"Trust Me, Bro" Isn't a Security Strategy: One Founder's Mission to Fix Cybersecurity

There's a moment in every career where the puzzle pieces fit, where scattered experiences suddenly reveal a pattern you can't unsee. For Maxime Lamothe-Brassard, founder and CEO of Lima Charlie, that moment came after nearly two decades of watching cybersecurity promise the world, yet deliver black-box systems with little transparency.

His journey from Canadian signals intelligence to building what he calls the "hyperscaler for cybersecurity" is a story about the tension between how security should work and how it actually does, and the stubborn belief that such a gap doesn't have to exist.

In the second episode of Full Metal Packet, Control D founders Yegor Sak and Alex Paguis sit down with Maxime to learn more about his journey and the future of AI-driven cybersecurity.

The Government Years: Going Deep with No Guardrails

Maxime's career in cybersecurity started in 2007 at Canada's Communications Security Establishment (CSE), the country's signals intelligence agency. He first joined as a university co-op student, stepping into a world most people only encounter in fiction.

What he found wasn't the bureaucratic machine he might have expected. It was a greenfield. Cybersecurity education barely existed at the time. If you wanted to learn reverse engineering, your options were a handful of obscure Russian websites and a copy of IDA Pro. There was no Ghidra, no YouTube tutorials, no structured curriculum.

But the agency's culture rewarded exactly the kind of person Maxime is: self-driven, obsessive about depth, willing to go hard into a problem with minimal direction. The mandate was simple: here's the goal, here's the legal framework, now find a way. He dove into C programming and disassembly, then moved on to kernel-mode debugging and BIOS internals. Each layer revealed another layer beneath it, and the feeling was addictive.

"I went from 'this is cool, I can do programming' into 'there's so much depth to all of this that I will never reach the bottom,'" he recalls.

He rose to team lead, managing up to 10 people, having progressed from software development into operations. But the most lasting takeaway from those years wasn't a technical skill. It was a worldview.

Working in national defense taught him the uncomfortable truth that shapes his thinking to this day: if a major government wants to compromise you, they will. No product, no vendor, no configuration will stop that. And if it's not a government coming after you? You're probably not as interesting as you think.

That realization would later become the foundation of his entire philosophy on security: the idea that defense isn't binary. It's an equation. Who's the threat? What are they willing to spend? What are you willing to spend? Match those, and you've found your actual security posture. Everything else is theater.

The Breaking Point: A Classroom That Never Was

For six years, Maxime thrived. But the same self-driven nature that made him excel eventually ran headlong into institutional inertia.

He wanted to teach. Reverse engineering knowledge was becoming more publicly available, and he saw an opportunity to develop a training curriculum. He spent countless hours documenting every piece of content, meticulously verifying that nothing was classified; that every bit was already public.

It didn't matter. The agency's mentality, rooted in an era when SIGINT meant satellite dishes and proprietary compression algorithms, held firm: if you work here, nothing you know could possibly exist on the outside. The answer was a flat no.

"That just kind of soured me," Maxime says. He wanted to do more. The walls that had once felt like freedom — all that room to explore — now felt like a cage.

Capitalism Whiplash: The CrowdStrike Days

Maxime left for CrowdStrike, becoming employee number 100, before the company even had a product. It was the polar opposite of government work: the APT narrative was being built, the marketing engine was revving, and the startup energy was palpable.

He calls it "capitalism whiplash."

In government, the mission was real and reinforced daily. You were protecting the country, and you felt it. At CrowdStrike, he found brilliant people who genuinely loved cybersecurity. But zoom out far enough and the picture changed. It was a company. It happened to be in cybersecurity because the valuations were good.

He tells a story that captures the shift perfectly. At a different company during that era, a colleague with a background in the government and military was working on a government contract bid. They'd calculated costs, added margin, and arrived at a price roughly double their actual expenses. There was a quiet moment on the call. Then the ex-military colleague spoke up: "I don't know how I feel about this. We're about to charge the government for things that don't exist."

A beat of silence. Then the room gently reminded him: they weren't in government anymore. Profit had to come from somewhere.

The reflex faded instantly. But the moment stayed with Maxime. It was a small, human window into the cultural chasm between public service and private enterprise.

Google X and the Taste of Something New

After CrowdStrike, Maxime moved to Google's internal security team, where he was eventually exposed to Google X, the company's "moonshot factory." He describes it as halfway between a real startup and a massive corporation.

It didn't have the financial stakes of true entrepreneurship, but it gave him something just as important: the taste. Coming up with new ideas, refining them through conversation, and then pushing them forward. When his internal project (Project Lantern) spun out into Chronicle Security, he saw his window.

There was no better intermediate step. It was now or never.

