Hosts Del Mar happened right after a rough security wake-up call for the hosting industry. Recent issues around cPanel, Linux, and Apache showed how quickly core infrastructure can become exposed, and how big the difference is between “a server” and a properly managed hosting environment. With Seb de Lemos, CEO, and Darren Lingham, Co-founder of hosting.com, we talked about why the last two weeks proved the value of managed hosting, why “semi-managed” is a dangerous grey area, and how AI may make security incidents faster, louder, and harder to ignore.

This interview is part of a series recorded at Hosts Del Mar – a private, invite-only hosting industry gathering on Ibiza, organized by Atarim, Monarx, Patchstack, and StorPool Storage.

Konrad: First of all, how do you like Hosts Del Mar this year?

Seb: This is my second time at this event, and it is great to be here. What I really like is that it does not feel like a pressured event.

There are so many people from the hosting industry in one place, but everyone is relaxed. You can sit down, have a beer, and talk about things properly. There is not too much schedule, there is not too much formality, and that makes the conversations more useful.

It is also good timing, because it has been a busy couple of weeks for everyone. A lot of people have been stressed. Now they are here, thinking about what happened and what it means for their focus.

Konrad: When you say it was a busy couple of weeks, you mean the recent security issues around cPanel, Linux, Apache, and the wider hosting stack?

Seb: Yes. There was the cPanel vulnerability, and then there were other issues as well. It has been a stressful week, or really a stressful couple of weeks, for a lot of people in the industry.

We were very quick to respond. Luckily, we had teams ready straight away, and they were on it.

I also want to say that I have full sympathy for WebPros and for any software company in that situation. I run software companies too, so I understand what it is like when something like this happens.

The reality now is that LLMs can detect issues much faster than people could before. There are many people in the world looking for vulnerabilities. Some are after money. Some are just doing it for fun. There are people who would take pleasure in destroying a business or putting ransomware on a website that has been online for 15 years.

That is just the state of the world now, and that is what we have to deal with.

Konrad: What exactly did hosting.com do when the cPanel issue became public?

Seb: We found out at the same point as everyone else, when it was posted publicly. Once we understood which ports were involved and that it was going after WHM and cPanel, we blocked those ports.

Then we very quickly blocked the other relevant ports as well. We also blocked the proxy subdomains and followed the recommended mitigations.

After that, we waited for the patch. When the patch came out, we rolled it out. Once the patch was rolled out, we unblocked the ports.

For our managed customers, we were in a very good position. There may have been a couple of exceptions, but overall, we were on it. It was stressful, but the managed side worked well.

With unmanaged servers, we managed to protect most of them, but some customers had issues because their servers were unmanaged and not patched.

Konrad: So did the last two weeks prove the value of managed hosting?

Seb: Very clearly, yes.

It showed the value of being a managed provider, and it showed the value of having a host manage your server.

Someone who does not have experience, or someone who only manages this part-time, cannot stay on top of this in the same way a host can. We have teams whose job is to monitor security, understand what is happening, and fix things quickly.

Even if someone is a very good sysadmin, if they are managing their own server, they usually cannot move as quickly as a company like us. We have security teams, monitoring, a SOC, and processes around this.

So yes, there is a reason you want your server managed. This kind of incident makes that very obvious.

Konrad: Do you think the industry has been too unclear about the difference between managed and unmanaged hosting?

Seb: Yes, and this is a big point.

There has historically been a blurred line in hosting between managed and unmanaged. At hosting.com, we are an M&A business, and we buy a lot of hosting companies. Quite often, we come across servers that were sold to customers as something like “managed with root”.

The customer has root access, but they also expect help from the host. They ask the host to install things or fix things. That may be fine in some normal situations, but in a security incident like this, it does not really work.

You can have fully managed, or you can have unmanaged. The middle ground is dangerous if people do not understand what it really means.

From the outside, a customer may think it is just a server from hosting.com, with or without management. But those are completely different products. The difference between our management and a customer managing it themselves is a million miles apart.

That includes backups, security, monitoring, support, and response. We need to be much better at distinguishing those things.

Konrad: Does that mean hosting companies need to change how they name or position unmanaged servers?

Seb: Yes, we are thinking about that.

The product itself can still be a great product. I do not want to minimize it. But if you are not a full-time sysadmin, or if you do not have a team, you need to think very carefully about what you are running.

For example, with UpMind, I use unmanaged servers from hosting.com. But I have two full-time sysadmins who know what they are doing. They spend their time thinking about resilient backups, security, and all the operational details.

That is very different from a customer who just takes an unmanaged server and assumes the host will always protect them.

So we need a clearer distinction. Maybe the naming changes. Maybe the positioning changes. But we need customers to understand what they are buying and what risks they are taking.

Konrad: You mentioned LLMs finding vulnerabilities faster. Does this mean the next year will be rough for software vendors and hosts?

Seb: I think we are going to see more and more patches over the next six months to a year.

Software companies are already engaging companies to scan their code. Everyone is doing it. We are doing it with UpMind as well. Security-focused LLMs and tools can look for chains of issues and find things that traditional testing may not catch.

