When Gal Elbaz decided to hack Instagram, he didn’t need much convincing.
“We wanted to hack Instagram because they’re Instagram, right? We don’t need a lot of motivation,” the co-founder and CTO of Oligo Security told me in a recent interview. What followed was a lesson in how modern cybersecurity actually works - not through confrontations with shadowy figures, but through the quiet exploitation of a single overlooked library buried deep inside one of the world’s most downloaded applications.
I’ve spoken to many cybersecurity companies over the years, each of which addresses safety and protection in different ways. Usually, I hear about how they try to prevent attacks. This was the first time I had heard from a white-hat hacker.
For those unfamiliar, a white-hat hacker (or ethical hacker) is a cybersecurity professional authorized to identify security vulnerabilities in systems, software, or networks. By using ethical methods like penetration testing and scanning, they strengthen security before malicious hackers can exploit weaknesses.
Today, Oligo’s mission is to redefine how application security works in modern software environments. It does this by focusing on what’s actually happening at runtime, rather than just scanning code or assessing theoretical risks. Its Application Detection and Response platform now protects Fortune 500 companies and recently secured a partnership with AWS. The company was founded in 2023 and has raised approximately $80 million to date, backed by Lightspeed Venture Partners, Ballistic Ventures, and TLV Partners, as well as security veterans like Shlomo Kramer, Adi Sharabani, and Eyal Manor.
Elbaz and his team didn’t brute-force their way into Instagram. They found a vulnerability in an open-source image compression library built by Mozilla Firefox — the kind of invisible, unglamorous code that powers millions of apps without anyone realizing. The result was total access.
“The moment that we can literally execute code, you can take over the flow of the application, we control the application,” he said. “We are Instagram - and we have everything that we want over your phone. We have every permission that exists. We have access to the camera, to the gallery, to the memory, to your contacts, to everything.”
One thing that adds intrigue to my conversation with Elbaz is the way he thinks about what hacking actually is. For him, breaking into a machine and reading a person operate on the same fundamental logic. “Hacking is the art of controlling someone else’s mind, so to speak,” he explains. “Hacking is the manipulation of human beings who are behind the software. Phishing is the thing that brings them together because you trick people with technology.”
He carries that philosophy into how he runs his company. “As a founder, you sell to employees, to customers, to investors, to everything around you — you sell, sell, sell, sell. And people don’t get it, that it’s very similar to talking to a machine. A very random machine. But it is a machine.”
That mindset was forged early. Elbaz grew up in elite IDF intelligence units alongside his co-founders, CEO Nadav Czerninski and CPO Avshalom Hilu — childhood friends whose parents were themselves childhood friends — before going on to Check Point Software, where he spent years hacking the world’s biggest applications and presenting findings at Black Hat conferences and DEF CON.
The Instagram hack wasn’t just a headline. It was the founding insight behind Oligo. What struck Elbaz was that the entire security industry was oriented around catching attackers after they’d already won. He wanted to catch them at the moment of entry. “We thought, what about detecting the act of the breach? What if you can detect the root cause? What if you can catch the hacker when they’re trying to get in? Because after they got in, you lost.”
The urgency behind that mission has only intensified. The same open-source vulnerability problem that Elbaz exploited manually against Instagram can now be discovered and weaponized by AI agents in a fraction of the time. “It used to take 30 days to weaponize a zero-day by the most sophisticated attackers. Today it’s minus one. Agents can actually find zero days and exploit them so they can do the zero to one by themselves.” The defender’s margin for error, already razor-thin, is disappearing entirely.
When I asked Elbaz which side of that equation feels more natural to him, the hacker or the defender, he didn’t hesitate. “Definitely the hacking one, a lot more fun. When it’s hacking, it’s pretty easy, right? It’s about yes or no, could I hack you or not? The proof is in the pudding.”
The man who spent his career finding holes in systems — digital and human alike — is now in the business of closing them.










