Aviatrix : Securing the Cloud-First Future

In this exclusive interaction with CiOL, Doug Merritt, Global CEO of Aviatrix and former CEO of Splunk, provides valuable perspectives for CXOs navigating the evolving cloud landscape. He highlights the growing urgency around network security, the critical need for enterprises to adopt advanced security frameworks, and the role of Generative AI in reshaping IT operations. Doug explains how Aviatrix’s unique position and advanced solutions are empowering enterprises to tackle modern cloud security challenges. Additionally, he outlines the company’s strategic vision for India and shares his top priorities as CEO for 2025—key takeaways for any CXO planning cloud-security for the future. Scott Leatherman, CMO at Aviatrix, also shares insights on the growing security concerns in the cloud and how the company is addressing them. Excerpts.

Can you give a quick overview of Aviatrix?

Doug: Aviatrix is a 10-year-old company focused on cloud-native networking and network security. While we initially concentrated on delivering advanced networking services within the cloud, we quickly realized through our customers that network security posed an even greater challenge.

Cloud providers are gradually improving their core networking capabilities, but there's still a long way to go. The way workloads move within the cloud—and the fact that nearly every cloud service is accessible via the internet—dramatically changes the dynamics of security. It increases the surface area and exposure of applications, along with the critical services they rely on.

What drew you to Aviatrix? You've worked at several leading tech companies—what inspired you to take on a leadership role here?

Doug: When I was at Splunk, the primary initiative I led was transforming the company from a traditional on-premises software provider—typically run inside data centers and managed by enterprise IT teams—into a cloud-native offering. This required a complete re-architecture of Splunk and a deep understanding of how the cloud operates and why it's fundamentally different from legacy data centers. Interestingly, Splunk is a customer of Aviatrix.

Even during my time at Splunk, I became increasingly aware of how critical the network is—and specifically how underdeveloped network security is in the cloud compared to what we've achieved in proprietary data centers.

That combination of personal experience, market need, and Aviatrix’s unique position in the space made it a compelling opportunity to lead and make an impact.

Cloud adoption began with a shift from on-prem to off-prem, and financial services were initially cautious due to security concerns. How do you balance innovation with security today, and how has the cloud evolved—especially with the move from CapEx to OpEx—over the last two decades?

Doug: COVID was a major turning point. Even the most reluctant financial services organizations were forced to rethink their strategies when they struggled to staff data centers and acquire hardware. That situation pushed them to explore how they could maintain their security requirements while leveraging the benefits of public cloud infrastructure.

That said, financial services—especially the larger players—remain among the most cautious adopters. While major investment banks are taking steps, it was the mid-tier banks globally that were forced to move to the cloud a bit earlier. One of the biggest reasons for hesitation is the fundamental difference in security architecture—clouds don’t have a traditional perimeter.

That’s where Aviatrix comes in. We’re a key enabler for these organizations, helping them achieve not just comparable but often better network security in the cloud than they had on-prem. A big part of that is our unique technical architecture, which is designed to deliver truly distributed network security.

Initially, the cloud was all about elasticity—helping organizations become more nimble and agile by allowing them to focus on their core business instead of managing infrastructure. 

Over time, as the cloud evolved, we hit certain inflection points. One of the biggest was around security. For example, Google’s acquisition of Wiz highlighted how security became a critical element—sometimes even more important than functionality. How did that shift happen? How did the emphasis move from cloud capability to cloud security?

Doug: It’s a logical evolution if you think about it. If you go back to the early days of public cloud, AWS and Amazon were the true evangelists of this new architecture.

Their mission was to empower development teams to move at the speed they needed. In traditional data centers, that was hard. Developers had to wait on the storage provisioning team, the networking team, and the security team before they could get the environments they needed. There were so many gates and processes that slowed everything down.

AWS came in and said, “Let’s blow that up. Come to our elastic, scalable public cloud. Developers, you don’t need to worry about those roadblocks anymore. Just build—move fast.”

And it worked. In the beginning, there weren’t many production workloads in the cloud, so the focus was all about speed and agility. AWS succeeded in getting developers to build and deploy at their pace. But as critical workloads began moving to the cloud—and as next-generation applications were built directly in the cloud—that’s when enterprises started taking a step back. From around 2018 to 2022, we saw a major shift. Enterprises began saying, “Hold on, speed is great—but now we need to think seriously about security.” These are mission-critical applications, and we can't afford to leave them exposed.

That’s where Aviatrix comes in—and the timing has been just right. We're seeing growing awareness among CIOs and CISOs that the traditional data center security models don’t translate directly to the cloud. A new architecture is needed—one that brings pervasive, distributed network security into these modern environments.

