to decision-makers.
  • As a White House Presidential Innovation Fellow, he developed expertise in realizing mission outcomes, even if the approach is different from what was first envisioned.
  • Sipus sat down with ExecutiveBiz to talk AI, operational technology, IT and how ‘dwell time’ is shifting traditional cybersecurity operations.

Dr. Mitchell Sipus has always taken creative approaches to solving difficult problems. The North Star Labs CEO got his start in GovCon building ground-verified data for global government agencies and engineers from a refugee camp in east Africa.

This experience taught him the importance of high-quality data for government decision-makers. Over seven years, he expanded his data collection business into Afghanistan, Somalia, Iraq and Syria.

As a White House Presidential Innovation Fellow under Presidents Obama and Trump, Sipus developed an expert understanding of how to navigate the complex regulations and frameworks of GovCon and how to realize needed mission outcomes, even if the approach is different from what an agency first envisioned.

Sipus’ appearance at the Potomac Officers Club’s 2026 Cyber Summit on Thursday is a milestone for Sipus and North Star Labs—it’s the company’s public breakout moment in GovCon. North Star Labs, since its 2024 founding, has eschewed the typical press releases and marketing performed by GovCon startups. Instead, it has focused on building an exceptional team hailing from Massachusetts Institute of Technology and Carnegie Mellon University with proven experts in federal compliance and acquisitions.

The end goal is to deliver an extraordinary technology to federal customers and let the results, not the marketing, sell North Star Labs. Sipus sat down with ExecutiveBiz for his first Spotlight interview to discuss how federal technology officials should respond to AI applications that can identify zero days, which parts of government infrastructure are more exposed to cyber vulnerabilities and how dwell time is causing major cybersecurity shifts.

ExecutiveBiz: As advanced AI applications evolve like Anthropic’s Mythos, which can reportedly identify zero-days and other cybersecurity vulnerabilities, how should federal agencies respond to these advancements?

Mitchell Sipus: In addition to our work with the federal government, we spend a lot of time speaking with leaders at major telecom companies, global financial institutions and large cybersecurity firms. Everyone is asking the same question right now because these frontier AI models have started directly impacting cybersecurity over the last several months.

One thing we keep finding is that the underlying problems haven’t fundamentally changed. The AI solutions matter immensely to help before the breach, but they can’t save you if your system is compromised. As always, it still comes back to whether your data is ready for these models.

Even with frontier AI systems, structured and accessible data still matters because the cost of running these models at scale is enormous unless you have a more efficient way to work with them.

Another important point is that these models, so far, are finding variations of existing vulnerabilities rather than discovering entirely new categories of threats. That’s actually encouraging for the government, because it suggests there are still boundaries to how revolutionary these tools are in the near term. It gives federal leaders time to adapt and learn.

We’ve also discovered that the infrastructure, compute and storage requirements are so massive that these systems remain inaccessible for most organizations, whether government or private sector. In the near future, we’ll probably see smaller cyber frontier models tailored toward specific use cases that are more cost-effective.

In many ways, nothing has fundamentally changed—yet. From our research at the highest levels of banking and telecom, we’ve found that the shift is more incremental than people have been led to believe, at least relative to the last few years.

EBiz: What federal cyber vulnerability needs more attention from industry partners and integrators?

Sipus: I don’t think it comes down to one specific vulnerability. What we do know is that certain parts of government infrastructure are more exposed than others. Operational technology, or OT, systems are the easiest example.

More importantly, though, we need to ask what it is about the way federal organizations are structured—the way they buy technology, scope projects and manage acquisition—that creates vulnerabilities in the first place.

There was a recent example involving the planned lunar base where people pointed out there was no dedicated office for OT cybersecurity in that environment. I don’t know every detail of that story, but it highlights a broader issue: many vulnerabilities are created by organizational processes, not just by the technologies themselves.

That’s why it’s important to work with companies that focus not only on delivering technology, but also on helping organizations rethink how they approach the problem. It has to be a collaborative partnership based on trusted expertise and experience, not just tech or key performance indicators.

EBiz: Interesting perspective. What cyber risks are customers more worried about today than they were even a year ago?

Sipus: One issue that’s increasingly coming up, especially among chief information security officers at major financial institutions, is the concept of “dwell time.”

