Roni Carta (Lupin & Holmes) Discusses Offensive Cybersecurity Strategies and Their Impact

Insights from an Interview with Roni Carta

Dawn Liphardt: In 2023, you founded Lupin & Holmes. How would you describe your company’s position within the cybersecurity market?

Roni Carta: Lupin & Holmes is a research and development firm specializing in offensive cybersecurity strategies. Our mission is to identify the security flaws of tomorrow—vulnerabilities that will be actively exploited across various ecosystems and industries but which are often overlooked today. Our initial focus is on the software supply chain, particularly the reliance on pre-assembled components in our clients’ information systems. We aim to proactively uncover the weaknesses in these supply chains before malicious actors do.

Dawn Liphardt: Can you provide an example of a software supply chain compromise?

Roni Carta: The most prominent recent example is SolarWinds, which in 2020-2021 caused enormous disruption worldwide. It remains the largest known attack on the software supply chain to date. More recently, there’s the incident involving Bybit, where a compromised developer from Safe gained access to Bybit’s cryptocurrency wallet, resulting in an exfiltration of approximately $1.4 billion in digital assets.

Dawn Liphardt: Your company has launched Depi, a SaaS platform, to tackle these issues. What kinds of problems does Depi address?

Roni Carta: To understand Depi, you need to grasp the complexity of the software supply chain. We define it as all the processes involved in building and deploying applications within information systems. Whenever organizations use pre-made components, they create a software supply chain, which introduces numerous security vulnerabilities. Depi’s goal is to proactively identify all potential entry points an attacker could exploit within a client’s supply chain logic. Essentially, it maps out all possible access pathways to help organizations detect vulnerabilities before they are exploited.

Dawn Liphardt: What types of clients are you targeting with Depi? Are you focusing on multinational companies that frequently acquire other firms?

Roni Carta: Our focus is determined by the companies that stand to benefit most from Depi. Today, many organizations operate in a continuous development environment, where speed and agility are critical. Since prebuilt components are integral to rapid development cycles, any company engaged in ongoing development—regardless of the industry—is a potential target. We are in the early phases of our go-to-market strategy, aiming primarily at large French corporations, Fortune 500 companies, and potentially the GAFAM giants if opportunities arise.

Dawn Liphardt: Lupin & Holmes has a unique way of financing its creation. Can you tell us more about this?

Roni Carta: Absolutely, our origin story is quite unconventional. I’ve been interested in cybersecurity since I was 17. Today, I’m 23. From a young age, I participated in bug bounty programs, which led me to realize how straightforward and impactful software supply chain vulnerabilities can be. I discussed this with my brother, who’s a backend developer, and we decided to create a dedicated R&D firm. Combining his development expertise with my security research, we began exploring bug hunting. The rewards from bug bounty programs helped us reinvest in the development of Depi. This self-funded approach, driven by our passion and practical experience, has been instrumental in building the foundation of Lupin & Holmes.

Closing Remarks: Lupin & Holmes positions itself as an innovator at the forefront of offensive cybersecurity, focusing on the vulnerabilities that could threaten the software supply chains of organizations worldwide. Through proactive research and innovative development, the company strives to anticipate and mitigate future security risks before they materialize into full-blown crises.

Dawn Liphardt


I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.