Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Let's get tactical.

Vulnerability data isn’t the starting point. Context is. Ed Amoroso and Garrett Hamilton unpack why CVEs on their own don’t explain risk. What matters first: ⇢ What assets actually exist⇢ How controls are deployed and configured⇢ What the live posture looks like, not last month’s report With that context in place, vulnerabilities stop being noise and start becoming decisions. Garrett also makes a critical point near the end: many security tools are excellent at producing findings, but far less effective at helping teams resolve them.

Security investment only matters if it can be measured. In this roundtable, Josh Jones makes a straightforward point: security leaders need a way to quantify whether their investments are actually producing outcomes that can be explained to executives and boards. That challenge isn’t about buying more tools. It’s about answering basic questions: What are our tools actually doing? Where are controls misaligned or underused?

Configuration drift isn’t just “change.” It’s unmanaged change. Let's get practical about how teams should actually measure drift: ⇢ What type of change occurred⇢ How often those changes happen⇢ How critical they are in real context⇢ And—most importantly—how teams respond Volume alone isn’t the metric that matters. If changes pile up without response, alerts get ignored—and drift quietly becomes exposure.

Vulnerability management identifies weaknesses. Exposure management helps prioritize them based on real-world risk and context. Ed and Garrett unpack why traditional vulnerability programs struggle to drive real risk reduction. The challenge isn’t discovery. It’s prioritization and follow-through. Too often, vulnerabilities are treated as isolated IT tasks—handed off, tracked by SLAs, and stripped of the context that explains why they matter in the first place.

"Gartner estimates that 99% of cloud security failures through 2025 will be the customer's fault, primarily due to misconfigurations." Don’t become part of the statistic. Take our configuration drift product tour for a spin. Consider it some light work before the weekend. Most breaches don’t stem from cloud provider failures, but from customer-side issues like misconfigurations, weak identity controls, and unmanaged change.

It's always a pleasure to sit down and chat with Ed. Good security decisions don’t start with alerts. They start with context. We rarely do anything in life without understanding some baseline of context. Otherwise, we're essentially "flying blind." Garrett breaks down the three signals that actually drive meaningful change:⇢ A clear baseline of how your environment really operates⇢ What’s happening in the outside threat landscape⇢ What your own history is already telling you in the context of your business.

The silent killer in modern security programs? Garrett Hamilton and Todd Graham discuss how the real killer is settings quietly slipping out of alignment over time — even in environments packed with “best-in-class” tools and clean audit results. Misconfigurations don’t announce themselves. They accumulate. They age. They slowly pull your security posture away from original intent. What teams think is “turned on” often isn’t enforced consistently — or at all. Without continuous validation, drift becomes invisible risk.

Nicole Perlroth asks Garrett how Reach's involvement would have impacted the breach with Target. Attackers came in through a third-party HVAC vendor. Credentials were compromised. Alerts fired. But nothing rose to the level of urgency it deserved. As Garrett Hamilton explains at UCI, this is where security breaks down—not detection, but prioritization. Most teams keep investing in reacting faster inside the SOC. The harder (and more effective) shift is upstream: reducing the exhaust before it ever hits the console.

Humbled that CRN included Reach Security in their 2026 startups to watch list. This one’s for the team, our partners, and every customer who’s believed and shared in our vision — thank you. Onward.

Assessing Microsoft E3 and E5 is less about the license tier and more about understanding the security coverage you already own. In our conversation, Todd and Garrett break down what often gets missed in the E3 → E5 journey: Organizations move to E5 without clearly understanding:⇢ what coverage they already have with E3⇢ what incremental capabilities E5 actually adds⇢ and whether those capabilities are being adopted at all.