If there’s one thing Zakir Durumeric has earned through a career split between academia and the front lines of cybersecurity, it’s precision. He doesn’t just talk about “vision” the way founders are supposed to. He treats it like an engineering constraint: something you protect, measure, and reinforce, especially when the market is loud.

So when Zakir explains how Censys stayed true to its technical thesis while customers, investors, and industry narratives pulled them in every direction, you lean in.

Because this is the part of building companies most people skip: not the idea, not the funding, not even the product. The part where you’re forced to decide whether you’re building what’s requested, or what’s needed.

And those are rarely the same thing.

The Two-Lens Problem: Customer Pain vs. Company DNA

Zakir frames the entire challenge through two lenses: the “what” and the “how.”

The “what” is the customer problem - what security teams are actually trying to solve. That requires deep listening: customers, prospects, domain experts, people with a view into where the market is going.

But the “how” is the company’s DNA - what you uniquely bring to the table and refuse to compromise on.

At Censys, that DNA is uncompromising: data quality and internet visibility at extreme fidelity. Not as an engineering best practice, but as a strategic pillar. Zakir makes the point bluntly: you can’t solve customer problems without elite data, and you can’t build elite data without staying anchored to the real problems.

So Censys built the organization to enforce it. One side of the house benchmarks and improves accuracy, latency, and coverage relentlessly. The other side lives with customers, extracting the real pain behind what they’re asking for. And the magic is in the bridge between them: constant, intentional collaboration.

That’s how conviction becomes operational.

From University Research to a Company the Market Kept Pulling On

Censys started as a research project at the University of Michigan, built around a deceptively ambitious question: how do you scan the entire internet at scale?

That became ZMap - an internet-scale network scanner inspired by Nmap, but designed to operate across everything, not just a range. Initially, it served academic curiosity: patching patterns by country, insecure infrastructure, trust relationships across certificate authorities.

But the moment the industry got hold of it, the demand shifted.

Security teams. Pen testers. Threat hunters. Defensive VM teams. Even market analysts measuring cloud adoption trends across AWS, Google, Oracle, IBM.

Everyone wanted visibility.

So the company did what “good startup advice” tells you to do: pick one use case and go deep. They focused hard on attack surface management - shadow IT, perimeter exposure, internet-facing infrastructure - helping defensive teams answer the urgent question: what’s exposed, what’s risky, and what do we fix first?

But here’s the tension: while the paid product narrowed, a free community product remained wide open - anyone could query any asset on the internet.

And over time, that open surface kept growing… even without heavy R&D investment.

That growth was the early signal of something most founders miss: the market was telling them the platform wanted to exist.

The Data Was the Product (Even When Everyone Told Them It Wasn’t)

Zakir shared a critical detail: early advice from the outside world was almost universally the same:

“Leave the data behind. The data isn’t valuable. Nail one use case. You can’t do two.”

And that’s the trap. Because the advice isn’t wrong - it’s just incomplete.

What Censys saw over time was something more structural: every time they built a feature for one persona, another persona needed it immediately. Data quality problems raised in one area would later surface in a completely different workflow. The same infrastructure relationships kept reappearing across use cases.

Eventually, the realization clicked:

Every security persona has a slice of the internet they care about - first-party assets, third parties, supply chain dependencies, critical infrastructure sectors, adversary infrastructure. Different missions, same map.

So Censys didn’t pivot into “being a data provider.” They did something smarter:

They built a platform that lets every persona make sense of their slice - using a shared foundation of best-in-class internet visibility.

That’s not a shift away from focus.

It’s a shift into architecture.

The Product Lesson: Don’t Build What Everyone Asks For

Zakir’s view on the product is refreshingly honest: if you build exactly what customers ask for, you end up with a messy hodgepodge - features without a coherent story.

The job isn’t just listening.

The job is pushing past the surface request to find the kernel underneath:

     What problem are you actually trying to solve?

     Why does this matter right now?

     What’s the pain you’re failing to articulate?

And yes, there are table-stakes realities. Splunk integrations aren’t exciting. ServiceNow isn’t glamorous. But you build them because that’s how production works.