What’s also happening is that cybersecurity teams, who were somewhat sidelined during the initial rush to the cloud—because everything was "shift left," and developers were expected to handle it all—are now being brought back into the conversation. Senior leadership is realizing that, in our efforts to move fast, we may have skipped a few critical steps.

What kind of offerings do you provide? Could you walk me through a typical use case with a customer? Also, what types of customers do you primarily serve—mid-sized enterprises or large enterprises?

Doug: We generally work with relatively large organizations. Our ideal customer is typically a company with over a billion dollars in revenue and a substantial cloud footprint. It's especially valuable if we can engage with them early in their cloud journey, but more often, we're brought in once they've already moved some workloads to the cloud and have started to realize that network security in the cloud is fundamentally different.

In terms of verticals, our customer base is quite evenly spread across industries. Financial services is our largest segment, followed by software, manufacturing, retail, healthcare, and pharmaceuticals. But really, we operate across all major industries.

To give you an idea of the diversity: we work with BHP, a major mining company in Australia; AB InBev, a leading global beverage company in Europe; and top retail brands like Nike and Lululemon. So, it's not just the tech-native companies—we’re also seeing strong adoption in sectors that may not traditionally be considered tech-forward.

As you know, no conversation today is complete without touching on AI. How is AI reshaping cloud security and networking architectures? Is it making things more complex, or is it fostering more collaboration? 

Doug: Coming to Generative AI—most companies are currently taking a heterogeneous approach. Instead of moving all of their enterprise data to a single cloud (which can be costly and limiting), they’re becoming more selective. They’re deciding which data should go to traditional hyperscale clouds, which should go to newer GenAI-focused providers, and which data should stay on-premises. This hybrid approach reflects the complexity of the current AI landscape.

Many organizations are still figuring out how to extract real value from GenAI—particularly how to boost employee productivity in meaningful ways. At the same time, they’re wrestling with foundational architectural decisions:

•    What data should remain on-prem vs. in the cloud?
•    How do we enrich and secure that data?
•    How can we ensure that sensitive information isn’t leaked or exposed?

That’s where our cloud data encryption offering becomes critical. We hold a patent for software-based, high-performance encryption, which eliminates the need for hardware lead times. Our customers can download our edge capability directly to their data center, and we establish a secure, encrypted pipe from the data center to any cloud—or even between multiple clouds.

For a CIO or CISO reading this, what would your advice be when selecting the right cloud security vendor? What are the key criteria they should evaluate before making a commitment?

Doug: Cloud is a phenomenal shift in technology, offering elasticity, horizontal scalability, and an ephemeral, dynamic infrastructure that’s transformed the way we build and run applications. These benefits are undeniable—and companies need to continue leveraging them.

However, with that transition, you also need to adopt a cloud-native approach to network security. Traditional perimeter-based security models don’t apply in the cloud. There is no fixed perimeter anymore—every service is exposed on the public internet by design.

So, the real question for any CISO becomes: What’s your strategy for securing this borderless world? How will you maintain robust, high-visibility network security while still embracing the flexibility and scale that the cloud offers.

 Scott: We’re seeing this demand accelerate due to several triggers—whether it’s attacks from groups like Salt Typhoon or Medusa, evolving regulations like DORA (Digital Operational Resilience Act), or changes from cloud providers themselves. For example, Azure is shifting responsibility by phasing out NAT gateway availability, which puts more burden on enterprises to secure their own environments.

What are you doing in India? What's your India strategy? 

Doug: Our primary focus in India so far has been twofold: supporting multinational customers with large cloud teams based here and investing in India as a critical talent hub for Aviatrix. Today, around 25% of our global workforce is in India, and nearly 50% of our engineering team is based here. It’s a full-stack operation—we have marketing, engineering, and leadership functions across the board.

Scott: I’d add that the only thing outpacing India’s digital growth is cyber risk. The scale and speed of transformation over the past 10 years is extraordinary. But unfortunately, cyber threats are rising just as fast, if not faster. And that’s the reality of the world we live in today.

How are you pivoting your ACE program for talent development?

We've had over 10,000 people in India go through the Aviatrix Certified Engineer (ACE) training program so far. In fact, we were just here conducting the program with AB InBev. The program is essentially a Massive Open Online Course (MOOC), but it also includes a hands-on lab component, especially at the professional certification level.

As a CEO looking ahead at 2025, what are the two key priorities you plan to focus your energy on? 

There are two core priorities we’re really focused on.

First, we’re continuing to enhance the completeness of our coverage with our Cloud Firewall product. A recent example is the Kubernetes Firewall release we announced a few months ago, which we showcased at KubeCon. Our goal is to ensure that wherever a cloud workload resides, our cloud firewalling capabilities can be effectively deployed to protect it.

Second, we’re aggressively pushing forward on integrating generative AI to make our offerings more autonomous, adaptable, self-healing, and self-revealing. That’s a major area of focus for us.