Some of these vulnerabilities may not be in the wild. The vendor may find them internally before anyone exploits them. But they still need to patch them, and hosts need to roll those patches out.

On one hand, that is scary, because vulnerabilities exist. On the other hand, many of those vulnerabilities may have existed for 10, 15, or 20 years already. So it is good that they are being found and closed.

I think we will have a safer hosting environment for mature hosts. Every vulnerability that gets closed is a good thing. But the process of getting there may be stressful.

Konrad: Darren, from your point of view, what does this mean for the next year?

Darren: All of this software is going to be audited in the next 12 months. I think there is going to be a really sharp increase in discovered vulnerabilities. The next 12 months could be a really scary time.

But after that, I think it should get calmer. Some of these vulnerabilities have existed for years and years. There is a limit to how many can be found. It will get scary, but it will get better.

Some of these issues may even have been exploited for years without being detected. You have bad actors, including nation-state-level actors, who may know about vulnerabilities and keep them private because it gives them an advantage.

AI changes that. It puts more of this information into the open. These vulnerabilities get discovered, reported, patched, and closed. In the long term, that should help.

Konrad: Does this give bigger software companies an advantage?

Seb: I think it probably does, at least at the beginning.

A company like cPanel can afford to pay for these kinds of development checks and security audits. Smaller software companies may find that harder.

Darren: In the beginning, yes, it gives bigger companies an advantage. But over time, people will point these tools at other pieces of software too.

Even if you do not develop the software yourself, someone in the supply chain may say: “We want to run this audit tool against your systems.” It will become part of the audit process. Smaller companies will have to pass that process if they want to supply services to bigger companies.

So I think this becomes standard.

Konrad: How does AI change security testing itself?

Seb: I think it will have a big impact on penetration testing.

I remember doing a pen test for UpMind because we needed it for ISO compliance. I went to what looked like the most advanced pen testing company I could find. I expected them to do advanced logic checks, but a lot of it was just automated scans and brute force attempts.

The real value is in finding chained logic issues. For example, a user has certain privileges, then calls one API endpoint, then combines it with another action, and suddenly they can access data they should not be able to access.

That kind of logic is hard for a human to find manually, especially in API-first applications. That is what I worry about. You can build something where a specific endpoint gives access to an object in a way it should not, and the logic is so complicated that realistically, a human may never find it.

Darren: And in the future, because things are now being coded together with AI, you will run these tools during development.

It will not be something that happens months or years after the fact. You will develop an endpoint or a feature and run AI-driven security tests against it during the development process.

That is a very different model.

Konrad: So could AI actually make hosting safer in the long run?

Seb: I think it can make mature hosting environments safer.

Every vulnerability that gets closed is better. The more these issues are found and patched, the safer the environment becomes.

But there is another side to it. People are now vibe coding. They are building scripts, websites, and applications very quickly. When I vibe code something, even if it is just a script, I am not always thinking through all the logic in detail. Sometimes the AI misunderstands something and does it slightly wrong.

You might have a security agent running next to it, but will that agent really understand your context? And if it gives you a huge amount of feedback, will you even read it?

For customers who are vibe coding or building things with AI, I do not know how many of them will be able to create software that is free of vulnerabilities if they do not understand the context of what they are building.

Konrad: Apart from security, what is happening in hosting right now?

Seb: We are excited.

From a hosting.com point of view, the market just got much bigger. People who were not thinking about building a website or an app before are now thinking about it because AI and no-code tools make it easier.

Everyone has stories about trying to get a family member to build a website and watching them fail. But now, with no-code builders and AI tools, someone like that may have a real chance of building something half-decent.

That creates new demand. But it also creates new questions. Are we selling web hosting with no-code tools? Are we selling credits with websites? What is the role of domains in this new model? Nobody knows exactly yet.

If you were bored of hosting a year ago, you are definitely not bored now.

Konrad: Is this the biggest disruption the hosting industry has seen?

Seb: Yes, 100%.

I would say maybe 80% of hosts are worried. They are concerned about what is happening to their market, their business, and their growth. They are not sure where they fit.

But maybe 20% are really excited.

For us, it is an exciting time to be in an industry that touches millions of customers around the world. If you are capable, you can be ten times more capable now than you were six months ago.

Inside our own business, one of the most incredible things is what we are doing with AI in support and sales. The quality of what it allows us to do is mind-boggling.

Konrad: What is the main risk with AI adoption inside hosting companies?

Seb: The risk is enabling people to use AI while doing it securely.

We want everyone in the company to use AI tools as much as they can. But it is hard to educate people properly about data, access, and security.

You have to be very careful with company data and customer data. You cannot just connect everything to every tool and assume it is fine.

That is one of the big challenges. AI gives people power, but you need the right controls around it.

Konrad: So the opportunity is bigger, but the responsibility is bigger too?

Seb: Exactly.

AI is making the hosting market bigger. More people can build things. More people can experiment. More businesses can get online or create apps.

But the responsibility on hosts also increases. We need to help people build safely, not just quickly.

The winners will be the companies that understand both sides: the growth opportunity and the security risk.