The differentiation isn’t in the plumbing.

The differentiation is in the core problem - visibility, attribution, accuracy, relationships, real-time context.

Or as Zakir’s philosophy implies: integrations keep you in the game; foundations win the game.

PMF, According to a Founder Who Doesn’t Romanticize It

When I asked Zakir when he knew Censys had product-market fit, he gave the answer I trust the most:

It’s not a switch. It’s not an endpoint. It’s not “you have it or you don’t.”

It’s repeatability.

It’s when you can describe the problem and buyers feel it viscerally:

     “Yes, that’s us.”

     “Yes, we’ve got budget for that.”

     “Yes, we didn’t budget for it, but now we have to.”

And even then, it doesn’t end - because security changes constantly. Five years ago, VPN endpoints weren’t the breach epicenter. Now they’re a leading initial access vector for ransomware groups. The product must evolve with the threat surface.

PMF is a moving target.

The only way to keep it is to keep earning it.

AI: Not “AI vs AI,” But Humans Superpowered by AI

Zakir’s stance on AI is pragmatic. He doesn’t believe we’re in a world where AI is “magically hacking unknown vulnerabilities.” He believes we’re in a world where AI accelerates what humans already do - faster, more targeted, more scalable.

Better phishing. More tailored social engineering. Faster reconnaissance. Wider democratization of attacker sophistication.

On the defense side, the opportunity is equally clear:

     help junior analysts see patterns sooner

     connect disparate signals across tools

     automate the tedious work that drains security teams

     gradually build trust toward safer automation (including remediation)

But he’s candid about reliability. Hallucinations are real. Bad outputs happen. Trust isn’t binary - it’s earned through controlled use cases and gradual gating.

The first wave is augmentation.

The later wave might be automation.

First Principles: The Skill That Becomes More Valuable as Code Gets Easier

One of the most useful parts of the conversation was Zakir’s answer to a market narrative I hear constantly: “AI will eliminate junior engineers.”

He doesn’t buy it.

What AI replaces is the tedious work - the scaffolding, the templates, the glue code, the searching through unfamiliar codebases. But the hard problems remain:

     designing abstractions

     scaling systems

     testing boundaries

     building secure interfaces

     making tradeoffs with performance and reliability

     evolving systems without breaking them

That’s first principles thinking: not a buzzword, but the ability to understand what’s invariant beneath the tools.

And in a world where AI can generate code, the human value shifts upstream: design, judgment, architecture, and intent.

The Future of Security Is Less Dashboard, More Data Platform

Zakir described something I think every security founder should tattoo onto their roadmap:

Why is every security company reinventing Tableau?

Security organizations have dozens, sometimes hundreds of tools. Historically, everything dumps into a SIEM and humans stitch meaning across “15 tabs open.”

What’s changing now is bidirectionality. Customers don’t want Censys to be a one-way data source. They want control over:

     how assets are discovered

     how ownership is defined

     how external signals inform internal prioritization

     how tools speak to each other through newer interfaces (like MCP-based APIs)

This is a profound platform shift: from black box product to extensible system where customers can interrogate decisions, view evidence, and integrate insight into their own ecosystems.

Less “here’s our dashboard.”

More “here’s the truth; use it your way.”

Closing Thoughts

Zakir’s story is a blueprint for founders building deep tech in noisy markets.

He didn’t win by chasing every request.

He won by holding a technical line (data quality, fidelity, real-time visibility) and letting use cases accumulate on top of a shared foundation until the platform became inevitable.

It’s a reminder that the best companies don’t just listen.

They translate.

They interpret.

They decide.

And then they build with enough conviction that when the market finally catches up, it looks obvious in hindsight.

Until next time,

Firas Sozan
Your Cloud, Data & AI Search & Venture Partner

Find me on LinkedIn: https://www.linkedin.com/in/firassozan/
Personal website: https://firassozan.com/
Company website: https://www.harrisonclarke.com/
Venture capital fund: https://harrisonclarkeventures.com/
‘Inside the Silicon Mind’ podcast: https://insidethesiliconmind.com/
