Cyber Legends: Inside the Mind of a STAR

After 35 years in cybersecurity, Mark Kennedy reflects on risk, resilience, adaptive defenses, and ‘fighting bad guys’

  • Cybersecurity veteran Mark Kennedy says innovation often comes from spontaneous insight, but planning is what turns those ideas into sustainable breakthroughs.
  • Learning from experienced professionals like Mark can spark new opportunities for innovation that go beyond what any one team could achieve alone.
  • Threats may seem to drive cybersecurity, but the community and the standards it sets are what truly define resilience and protection. 

The strength of the cybersecurity community lies in how openly we all share what we learn. Threats constantly evolve. The best way to stay ahead is through the collective intelligence of experts who’ve seen it all and are generous enough to pass their knowledge on.  

Few share intel like Mark Kennedy, a Distinguished Engineer at Broadcom and, as he jovially calls himself, “the old man” of Security Threat Analysis and Response (STAR)—Broadcom’s cybersecurity SWAT team whose insights have helped give rise to countless groundbreaking protections. Mark is the longest-tenured employee at Symantec, his 35-year career spanning nearly the entire history of modern cybersecurity. In that time he’s mentored up-and-coming analysts, dismantled emerging threats, and helped shape the very industry he’s served.

I sat down with Mark to talk about the sparks of innovation that led to the development of Adaptive Protection, a unique defense against living-off-the-land (LOTL) and other attacks, and his reflections on his early career, meaningful innovations, and the tests that prove it.

Begin at the beginning

What drew you to engineering as a calling?

When I was in high school, my cohorts sort of assumed that I knew computers, just because I was kind of mathematical, but I didn’t. But then, as I hit my senior year, I thought it would be irresponsible for me to go to college not knowing what I was going to do. That bothered me. 

“And I thought, ‘You know, this computer thing? This might turn into something.’ This was 1977.”

The weird thing about computers at that time was that the colleges were actually lagging. The professors had just come through the early days of computing (50s and 60s) and didn’t quite reflect the reality of the world. All the advancements were out there happening in the real world.

When did you realize your classes lagged behind the real world? 

While I was in college, I had jobs programming, so I knew what was happening with cutting-edge stuff and techniques in the real world. In some of those early courses, the languages they were teaching weren’t really in operation anymore. It’s always funny when later in my career I’d use something I learned in college. It was very rare.

A journey through the rise of modern cybersecurity

What were the early years of your career like?  

My first job coming out of college was working for Mattel Electronics writing video games for the Intellivision console. I thought, “I’m going to be working at such a highly sought-after position. I’m going to be working with the best of the best.” It was a lot of fun until the video game industry as we knew it crashed in 1984…which is when I knew I had to get a real job. 

I then moved through a number of startups. In my first nine years I worked for five and a half companies before I joined Symantec. It’s sort of been the norm for engineering—people move around, get some expertise, market it, and move on to the next one.

What made you stick with Symantec?

“It’s meaningful work, you know? We’re fighting bad guys, we’re doing good. We have a great team of engineers, and it’s always been fun—and continues to be.”

I told my kids when they were growing up that there’s what you’re good at, what you enjoy, and what you get paid for. I’ve been fortunate that I have all three. And that’s why I’m still doing it. It’s like a perpetual hobby that I’m getting paid for.

Is there anything from your time in cybersecurity that you’re particularly proud of?

In the early 2000s, cybersecurity was dealing with the transition from files being infected to machines being infected. We came up with a fundamental change in the way that security should be handled. We’re only now beginning to realize the system we envisioned 20 years ago—we were pretty ahead of our time. It’s one of those interesting what-ifs that make you appreciate the innovation that started it all.

The making of Adaptive Protection

How did Adaptive Protection, one of your standout projects, emerge as a solution?

Much as it chagrins me, Adaptive Protection sort of came out of the open seating arrangement that Symantec had adopted—which I was very opposed to.

I was sitting at my desk, and some people were talking. Something clicked in my head about what they said. I was like, “Wait a minute. What if we could learn what behaviors were used in an organization and make the policy adapt to those normal behaviors, and block abnormal behaviors that could be signs of malicious activity?” 

That’s when I realized we needed to break the one-size-fits-all paradigm of traditional security. Since we couldn’t block these actions for everyone, we needed to mold protection to reflect how each organization actually behaved. The idea is if a behavior is unused in the organization, or has specific patterns, our default is that we don’t allow that behavior, or we limit that behavior using exceptions. It all just came together.

When you were developing Adaptive Protection, how did you decide what to remove from systems?

A computer system is like a toolbox. It's got all these tools that do good things, but they can also be used for bad things (such as with LOTL attacks). Our goal was to kick things out of the toolbox that you didn't need. Like, if your house only has screws, then you don’t need a hammer. There’s nothing wrong with a hammer, but a hammer can break a window.

If you don’t need it, let’s take it off the table.
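The approach Mark describes above, learning which behaviors an organization actually uses and defaulting to deny everything else with explicit exceptions, can be sketched in a few dozen lines. The following is an added illustration, not Symantec's or Broadcom's code and not how Adaptive Protection is implemented. It assumes that a "behavior" is a parent-process / child-process pair (the "tool" being pulled out of the toolbox), that telemetry arrives as constructed sample events, and that a behavior must be seen on at least `min_hosts` endpoints during the learning window before it is baked into the allow policy, so a single unusual event does not become normal:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    """A behavior is modeled as 'parent process launches child process'. Assumption for this example."""
    parent: str
    child: str


@dataclass(frozen=True)
class Event:
    """One process-creation record from endpoint telemetry (constructed shape, not a real product format)."""
    host: str
    parent: str
    child: str


# Constructed sample telemetry for the learning window. Not real data.
LEARNING_EVENTS = [
    Event("ws-01", "explorer.exe", "powershell.exe"),
    Event("ws-02", "explorer.exe", "powershell.exe"),
    Event("ws-03", "explorer.exe", "powershell.exe"),
    Event("ws-01", "services.exe", "svchost.exe"),
    Event("ws-02", "services.exe", "svchost.exe"),
    Event("ws-03", "services.exe", "svchost.exe"),
    # Seen once on one host only: below the host threshold, so it is NOT learned as normal.
    Event("ws-04", "winword.exe", "powershell.exe"),
]


class AdaptivePolicy:
    """Default-deny policy whose allow list is learned from observed behavior, plus explicit exceptions."""

    def __init__(self, min_hosts: int = 2):
        self.min_hosts = min_hosts          # how widespread a behavior must be to count as "used here"
        self.allowed: set[Behavior] = set()  # learned from telemetry
        self.exceptions: set[Behavior] = set()  # administrator-granted carve-outs

    def learn(self, events) -> set[Behavior]:
        """Learn the baseline: keep behaviors seen on at least min_hosts distinct hosts."""
        hosts_per_behavior = defaultdict(set)
        for e in events:
            hosts_per_behavior[Behavior(e.parent, e.child)].add(e.host)
        self.allowed = {
            b for b, hosts in hosts_per_behavior.items() if len(hosts) >= self.min_hosts
        }
        return self.allowed

    def add_exception(self, parent: str, child: str) -> None:
        """Explicitly permit a behavior the organization needs but did not exhibit during learning."""
        self.exceptions.add(Behavior(parent, child))

    def decide(self, event: Event) -> str:
        """Return the policy decision for one event: allow, allow (exception), or block."""
        b = Behavior(event.parent, event.child)
        if b in self.exceptions:
            return "allow (exception)"
        if b in self.allowed:
            return "allow"
        return "block"  # unused in this organization, so it comes off the table

    def evaluate(self, events) -> dict:
        """Summarize decisions over a batch of events, e.g. for a dry-run before enforcement."""
        summary = defaultdict(int)
        for e in events:
            summary[self.decide(e)] += 1
        return dict(summary)


if __name__ == "__main__":
    policy = AdaptivePolicy(min_hosts=2)
    for b in sorted(policy.learn(LEARNING_EVENTS), key=lambda b: (b.parent, b.child)):
        print(f"learned: {b.parent} -> {b.child}")
    # Constructed post-learning events: the first is normal here, the second was never normal here.
    for e in [Event("ws-07", "explorer.exe", "powershell.exe"),
              Event("ws-07", "winword.exe", "powershell.exe")]:
        print(f"{e.parent} -> {e.child}: {policy.decide(e)}")
```

The host threshold is the knob that decides how aggressive the learned policy is: with `min_hosts=1` every behavior ever observed becomes normal, while a higher value keeps rarely used tools out of the toolbox and forces them through the exception path, which is where an administrator can review whether they are actually needed.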

MRG Effitas found Adaptive Protection was able to identify malware activity 4 seconds sooner. Why does that matter?

“Those 4 seconds could be the difference between a protected machine and total destruction.” 

In that time, how much critical data could be exfiltrated? How many files could be destroyed? And could the threat escape to another machine before it can be stopped? Adaptive Protection breaks traditional security testing because it’s designed to adjust to an organization’s unique configurations.

Why is the right kind of testing so important?

Testing has to reflect real-world environments. If you just run a file against one configuration, you’re missing the point. Malware behaves differently across setups, and Adaptive Protection is built for that reality.

Redefining standards for a more secure future

Why is your work with standards organizations like AMTSO and IEEE ICSG so critical?

Testing isn’t just about internal validation. It has industry-wide implications, which is why testing standards are so important. Being able to influence stuff like testing standards is… something I feel I made a real contribution to not only the company, but also to the industry.

What trends in cybersecurity are more likely to drive innovation next, aside from AI? 

If I could fast-forward to the end of where we would be, we would not be needing to write proactive signatures. We would have a system that takes all of these disparate events from everything, with an engine that quickly starts contributing to it. We want to make it as difficult as possible for attackers to circumvent. This is what drives innovation.

Experience shapes our community and our security

In cybersecurity, no one has all the answers. Progress happens when we pool our knowledge, challenge our assumptions, and look out for one another. With Broadcom’s R&D engine (the company spent over $11,000 a minute on R&D in fiscal 2025), Symantec and Carbon Black strive to ask the important questions and share what we’ve learned—across teams, companies, and the community at large. 

After decades in the trenches, experts like Mark remind us that protection must evolve as quickly as the threats do. Breakthroughs like Adaptive Protection embody years of insight, collaboration, and innovation across Symantec’s legendary team.

Read the Putting Adaptive Protection to the Test whitepaper to see how Adaptive Protection stops LOTL attacks and other threats without disrupting day-to-day operations for end-users. 
