Erin Luper Cybersecurity Expert

Erin Luper at graduation, alongside her husband of twenty-five years, Dave Luper II.

Erin Luper heads cybersecurity at LuperIQ.

Background and role

Erin Luper heads platform-wide cybersecurity work at LuperIQ. The function exists because the founder believed a serious platform deserves a named owner for its security posture and roadmap, not a checklist owned by nobody. Erin owns that work.

Erin came to security work the long way. She founded the Galveston College Computer Science Club and served as its first president, then went on to lead the same college's chapter of Phi Theta Kappa, the international honors society for community-college students, also as president. From there she pursued computer engineering at the University of Houston Clear Lake, and stepped away from the program to focus on family and work. She returned to school years later, specifically to study cybersecurity.

All of that happened alongside raising a family with her husband of twenty-five years, Dave Luper II. The four kids found their own tracks early. Hope, their oldest, has been a network analyst at a WISP for a couple of years, a role she started in her teens. Rebekah, their second daughter, graduated college at eighteen; she had been managing a cell phone repair store since sixteen, and now runs her own cell phone repair business with two locations. Brooke, their third daughter, founded an AI robotics company aimed at bringing manufacturing back to America. Davey, their son, was reading by three and counting in binary by two, and his favorite thing to do is learn about circuits.

The work at LuperIQ breaks into three layers. Threat modeling against actual adversaries, not theoretical ones. Defense-in-depth review of every release before it ships. And the long-horizon project of getting the codebase ready for verticals where the bar is much higher than what service-business websites get held to.

Nothing ships without her sign-off. That includes the dependency upgrades, the route additions, the auth-boundary changes, and the quiet refactors that touch a security-relevant code path. The guarantee is simple. If a release weakens a defense Erin set into the platform, the release does not go out.

Current research program

The active research bench, in the order each item is shouting the loudest at the moment.

Threat modeling against state-level adversaries. Foreign intelligence services and well-funded organized crime get treated as first-class adversaries, not edge cases. The work assumes the patient, motivated attacker who already has a foothold somewhere on the customer's network.

Supply-chain provenance. Reproducible builds, signed releases, and a software bill of materials that any customer can independently verify against our public source. The goal is a platform where you do not have to take our word for anything you can verify yourself.

Tamper-evident audit trails. The Merkle-chained event log already detects internal tampering. The current work extends it so an external auditor can prove no record was altered after the fact, on demand, without having to trust our infrastructure.
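As an added illustration (not LuperIQ's own code; the platform's log format is not published here), a minimal hash-chained audit log in Python that separates the two properties the paragraph describes: internal tamper detection by re-hashing the chain, and an external auditor's proof that rests on a checkpoint held outside the operator's infrastructure. A linear chain stands in for the platform's Merkle structure, and the record fields and sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first record

def _canonical(obj: dict) -> bytes:
    # Deterministic encoding: the same record always hashes to the same value
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(entry: dict) -> str:
    # Covers every field except the hash itself; prev_hash is inside the covered data
    return hashlib.sha256(_canonical({k: v for k, v in entry.items() if k != "hash"})).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "target": target, "prev_hash": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        # Hand this value to the auditor out of band and it becomes a checkpoint
        return self.entries[-1]["hash"] if self.entries else GENESIS

def verify_chain(entries: list, expected_head: str = None):
    """Return (ok, first_bad_seq). Re-hashes every record and follows the chain;
    with expected_head it also requires the chain to end at the auditor's checkpoint."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None

def rechain(entries: list) -> list:
    """Recompute every hash from the first record on, as an insider with write access
    could after editing a record; only the external checkpoint exposes the rewrite."""
    prev, out = GENESIS, []
    for e in entries:
        e = dict(e, prev_hash=prev)
        e["hash"] = entry_hash(e)
        out.append(e); prev = e["hash"]
    return out
```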

Key management. Per-tenant key separation. Hardware-backed signing where the deployment supports it. Rotation policies the customer drives, not the platform.

Each item above feeds directly into one of the four hardening tracks below.

E-commerce cybersecurity hardening

E-commerce is the easiest category to attack because the payoff is immediate cash. The work in this track is the gap between "Stripe handles the card" (true, and good) and "the full purchase flow is secure" (the harder problem).

Account takeover defenses. Behavioral signals on login. Breached-password checks before a password change is accepted. Step-up authentication on high-risk actions like address changes, payout edits, or first-time large purchases.

Cart and price tampering defense. Server-authoritative pricing on every step of checkout, with cryptographic binding between the cart the customer sees in the browser and the cart that gets charged at the gateway.
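An added Python sketch (not the platform's code) of what server-authoritative pricing plus cryptographic binding looks like in practice: the browser submits only SKUs and quantities, the server prices the cart and tags it with an HMAC, and the charge step rejects both a client-edited cart and a quote that has gone stale. The catalog, key and SKUs are constructed for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed sample catalog and key for the example; a deployment would read
# both from its own configuration and key-management layer.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("249.00")}
CART_KEY = b"constructed-demo-key"

def _canonical(cart: dict) -> bytes:
    # Deterministic encoding so the tag is computed over exactly one byte string
    return json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()

def price_cart(items: dict, catalog: dict = CATALOG) -> dict:
    """Server-authoritative pricing: the client only ever sends SKUs and quantities.
    Unit prices and the total come from the catalog, never from the browser."""
    lines = []
    for sku, qty in sorted(items.items()):
        if sku not in catalog or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"rejected line {sku!r} x {qty!r}")
        lines.append({"sku": sku, "qty": qty, "unit": str(catalog[sku])})
    total = sum((catalog[l["sku"]] * l["qty"] for l in lines), Decimal("0"))
    return {"lines": lines, "total": str(total)}

def bind(cart: dict, key: bytes = CART_KEY) -> str:
    """Tag the priced cart so the copy shown in the browser is bound to this snapshot."""
    return hmac.new(key, _canonical(cart), hashlib.sha256).hexdigest()

def charge(cart: dict, tag: str, catalog: dict = CATALOG, key: bytes = CART_KEY) -> Decimal:
    """Gateway step with two checks that catch different failures:
    1. the tag proves this is byte-for-byte the cart the server priced, so any
       price, quantity or total edited in the browser is rejected;
    2. re-pricing from the catalog catches a snapshot that went stale, so the
       shopper is re-quoted rather than silently charged a different amount."""
    if not hmac.compare_digest(bind(cart, key), tag):
        raise ValueError("cart binding check failed: cart was modified client-side")
    fresh = price_cart({l["sku"]: l["qty"] for l in cart["lines"]}, catalog)
    if fresh != cart:
        raise ValueError("price changed since quote; re-price and re-bind")
    return Decimal(cart["total"])
```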

Refund and friendly-fraud detection. Pattern matching on dispute behavior across a customer's history, exposed to the operator so they can act before the dispute lands.

Bot mitigation that does not ruin the legitimate-buyer experience. No CAPTCHA walls on the path to purchase. Behavioral fingerprinting that lets real shoppers through and slows the bots down.

This track ships incrementally. None of it requires the customer to install a third-party plugin or sign up for an external fraud-screening service.

Hospital and clinic cybersecurity defense layer

Healthcare is where the worst breaches happen and where the human cost is highest. The hospital track is about getting LuperIQ to a state where a hospital CISO can deploy us without an architectural-review red flag, long before any HIPAA paperwork is signed.

Field-level encryption. Any field flagged as patient-identifying gets encrypted at rest with a key the institution can rotate, and the plaintext never sits in a database column accessible to a generic "all read" admin role.

Audit logs that prove who saw what. Read-side audit, not just write-side. When an auditor asks who pulled a chart at 2:14 AM on a Tuesday, the answer comes back in seconds.

Role separation enforced at the type level. A billing user cannot, by any path in the codebase, see clinical notes. The compiler refuses to let that data flow happen, which is stronger than a runtime check that could be bypassed.

Break-glass procedures with mandatory after-the-fact review. Emergency access stays available, but every break-glass event triggers a second-human review within 24 hours, recorded in the same audit log as the access.

LuperIQ is not running any hospital today. The platform is being engineered as if it will be, so that when the conversation starts, nothing has to be retrofitted under deadline.

Banking-class cybersecurity controls

Financial institutions live under continuous regulatory examination. The banking track is about being able to answer the regulator's questions on demand, with controls that are documented, demonstrable, and live on every release.

Cryptographic controls aligned with FIPS 140-3 module expectations. Where a deployment requires it, key operations move into a module that has been through the validation process.

Privileged-access management with mandatory dual control. Production credentials and signing keys require two humans to release, with an audit trail the customer keeps.

Continuous-monitoring telemetry exportable to the SIEM the bank already runs. Splunk, Sentinel, Elastic, whatever the institution standardized on. The platform writes structured events that drop into the existing pipeline.

Disaster-recovery runbooks that get exercised, not just written. Every quarter, somebody on the team runs the failover path end to end. The runbook gets updated against what actually happened, not against what should have happened.

Same caveat as healthcare. No banks are deployed on LuperIQ today. The work is the work.

Government agency cybersecurity posture

Public-sector procurement asks hard questions about supply chain, code provenance, and accountability. The government track is about being able to answer all three without flinching.

Reproducible builds. A third party can take our public source and verify that the binary we shipped came from exactly that source, with nothing inserted by the build pipeline.

Software bill of materials published with every release. Every dependency, every version, every license, machine-readable.

Vulnerability disclosure policy aligned with CISA's coordinated-disclosure expectations. Researchers know how to reach us, what timeline to expect, and what credit they will get.

Code review and change control documented at a level that holds up under federal procurement scrutiny. Who reviewed what, when, and what they signed off on, kept in a tamper-evident log because the platform happens to provide one.

Contact

Security researchers, regulated-industry buyers, and journalists covering the cybersecurity beat: email security@luperiq.com. That inbox routes directly to Erin and gets read every day.

Disclosures get credited in release notes, with the researcher's permission. We do not lawyer up first, and we do not silence good-faith research.