Thirty Years of Failing Closed

Thirty Years of Failing Closed

By Ken Phelan
Posted in Security
On July 16, 2026

Last night I had the privilege of introducing Check Point's Dan Taney to a room full of New York CISOs. Preparing that introduction sent me down a memory lane that turned out to be less about nostalgia and more about strategy. I want to share some of it here, because the story of our oldest partnership says a lot about how Gotham thinks about technology — and about what's coming next.

The Original Partnership

Myself and the rest of the Gotham leadership were Check Point partners from the beginning. When we were building this firm twenty-plus years ago, Check Point's FireWall-1 was the product that had effectively invented the security industry. Founded in 1993, shipping in 1994, built on Gil Shwed's stateful inspection patent — the technique every firewall on earth still uses. We sold it, deployed it, and supported it across the New York enterprise landscape when "network security" and "Check Point" were close to synonyms.

That matters to me for a simple reason: we've always prided ourselves on bringing new technology to our customers before it's obvious. In 1996, a firewall was new technology. Somebody had to walk into a bank and explain why the internet connection they were so excited about needed a gate with a guard on it. That was us.

What a Breach Costs

Here's the part of the Check Point story I find most instructive, and it's not about products. It's about pedigree.

Check Point's founders came out of Unit 8200 — Israel's signals intelligence corps, and arguably the most effective technology accelerator ever built. But the thing Unit 8200 instilled wasn't just technical skill. It was a risk calculus. In the world those founders came from, a breach doesn't cost money. It costs lives. A missed intrusion means a soldier dies, an operation is blown, a source is executed. There is no insurance policy, no breach-notification budget, no risk-acceptance memo.

Corporate security grew up differently. We grew up on the language of acceptable loss.

You can see the difference in the architecture. Every security product eventually faces the same moment: traffic it can't classify, a file it can't prove safe, a decision that has to be made at wire speed. The question is which way the product leans. Most of the industry leans open — when in doubt, let it through, log it, don't interrupt the business. Check Point's design instinct has always been to fail closed: if you can't prove it's safe, stop it. Prevention at the gate, not forensics after the fact.

That's not a feature choice. It's an inheritance. People who learned security in a place where a wrong "allow" kills someone don't build systems that default to "allow."

The Math Got Worse

I told the room last night that the uncomfortable math of our industry is this: the threat curve is geometric, and our response curve is linear.

Every doubling of connectivity roughly squares the attack surface. Metcalfe's law works for attackers too. And AI just bent the curve again — attack tooling that used to require a nation-state team is now a subscription. Phishing at machine scale. Vulnerability discovery at machine speed. The marginal cost of an attack is collapsing toward zero.

Meanwhile, defense scales linearly at best: headcount, budget cycles, annual pen tests. We are bringing arithmetic to an exponential fight. The attackers are compounding. We're budgeting. That gap is the real vulnerability, and closing it requires something closer to 8200's structural urgency than to our quarterly review cadence.

“Good enough” is no longer good enough.

The Story Comes Full Circle

Which brings me to why this partnership feels new again.

Check Point's CEO today is Nadav Zafrir — a man who didn't just serve in Unit 8200, he commanded it. Between the military and Check Point, he co-founded Team8, the Tel Aviv venture foundry that builds security companies from a blank whiteboard. Gotham has been fortunate to have a relationship with Nadav and the Team8 organization for years, watching the next generation of security get built up close. Category leaders like Claroty and Sygnia came out of that engine, with exits to PayPal, Cisco, and others.

Now that engine is running inside the original company. Since early 2025, Check Point has made five targeted acquisitions, nearly all in AI security — runtime protection for AI applications, governance and discovery of autonomous agents, exposure management, and validation technology for the AI agents that will increasingly run security operations themselves. Five deals, one architecture: protect the AI you deploy, map what you're defending, and automate the defense with agents you can prove safe.

Fail closed, applied to AI. The philosophy hasn't changed in thirty years. The attack surface has.

Why This Matters To Our Clients

Every enterprise we serve is now deploying AI agents — copilots, chatbots, autonomous workflows — with credentials, autonomy, and access that traditional security tooling was never designed to govern. If fail-closed was the right instinct when the thing you were deciding about was a packet, it matters far more when the thing you're deciding about is an agent that can act on its own.

Gotham built its reputation on bringing new technology to customers when it was still new — and standing behind it for decades afterward. We did it with the firewall in the nineties. We intend to do it with AI security now, alongside the same partner we started with.

Simple is covered. We're here for the rest.

Ken Phelan is Chief Technology Officer of Gotham Technology Group. If you want to talk about securing your AI transformation — or just argue about firewall history — reach him at KPhelan@gothamtg.com.

Ken Phelan

Ken Phelan

Ken is one of Gotham’s founders and its Chief Technology Officer, responsible for all internal and external technology and consulting operations for the firm. A recognized authority on technology and operations, Ken has been widely quoted in the technical press, and is a frequent presenter at various technology conferences. Ken is the Chairman of the Wall Street Thin Client Advisory Council.