Who’s on the Line?

How TechJitsu founder Tracey Nyholt is closing the most human gap in cybersecurity: the help desk.

If you want to breach a fortress, you don’t always batter the gate, you call the front desk and ask them to unlock it for you. That’s the simple, uncomfortable truth driving Tracey Nyholt’s life’s work. As the founder and CEO of Calgary-based TechJitsu, Nyholt has built a company around the soft underbelly of modern security: the call center reset. When a convincing voice reaches a harried agent, armed with a few scraps of public data and the right tone, they can talk their way past knowledge-based questions, trigger a password or MFA reset, and walk out with the keys to someone else’s account. It’s an old con wearing a headset, and it still works.

TechJitsu’s answer is Caller Verify, a slim but sharp layer that turns the help desk from a weak link into a second factor. Instead of trusting birthdays, postal codes, or the name of a first pet, TechJitsu bridges the call to the enterprise’s existing MFA, Okta, Entra ID, and others, so the caller proves possession of a device or token before a reset proceeds. No new MFA to deploy. No parallel identity stack. Just a way to extend what organizations already rely on to the place criminals most like to probe: the phone.

Nyholt didn’t arrive at this problem from the usual route. She studied English literature, started her career in financial services, and found herself restless. Technical manuals became her late-night reading. She learned by doing and, more importantly, by documenting. “I would offer to write up the work of people a level above me,” she explains. “They hated documentation; I loved learning. It gave me access and context.” That habit, tidying complexity so others can act, shaped TechJitsu’s product philosophy: solve a surgical problem, integrate tightly, and listen obsessively to the people who carry the pager.

The attack that starts with “Hi, it’s me”

Anyone who has worked a help desk knows the pattern. The attacker performs a little reconnaissance, birth date from social media, a mother’s maiden name from a genealogy site, a recent city from a public profile. They call, sound urgent but polite, and answer just enough questions to pass a script built for a more innocent web. Within minutes, a reset link is sent, MFA is re-enrolled, and the account is theirs. For a consumer, that could mean savings drained. For a business, it could mean a foothold deep inside a corporate network.

Nyholt’s technology inserts a speed bump that’s hard to socially engineer. The agent initiates a verification challenge that rides on the organization’s MFA stack, push, one-time code, passkey, whatever is standard, so the person on the line has to prove they possess the enrolled device or factor. No device, no reset. Because it’s built as an integration, not an MFA replacement, the rollout is practical: identity teams keep their policies, logs, and telemetry in one place.

That decision, to integrate rather than invent was one of Nyholt’s earliest bets. It kept TechJitsu small and focused while aligning the company with the hard reality of enterprise IAM: nobody wants yet another source of truth.

Building a company around a narrow truth

TechJitsu started as an identity services shop, helping banks and credit unions strengthen MFA and access governance. The help desk gap emerged from a specific banking client who kept seeing well-rehearsed voice attacks. A prototype was hacked together “off the side of the desk” by problem-solvers who couldn’t leave the issue alone. Demand pulled the tool into a product; a dedicated development team made it robust, auditable, and enterprise-ready. Then came the market lesson many Canadian founders learn: the home market is supportive but small. TechJitsu shifted early to the U.S., where the volume of call centers, and the stakes of account takeover, are vast. With recent turbulence south of the border, Nyholt is opening lanes to the U.K., where regulatory clarity and strong IAM adoption present a natural fit.

Listening, not launching, has been the growth engine. TechJitsu runs a customer advisory board and treats sales feedback as a roadmap input, not noise. “The mistake most companies make is not really listening, or not having a way to get feedback to the developers,” Nyholt says. It’s not lip service. The product direction, how verification prompts flow, what events are logged, how agents are guided, reads like a transcript of frontline pain points.

AI, the voice in the wire - and why possession still matters

If the help desk exploit is old, the toolkit is new. AI has industrialized impersonation. Deepfake audio can match the cadence and timbre of a CEO or a spouse. Large language models can script a patient, believable escalation path. The caller sounds like the person you think they are, and the pressure to help feels real.

