Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

We really enjoyed our conversation with Ed Amoroso from TAG Infosphere. We didn’t start Reach to chase headlines. We started it because the hard security problems weren’t getting solved. The important ones rarely are. Security only works when incentives are aligned to the customer’s actual outcome. Not noise. Not theater. Not (exclusively) shiny tools. That alignment is what makes the work worth doing.

“IT giveth. Security taketh.” A topic examined in a print interview with Colt Blackmore, co-founder & CTO of Reach Security, written by Dan Raywood at Security Boulevard: ︎ The long-standing friction between IT enablement and security restriction︎ Configuration drift as the quiet divergence between intended and actual state︎ How incremental change accumulates into measurable risk︎ The challenge of maintaining alignment in complex, fast-moving environments︎ Why drift often remains invisible until consequences surface.

Zero Trust (and probably many general posture) conversations stall at one question: Where are we actually today? Because Reach connects directly through APIs, teams can quickly assess their environment without deploying new agents or ripping anything out. That makes it practical to benchmark a Zero Trust program against the CISA Zero Trust Maturity Model — and see what’s real vs. assumed.

Let's get tactical.

Vulnerability data isn’t the starting point. Context is. Ed Amoroso and Garrett Hamilton unpack why CVEs on their own don’t explain risk. What matters first: ⇢ What assets actually exist⇢ How controls are deployed and configured⇢ What the live posture looks like, not last month’s report With that context in place, vulnerabilities stop being noise and start becoming decisions. Garrett also makes a critical point near the end: many security tools are excellent at producing findings, but far less effective at helping teams resolve them.

Security investment only matters if it can be measured. In this roundtable, Josh Jones makes a straightforward point: security leaders need a way to quantify whether their investments are actually producing outcomes that can be explained to executives and boards. That challenge isn’t about buying more tools. It’s about answering basic questions: What are our tools actually doing? Where are controls misaligned or underused?

Configuration drift isn’t just “change.” It’s unmanaged change. Let's get practical about how teams should actually measure drift: ⇢ What type of change occurred⇢ How often those changes happen⇢ How critical they are in real context⇢ And—most importantly—how teams respond Volume alone isn’t the metric that matters. If changes pile up without response, alerts get ignored—and drift quietly becomes exposure.

Vulnerability management identifies weaknesses. Exposure management helps prioritize them based on real-world risk and context. Ed and Garrett unpack why traditional vulnerability programs struggle to drive real risk reduction. The challenge isn’t discovery. It’s prioritization and follow-through. Too often, vulnerabilities are treated as isolated IT tasks—handed off, tracked by SLAs, and stripped of the context that explains why they matter in the first place.

"Gartner estimates that 99% of cloud security failures through 2025 will be the customer's fault, primarily due to misconfigurations." Don’t become part of the statistic. Take our configuration drift product tour for a spin. Consider it some light work before the weekend. Most breaches don’t stem from cloud provider failures, but from customer-side issues like misconfigurations, weak identity controls, and unmanaged change.

It's always a pleasure to sit down and chat with Ed. Good security decisions don’t start with alerts. They start with context. We rarely do anything in life without understanding some baseline of context. Otherwise, we're essentially "flying blind." Garrett breaks down the three signals that actually drive meaningful change:⇢ A clear baseline of how your environment really operates⇢ What’s happening in the outside threat landscape⇢ What your own history is already telling you in the context of your business.