And he had an ace in his back pocket. While at Google, he'd open-sourced an EDR (Endpoint Detection and Response) agent, the original Lima Charlie. When he left, Google granted him the invention assignment, which is unusual. But to Google, it was a piece of C software for OS telemetry on endpoint machines. "I think they kind of went, 'We don't know any of those words. Just take it and go.'"

Building Lima Charlie: The Hard Pivot

Maxime knew he had something valuable. But he also knew, even in 2018, that "EDR" alone wasn't enough. The market was already commoditizing. Starting a pure-play EDR company from scratch was a losing bet.

So he went back to first principles. What had IT figured out that cybersecurity hadn't? The answer was the hyperscaler model; the concept behind AWS, Azure, and GCP. Take the undifferentiated heavy lifting that everyone reinvents, and provide it as flexible, accessible, neutral infrastructure.

Cybersecurity needed the same thing. Organizations needed access to core capabilities without being locked into opaque vendor ecosystems. They needed transparency, flexibility, and the freedom to build on top of a platform without signing a 5,000-page MSA.

Lima Charlie would be the AWS of cybersecurity. The open-sourced EDR agent would be their EC2, the cornerstone service that everything else builds around.

But the early days were brutal. The first customers, mostly MSSPs, didn't want a cloud platform. They wanted a syslog pipe.

It was the classic innovator's dilemma: customers asking for a faster horse when you're trying to sell them a car. These early prospects had no skin in making the platform better long-term. They weren't aligned with the vision. Maxime had to keep turning them away.

He also made the painful decision to move the EDR from open source to a managed model. Open source carried expectations (PRs, community support, maintenance) that a startup couldn't afford when it was trying to build something fundamentally different.

The ideals of open source had to be put aside to focus on the realities of running a startup. 

"Trust Me, Bro" Security and the Bridge That Has No Blueprints

If there's one hill Maxime is willing to die on, it's the concept of provable security, and it's simpler than it sounds.

He believes organizations should know what they're protected against and how. That's it. No cryptographic proofs. No fancy equations. Just: tell me what you're doing, and help me verify it works.

He paints the picture with WannaCry. When it hit, it was trivially easy to detect: same executable name, same domain, every time. But millions of organizations woke up that morning unable to answer a basic question: are we protected? They had to call their vendor, wait on hold, and hope for a straight answer. What they usually got was: "Yeah, you're good. We've got AI."

No details. No mechanism. Just blind trust.

He compares it to hiring an engineering firm to build a bridge. Imagine the firm saying, "It'll be the best bridge. Don't worry about how." Any city would walk away from that conversation. Engineering solved this problem centuries ago with math, blueprints, and inspections. Cybersecurity hasn't, and the industry's incentive structure actively resists it.

Vendors gatekeep knowledge. Documentation is hidden behind sales calls. Data belongs to the platform, not the customer. SSO becomes a leverage point for forced bundle upgrades. It's not capitalism, Maxime argues. It's the opposite. Energy is wasted on extraction instead of creating real value.

The AI Contrarian: Why Current Implementations Won't Last

When it comes to AI in security operations, Maxime's take is sharp and specific: it's not that AI won't transform cybersecurity. It's that almost everyone is implementing it wrong.

The fundamental value of AI, LLMs in particular, is its boundless flexibility. You can ask any question, learn any topic, connect to any tool. It resists being boxed in. And yet, that's exactly what most cybersecurity vendors are doing: building proprietary AI widgets with secret models, hidden prompts, and rigid feature sets.

To Maxime, this is counter-directional to AI's actual value. A vendor-locked AI skew slows everyone down. A new model drops with incredible capabilities? Too bad. Wait for your vendor to integrate it into next quarter's release.

His alternative vision: AI becomes the glue between tools, not a tool itself. CLI tools like Cloud Code, Gemini CLI, and Codex are the new browsers. Nobody asks "what's the role of a browser in cybersecurity?" because it's just the medium through which work happens. AI agents will become the same: invisible infrastructure that makes humans dramatically more effective across every tool they already use.

The next few years, he says, will prove him right or wrong.

One Piece of Advice: Know What You Have

Asked for a single recommendation to security leaders for the next 90 days, Maxime's answer is deliberately unglamorous: spend time understanding your actual security posture.

Not your vendor's marketing claims. Not your compliance checklist. Your real posture: what your tools actually cover, where the gaps are, what you're protecting, and what you're not.

"Without that information, you can't make any of the other decisions," he says. "Don't purely rely on a vendor. That's the thing that's not going to be forgiven in the future."

It's the same lesson from the signals intelligence days, repackaged for the boardroom. Security is an equation. And you can't solve an equation if you don't know what's on both sides.

Maxime Lamothe-Brassard is the founder and CEO of Lima Charlie, a cybersecurity infrastructure platform. This post is based on his appearance on the Full Metal Packet podcast.