Nyholt’s team looks at AI from both flanks:

1. Defense against AI: By anchoring verification to possession—something you physically control; Caller Verify undercuts voice-only trust. It doesn’t matter how good the imitation is if it can’t unlock the factor.
2. Enablement of AI: TechJitsu has an in-house AI specialist and a long list of ideas, most of which don’t pass the company’s security threshold. “We’ve rejected more than we’ve shipped,” Nyholt admits. AI is finding life inside the business, ops efficiency, workflow assist, where risks are bounded. In the core product, where a mistake could ripple to customers, restraint is policy.

There’s also a quiet bet on the far horizon: quantum. Through an incubator connection, TechJitsu is collaborating with quantum specialists on a confidential project. Nyholt won’t share details, but the direction is clear: as cryptography evolves, authentication must evolve with it.

The founder’s path: creative entry, clear value

Nyholt’s own route into cybersecurity informs how she hires and mentors. She is not looking for perfect resumes; she’s looking for proof. “Don’t ask me for a job,” she says. “Show me how you create value. Tell me a story, bring me an analysis, build a tiny tool, something that moves the ecosystem forward.” Communication sits at the top of her skills list for the next decade: translating technical controls into business risk and business value, so executives say yes for the right reasons.

As a woman founder, Nyholt avoids preciousness about culture. “Sometimes the environment is rough and tumble,” she says. “I learned to be comfortable there, and to be assertive when needed. If I was talked over, I talked back.” But she also emphasizes reciprocity and learning. “There’s a lot to admire and adopt from different styles, helpfulness, directness, pragmatism.” Her advice to newcomers is refreshingly tactical: volunteer to document systems, shadow jobs you want, make yourself useful to people who are too busy to teach. It’s how she moved up, by reducing friction for others and absorbing the context that separates “knowing a tool” from “owning a function.”

Community as an accelerant

If there’s a single theme that recurs in Nyholt’s story, it’s the compound interest of community. She’s a serial participant in Alberta’s accelerator circuit, ATB X, Platform Calgary, and beyond, and credits mentorship for sparing her avoidable mistakes. Government support has mattered too, from trade missions to grants that widened TechJitsu’s network and opened doors, including the quantum partnership.

That community lens extends to customers. The advisory board isn’t a box-tick; it’s a governance organ. When a customer points to an operational edge case or suggests a new log field, it tends to show up fast. The payoff is trust, and trust, especially in identity, is the only force that compounds faster than risk.

Why the help desk matters more than ever

It’s tempting to dismiss the phone as a legacy surface. Modern identity is about phishing-resistant MFA, passkeys, risk engines, device posture… right? Yes, and still, the last mile of many critical workflows runs through a human with a headset and a reset button.

As AI raises the ceiling on social engineering, the voice channel becomes more dangerous, not less. Caller Verify’s promise is modest by design: it doesn’t claim zero trust magic; it simply insists that a reset require the same possession factor you’d need to log in five minutes later. It turns the help desk into an extension of your identity perimeter rather than a detour around it.

For Nyholt, that’s the kind of progress that sticks: a targeted fix that bends loss curves without upending an architecture. You can hear the English-lit major in her when she talks about it—not as a “solution,” but as a story with a clean arc. There’s a protagonist (the agent who wants to help), an antagonist (the caller who wants to exploit that impulse), and a plot device (possession-based proof) that changes the ending.

What comes next

TechJitsu will keep exporting, deeper into the U.S., where the problem is loudest, and into the U.K., where regulatory discipline meets operational scale. The product will stay lean, anchoring to enterprise MFA rather than competing with it, expanding integrations, and tightening the loop between agent experience and security outcomes. AI will be used carefully. Quantum will be explored deliberately. And the community that helped build the company, mentors, customers, peers, will remain part of the operating system.

There’s a bigger lesson here for Canadian cyber more broadly. We win not by trying to be everything, but by being surgical: find a gnarly, universal problem; hook into the platforms the world already runs; and make the fix painless for the people who actually do the work. TechJitsu is a case study in that posture, a small company taking a big bite out of a very human vulnerability. Back at the “front desk,” the phone still rings. The difference now is what happens next. With this technology in the loop, the caller’s story isn’t enough. Possession talks. The reset waits. And the gate, finally stays shut.

You can reach Tracey on Linkedin