Hosts Del Mar happened in the middle of a security shift the hosting industry has not finished absorbing. For twenty years, providers have sold security the same way: a customer’s site gets hacked, a malware scan finds the damage, the customer buys a cleanup. That model is now breaking. Frontier LLMs are in the hands of hackers before they reach defenders, time from disclosure to active exploitation has dropped to a few hours, and the volume of new vulnerability reports has jumped 10x in months. We sat down with Oliver Sild, CEO of Patchstack, to talk about why the post-breach sales model is broken, why fixing vulnerabilities was never the real problem, what the convergence between vibe coding and hosting means for customer distribution, and what changes for hosts when 90% of customer websites already have at least one open vulnerability.
This interview is part of a series recorded at Hosts Del Mar – a private, invite-only hosting industry gathering on Ibiza, organized by Atarim, Monarx, Patchstack, and StorPool Storage.
Konrad: This is the second edition of Hosts Del Mar. What are your impressions so far?
Oliver: I like that you come together for business, not to make business. Many people here are already our customers, so there is no reason to push business. Instead you get to know the people behind the companies. When you take that pressure off, the discussions get more interesting. People talk about how they see the industry going, what challenges they have, what their plans are for the next six to twelve months. You do not get that at conferences, because everyone is pitching. Here people think out loud. That is more valuable than any pitch.
Konrad: What is the strongest pattern you have noticed in those conversations?
Oliver: I have a strong conviction that vibe coding companies are turning into hosting companies, and the other way around. Every hosting company here is exploring how to bring vibe-coded applications onto their platform. And the vibe coding companies are becoming hosting companies because they have to. The bigger point is that the market is expanding faster than anyone could go and take share from someone else. A year ago, if I asked ten of my friends how many could build a website, maybe two would say yes. Now it is five or six. That increases the number of websites going online and the number of domains being bought. We thought the industry was already so big that it could not really grow. It clearly can.
Konrad: Do hosting companies stand a chance against the AI-native players like Lovable?
Oliver: Hosting companies have leverage. Not every customer is an early adopter. Most Lovable customers are. But a lot of people do not care about cutting-edge features. Vibe coding will become a standard way of building things, and hosting companies have a very good understanding of the price-conscious segment that will end up using it. They also have something Lovable does not have yet: an understanding of what a customer needs around the website. I can almost predict the timeline. In three to six months, Lovable will introduce email. Then backups. Then they will realise the sites need to be maintained, and start hitting security issues. Then they will need managed hosting. Hosting companies have already gone through all of that.
Konrad: And they already have the customers.
Oliver: Yes. Hosting companies have customers who bought a domain because they had an idea. Those domains are already sitting somewhere. When that customer decides to actually build the site, it is much more convenient to do it where the domain already lives. That distribution is real. The catch is that hosting companies have to move fast, and the industry has never been known for moving fast.
Konrad: Let’s get to security. The cPanel issues were the loudest topic at this event. What is your read on it?
Oliver: Fixing vulnerabilities has never been the issue. With the cPanel thing as well, the fix exists. The problem is that people are not applying the fixes. Security has always been a people problem, not a technology problem. That is unchanged. What has changed is the speed. Frontier LLMs are very good at finding security vulnerabilities. The tools are not distributed equally. Hackers get the powerful tools first because they have something monetary to get out of using them. People on the defending side think they are not the target. They are not spending the way they should to keep up. So the volume of vulnerabilities found is going to keep going up.
Konrad: Are you already seeing that volume increase at Patchstack?
Oliver: Massively. Patchstack runs an open bug bounty program. We are the security point of contact for the largest plugins in the WordPress ecosystem. If someone finds a vulnerability in Elementor, for example, they report it through us. We then ship a protection rule to our customers before the vulnerability is even publicly disclosed. In the past three to six months, the number of vulnerability reports we receive has gone up roughly 10x. February alone was close to 3,000 reports in a single month, compared to a few hundred a month at the end of last year. We had to rebuild our internal system to handle the load. A lot of these reports are already AI-found.
Konrad: What does that do to the time between a vulnerability becoming public and being exploited?
Oliver: It has dropped to a few hours. A vulnerability gets published, hackers feed the diff between the vulnerable and the fixed version into an AI, and the AI writes them the exploit. Then they spray it across anything they can reach without picking victims, and look at what they hit afterwards. The old model of “just update the plugin” is broken. By the time the customer gets around to updating, the site may already be compromised.
Konrad: How does Patchstack handle that?
Oliver: We do virtual patching. We eliminate the vulnerability on the application level without touching the underlying code. Customers panic if you actually modify their code, so we do not. The fix is applied accurately and precisely, the moment the vulnerability appears, before the customer has time to react. We also just announced a partnership with GoDaddy. All of GoDaddy’s customers can see our threat intelligence and vulnerability information for free. If a vulnerability is reported through our system, every GoDaddy customer running the affected plugin is notified. They can either fix it themselves or enable Patchstack to apply the protection rule automatically. This is going to become a default for every hosting company.
Konrad: How is that changing how security gets sold?
Oliver: It flips the model. For twenty years, the hosting industry has sold security after the customer gets hacked. The site gets compromised, a malware scan finds something, the customer buys a cleanup. The model works because the customer has a pain. But you are only ever selling to the small percentage of customers who have already been breached. With Patchstack we surface the vulnerabilities on the websites before anything has happened. When a new hosting company comes to us, we run a free scan on their infrastructure. Roughly 90% of websites at any given moment have at least one vulnerability. So now your sellable audience is not the 2% who got hacked. It is the 90% who could be. We see roughly 20% attach rates on the vulnerability notifications we send out. The market for proactive security is a different size than the market for cleanup.
Konrad: There is also a regulatory layer coming with the Cyber Resilience Act.
Oliver: The Cyber Resilience Act is European law that will make vulnerability management mandatory depending on what kind of company you are. We are preparing for it. The next thing Patchstack is rolling out is making vulnerability disclosure programs available for every single website. If someone visiting a site finds a security bug, they can report it directly through that site. The report flows into Patchstack and we process it the same way we process everything else. Protection gets applied automatically. We are also extending Patchstack to vibe-coded applications, including Horizons, Lovable, Bolt, and Replit. A customer running any of those will be able to install Patchstack with one click and get the same coverage as a WordPress site.
Konrad Keck