The concern is that organizations know there are vulnerabilities and risks buried somewhere in their networks and data, but they can’t realistically process or store everything. The fear is that seemingly small risks can persist over time and eventually compound into major threats.

Some chief information security officers are starting to ask: How long has a vulnerability existed? Was it introduced 30 days ago, three years ago or even nine years ago? At what point does a passive risk become an immediate threat?

This represents a shift from traditional cybersecurity operations, which are heavily focused on triaging alerts. ‘Dwell time’ thinking is more focused on understanding long-term patterns and advanced persistent threats where adversaries move slowly and quietly while leaving small breadcrumbs behind.

EBiz: So dwell time is basically a threat lurking in a system until the right moment?

Sipus: More or less. Something may not seem important until suddenly it is.

EBiz: Is there a threshold where dwell time becomes especially concerning?

Sipus: I’m not sure you can define it with a simple threshold. Most endpoint cybersecurity systems today generate thousands of alerts and people often dismiss them as false positives.

Our perspective is different because we can actually translate an entire network into linear algebra. We see everything with extreme detail and can do it with incredible efficiency. This was never possible before. Historically, organizations relied on network sampling because it was computationally impossible, or too expensive, to process everything.

So we changed the math, because we see the entire data environment and we know these alerts are not false positives. They’re indicators of emerging activity that may evolve into larger events over time. Dwell time is only a problem when you have limited network visibility and have to rely on AI guessing engines.

If you throw AI at incomplete or sampled data, the AI will always have limitations. That’s why people today struggle with false positives and dwell time calculations.

That’s why we moved from a probabilistic system toward a deterministic system. Instead of guessing, we can directly identify the exact threats that truly matter while also tracking lower-level activity that could become significant later as more context develops. All this happens in a fraction of a second.

That’s a major shift in cybersecurity thinking, and I expect government agencies will increasingly move in that direction as well.

EBiz: How do you decide which cyber tools are worth investing in?

Sipus: There are really two major shifts happening in cybersecurity right now.

The first is the convergence of IT and OT systems. The second is the rise of generative AI and large language models.

The challenge with both is balancing value against cost. If you want to deploy LLMs across a massive enterprise environment like the Department of War, the compute and storage costs become staggering. Organizations have to ask whether the benefit justifies the expense.

This is where our company is focused. Our approach not only makes all network data visible, it makes all networks AI-ready. Since we can dramatically reduce the cost and complexity of implementing the new AI technologies, organizations can actually use them at scale.

Right now, the DOW would struggle to implement many of these systems simply because of the infrastructure costs involved. Yet there’s tremendous pressure, both public and private, to adopt AI capabilities.

So the key question becomes: How do we gain the benefits of AI without bankrupting ourselves in the process?

EBiz: What are the differences between traditional IT systems and OT systems and how are they starting to intersect?

Sipus: Traditional IT systems generally follow standardized architectures and protocols. Everything has metadata and structure around it.

OT systems are very different. They’re often stripped-down environments with specific protocols different from IT networks, and they sometimes can be inconsistent by device manufacturer. We found devices even labeled with informal names like “My Endpoint,” instead of standardized identifiers like a media access control or IP address. The range of specializations and the inconsistencies create enormous complexity.

At the same time, OT systems create both risk and opportunity when they connect to IT systems. That intersection point is where many cyber vulnerabilities emerge.

Historically, people believed every OT protocol required a unique custom solution, which made OT cybersecurity seem impossible. The traditional approach was to work with every protocol on its own terms. But we’ve done the work and found that’s not entirely true.

While there may be thousands of protocol names, there are really closer to 600 unique protocols underneath them. Many are simply rebranded versions of the same core structures.

By aggressively reviewing every protocol out there, and by working at the lowest levels of signal, we developed a solution that is protocol-agnostic. It works everywhere.

While it sounds strange to say, at the end of the day, OT systems are still computation. For us, they’re just not fundamentally different from IT systems at the machine level. When information is purest, but complexity is lowest, you’re most likely to detect malicious activity early.

Prioritizing the lowest levels of electrical signal and machine-level processing, then working algebraically, we have all the data structured so it just shows us the bad guy. There’s nowhere to hide.

Written by Pat Host