Duncan Thomas on Disrupting Enterprise Security Through Transparent Pricing and AI-Powered Virtual Patching



In an enterprise security industry notorious for hidden pricing, restricted trials, and sales-driven qualification processes, Duncan Thomas has positioned Innoculator as a revolutionary force that challenges traditional vendor practices through radical transparency and customer empowerment. As CEO and Co-Founder of the Melbourne-based cybersecurity company, Thomas brings 15 years of experience in cybersecurity sales during which he witnessed how vendors typically “maximize hype, hide the cost, and hide the software from the customer for as long as possible.” This insider perspective drove him to create a fundamentally different approach with Innoculator, an AI-powered application protection platform that provides virtual patches for any known vulnerability, including legacy software, through a combination of AI-generated virtual patching, distributed architecture, and centralized management to deliver network-based protections for CVEs. Breaking industry norms, Innoculator offers free 30-day trials with no obligation or sales qualification, transparent monthly subscription pricing published directly on their website, and a simple cancellation policy that reflects Thomas’s confidence in their solution’s ability to deliver measurable value. The platform addresses one of cybersecurity’s most persistent challenges by enabling organizations to protect vulnerable systems without waiting for official patches or dealing with the complex deployment cycles that leave networks exposed to known threats. Through this customer-first approach that prioritizes accessibility and transparency over traditional sales tactics, Thomas is demonstrating how cybersecurity companies can build trust and market share by simply allowing customers to evaluate solutions on their merits rather than through high-pressure sales processes and hidden costs that have dominated the enterprise security market for decades.

Q. You’ve spent 15 years in cybersecurity sales witnessing how vendors “maximize hype, hide the cost, and hide the software from the customer for as long as possible,” which led you to create Innoculator with completely transparent pricing and free trials. What specific experiences during your sales career most influenced your decision to challenge these industry practices, and how do you balance the need for revenue growth with your commitment to transparency in a market where competitors may use traditional high-pressure sales tactics to close deals faster?

Duncan Thomas: There are two aspects to what drove this decision for us. The first is rooted in my own experience over the past 15 years, as you pointed out. We have seen so many great tools that everyone could benefit from, but unfortunately they are priced in such a way that only large enterprises can afford them. But we feel the problem we are solving needs to be solved for everyone, otherwise the industry is stepping backwards. Attackers are using new tools that are allowing them to exploit vulnerabilities faster in their target environments, so defenders need tools that can keep up, regardless of your size.

On the flip side, we are also frustrated that so many organisations that are breached these days really have not put in the effort to avoid it, and have often used cost as an excuse. We wanted to take that excuse away.

So our approach became a No B.S., No Excuse and No Surprises approach to licensing. Simple and easy to understand for everyone at a price everyone can afford.

Q. Innoculator combines AI-generated virtual patching with distributed architecture and centralized management to deliver network-based protections for CVEs, addressing the critical gap between vulnerability discovery and official patch deployment. As someone who understands both the technical and business sides of cybersecurity, how do you explain the advantages of virtual patching to enterprise customers who may be skeptical about AI-powered security solutions, and what specific use cases or legacy software scenarios demonstrate the most compelling ROI for your platform?

Duncan Thomas: When I first learned about virtual patching, it was from someone in the industry solving a very specific problem they had, namely when Log4J was first discovered. They explained how they had used a specific signature they created to block any attempts to exploit it for the 10 workloads they had which were potentially exposed. And it worked well for them. It made me ask the question, “Why is this not done more often?”

Looking into this, the answer was that a number of issues meant it was not used as an approach very often. First was that inspecting all traffic for known exploit signatures caused network bottlenecks and associated latency. The second was needing a dedicated team working 24/7 to create new signatures on demand. And on top of this, you needed a way to manage it all.

Innoculator solves these issues. First, we use a distributed model for our software-based inspectors. We do not charge for these, so we encourage you to install as many as you like. Be it 1-to-1 or 1-to-many, however you want to deploy it is up to you, and it costs nothing. And this is all centrally managed from a single point.

The second issue is where A.I. comes in. I am as sceptical as most when it comes to A.I. and its shortcomings, but we really focused on using it for what are its greatest strengths: consuming vast amounts of information quickly, and following a set of instructions.

So combining this approach meant we could deliver virtual patches for new and emerging CVEs, but also very old ones. This is where talking to experts really opened our eyes to the problem of legacy systems. Most organisations have some legacy systems, and generally the way this is dealt with is to “accept the risk”. The business function of the system is far too important to get rid of, and the price to upgrade it is prohibitive. So typically the approach becomes one of hiding and hoping. Hide the system on your network, and hope an attacker doesn’t find it.

This is where virtual patching comes in. It is network-based, so nothing needs to be installed on the end system. So with our approach, you are inspecting for someone trying to exploit known vulnerabilities on the endpoint at the network level.

The best example of this would be the Log4J / Log4Shell vulnerability (CVE-2021-44228). Many organisations still have this unpatched on their network, and it is still in the top 10 most exploited CVEs each year. Using Innoculator you can have this solved very quickly with no impact on your applications (as well as any other unpatched network-deliverable CVEs).

Q. Your platform provides virtual patches for any known vulnerability, including legacy software that organizations often struggle to protect due to vendor support limitations or complex update requirements. How does Innoculator’s approach differ from traditional vulnerability management solutions, and what technical capabilities allow your AI system to generate effective virtual patches for diverse software environments without requiring deep integration or system modifications that might disrupt business operations?

Duncan Thomas: Our focus with Innoculator was to really fix the issue with vulnerability management. Namely, getting protection in place as quickly as possible. Currently, an organisation runs a vulnerability scan and they will have a list of everything they need to patch. These can be extremely long lists. And before the team tasked with applying the patches can start, there is a process they must follow. First, they need to prioritize which vulnerabilities they need to patch the quickest. Typically they will decide based on business impact, CVSS score, availability, downtime requirements etc. Then they will need to test the patches, to make sure that applying them doesn’t break anything. Then they need to apply them, and document what has been done. All up, this process takes considerable time. The average amount of time it currently takes for this process to run on critical vulnerabilities only is over 70 days!

So with Innoculator, we wanted to make sure we fit into this process, but we are putting virtual patches in place in minutes. Take your vulnerability scan, feed it into Innoculator, and it will do the rest. Simple and effective. I should point out that you are still better off applying the patch, but if that is going to take you 2 months, then get virtual patches in place ASAP!

Now when it comes to our AI generation of virtual patches, there are some caveats. We have 3 main rules: the AI will evaluate any CVE submitted. First, is this CVE in the CISA KEV list? Secondly, is this a network-exploitable CVE? And finally, is there a public exploit or proof of concept available? When we have these, the AI can generate. We then have a bunch of checks and balances within the AI, and we augment this with some human oversight as well.
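As an added example (this is not Innoculator’s code, whose internals are not described in the interview), the following Python sketch applies the three eligibility rules from the answer above to a vulnerability-scan export: a CVE is queued for a virtual patch only if it is in the CISA KEV list, its CVSS v3.1 vector says Attack Vector = Network, and a public exploit or PoC is recorded. The KEV set, the scan entries and the CVE-1900-* ids are constructed placeholders; only CVE-2021-44228 (Log4Shell, named in the interview) is a real id, and a real deployment would pull the KEV catalogue from CISA rather than hard-code it.

```python
"""Triage filter modelled on the three rules in the interview (added example)."""
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV catalogue; CVE-1900-* ids are placeholders.
KEV_IDS = {"CVE-2021-44228", "CVE-1900-0002"}

# Constructed scan export: (cve_id, cvss_v3.1_vector, public_poc_available)
SCAN_RESULTS = [
    ("CVE-2021-44228", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", True),
    ("CVE-1900-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),   # not in KEV
    ("CVE-1900-0002", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True),   # local only
    ("CVE-1900-0003", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", False),  # no PoC
]


@dataclass
class Decision:
    cve_id: str
    eligible: bool
    reasons: tuple  # rules that were not met; empty when eligible


def attack_vector(vector: str) -> str:
    """Return the AV metric (N, A, L or P) from a CVSS v3.x vector string."""
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return metrics.get("AV", "")


def triage(cve_id: str, vector: str, poc: bool, kev=KEV_IDS) -> Decision:
    """Apply the three rules; every unmet rule is recorded so the exclusion is explainable."""
    unmet = []
    if cve_id not in kev:
        unmet.append("not in CISA KEV")
    if attack_vector(vector) != "N":
        unmet.append("not network exploitable")
    if not poc:
        unmet.append("no public exploit/PoC")
    return Decision(cve_id, not unmet, tuple(unmet))


def virtual_patch_queue(results=SCAN_RESULTS, kev=KEV_IDS):
    """Split the scan into (ids eligible for a virtual patch, deferred decisions)."""
    decisions = [triage(c, v, p, kev) for c, v, p in results]
    return ([d.cve_id for d in decisions if d.eligible],
            [d for d in decisions if not d.eligible])


if __name__ == "__main__":
    queue, deferred = virtual_patch_queue()
    print("virtual patch queue:", queue)
    for d in deferred:
        print(f"{d.cve_id}: regular patch backlog ({', '.join(d.reasons)})")
```

The deferred entries still go through the normal prioritise, test, apply and document cycle described above; the filter only decides which CVEs get a network-level stopgap first.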

Q. Breaking from industry norms, you offer 30-day free trials without sales qualification and monthly subscription pricing with simple cancellation policies, essentially letting the software sell itself. How has this transparent approach affected your sales cycle and customer acquisition compared to traditional enterprise security sales processes, and what challenges have you faced in educating potential customers who may be conditioned to expect complex procurement processes and long-term contracts in the cybersecurity space?

Duncan Thomas: As we have only just launched, it is far too early to tell! But the expectation is that it will not affect the sales process initially, but it should as we gain traction. Initially, as with any new technology, you have to educate the market. That takes time. But once people understand the benefits Innoculator brings, we wanted to remove any doubts or concerns they might have. And what better way to do that than by laying all your cards on the table for all to see? We want people to be able to get Innoculator in place as quickly as Innoculator can get virtual patches in place, and we do this by removing a lot of the processes and risk that organisations face with any solution.

Q. Based in Melbourne and serving businesses worldwide, you’re competing against established cybersecurity vendors with significantly larger marketing budgets and sales teams. As you continue scaling Innoculator’s reach while maintaining your commitment to transparency and customer empowerment, what’s your strategy for building market share in the competitive enterprise security space, and how do you see the industry evolving as more customers demand accessible trials and transparent pricing models?

Duncan Thomas: At the risk of showing my age here, I started out selling software based on the number of CPUs a system had. Please note, not cores, but CPUs, as multicore wasn’t a thing yet. The point being, licensing and pricing are always evolving. When subscription licensing models first came out, I was sceptical. It seemed at first like a chance for vendors to charge a little less upfront, but many times more in the future. So it seemed like a bad deal for the customer. But I was wrong. Subscription licensing is the best friend of the customer! It holds the vendor to account. So if you don’t like the product, don’t like the roadmap, aren’t happy with the customer service etc. etc., whatever it may be, you have the power to cancel. So to my mind it really is the best for the customer, as they retain the power in the relationship dynamic.

I also think that with the rapid change we are seeing in software development, business admin and general business tools in general, that Sam Altman is correct: we are very close to seeing a 10 person company hit a billion dollar valuation. Small teams can achieve big things, and one of the benefits to everyone else will be utilising methods such as transparent pricing and licensing to really speed up that process. So I would expect more of this in the future.

Conclusion

Duncan Thomas’s approach with Innoculator represents more than just a different business model—it embodies a fundamental challenge to the trust deficit that has long plagued the enterprise cybersecurity industry. His willingness to offer free trials and transparent pricing reflects genuine confidence in his AI-powered virtual patching solution while addressing real customer frustrations with traditional vendor practices. By leveraging his insider knowledge of sales tactics that prioritize revenue over customer success, Thomas has created a platform that allows organizations to evaluate cybersecurity solutions based on technical merit rather than sales pressure. His focus on solving the critical vulnerability management challenge through AI-generated virtual patches addresses a genuine pain point for enterprises struggling to protect legacy systems and rapidly deploy security updates. As cyber threats continue evolving and organizations demand more agile security solutions, his transparent approach may force the broader industry to reconsider how cybersecurity products are marketed and sold. The success of Innoculator’s customer-first model could signal a shift toward more honest, accessible cybersecurity solutions that prioritize solving real problems over maximizing sales complexity and vendor lock-in.

To explore AI-powered virtual patching and access transparent cybersecurity solutions, visit www.innoculator.com