
How Asimily Is Re‑thinking Security for the Internet of Things

When Shankar left a senior post at Symantec to found Asimily, he thought he understood hard problems. He had managed billion‑dollar product lines, helped design the iPhone 3G modem, and spent years mapping out Symantec’s IoT strategy. Yet the moment he stepped away from corporate infrastructure—“me, myself, and PowerPoint slides,” as he jokes—he discovered something tougher: bringing order to the chaotic, heterogeneous world of connected devices that power hospitals, factories, and entire cities.

Today, Asimily is one of Gartner’s highest‑ranked vendors for medical‑ and industrial‑IoT security, but the path there reveals as much about the state of critical‑infrastructure security as it does about start‑up grit. Below are five takeaways from Shankar’s recent appearance on the Startup Project podcast—and why they matter to anyone watching the next wave of connected systems.

1. Healthcare Is the Ultimate “System of Systems”

Asimily’s origin story begins in hospitals, where device diversity and regulatory complexity collide. A single facility may run MRI scanners, infusion pumps, HVAC controllers, and paging systems—all from different manufacturers, all speaking their own arcane protocols, and all subject to HIPAA or GDPR restraints that forbid tampering with patient data. Shankar calls it “the most challenging environment in any vertical.” By focusing first on healthcare, Asimily forced itself to solve for the hardest edge cases—passive network monitoring that never interrogates a life‑critical device, on‑prem deployments for data sovereignty, and integrations with everything from CMDBs to SIEMs. If it works in an ICU, it will probably work anywhere.

2. Visibility Still Beats AI Hype … But Context Is King

Five years ago hospital CISOs wanted one thing: a real‑time asset inventory. They still do, yet visibility alone can no longer keep pace with ransomware crews that treat unpatched ultrasound machines the way pickpockets treat unlocked cars. Asimily’s answer layers device‑aware context over classic network telemetry: Which vulnerabilities are actually reachable from a given subnet? How would malware laterally move through an OR? When every medical device vendor warns that patching voids the warranty, prioritization and compensating controls—micro‑segmentation, firmware‑level mitigations, or even simple network throttling—matter more than a tidy CVE list. That depth of analysis, Shankar argues, is where Asimily now outpaces look‑alike scanners.

3. Smart Cities Are Less Sci‑Fi, More Plumbing

“Smart city” once conjured Jetsons‑style streets that anticipate traffic and locate parking spots. The reality, Shankar says, is prosaic: wastewater plants, traffic lights, environmental sensors—all suddenly IP‑addressable. At 5 percent connectivity the risk felt hypothetical; at 40 percent it is an urgent operational question. A stalled sewage pump or frozen signal grid cripples civic life faster than a consumer website outage. Asimily ports its healthcare playbook here: passive collectors, cloud or fully on‑prem analytics, and APIs that enrich the municipality’s existing SOC. The lesson is simple: critical infrastructure rarely needs bleeding‑edge features; it needs tools that respect uptime, safety, and long equipment lifecycles.

4. Hardware Is Just a Delivery Vehicle

Despite shipping its own appliance, Asimily thinks of itself as a pure‑software firm. Off‑the‑shelf boxes (or virtual machines) sit inside a customer’s network, siphon mirrored traffic, strip out any patient or personally identifiable information, and forward only device metadata for analysis. Where policy forbids the cloud, everything runs on‑prem. That architectural choice—commodity hardware plus software smarts—keeps margins healthy while side‑stepping import‑control nightmares and silicon shortages. It also lets Asimily pivot quickly when customers ask for AI‑assisted incident forensics or automated compliance reports; new modules roll out as firmware updates, not forklift refreshes.

5. Sales Motions Mature, but Trust Stays Personal

Shankar closed Asimily’s first deal himself, armed with a demo and a handful of Symantec‑era relationships. Today the company runs a channel‑first model, complete with solution engineers and VAR partners. Yet decision makers remain largely the same: CISOs who balance MRI uptime against cyber risk, wastewater supervisors who fear midnight phone calls, operations chiefs who know that a security product which bricks a CT scanner on day one will be ripped out on day two. For all the talk of AI copilots and self‑healing networks, enterprise buyers still reward vendors that obsess over patient safety, regulatory nuance, and the gritty details of packet capture in a 15‑year‑old PLC.

Asimily’s roadmap hints at where industrial security is heading. New modules for configuration control and richer forensic replay will appear this year, and the company is quietly weaving generative‑AI techniques into both engineering workflows and customer‑facing features. Shankar is cautious—no customer data touches public LLMs—but optimistic that the technology can shrink incident‑response time without adding headcount.

The bigger story, though, is that critical‑infrastructure security is far from “solved.” Hospitals, factories, and cities are still climbing Maslow’s hierarchy: first inventory, then analytics, then autonomous defence. Ten years from now, winners will be the platforms that layered innovation upon pragmatic foundations—partners who remembered that a traffic signal or infusion pump is not an endpoint but, quite literally, a lifeline.


Nataraj is a Senior Product Manager at Microsoft Azure and the author of Startup Project, which features insights about building the next generation of enterprise technology products and businesses.

