Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The silent killer in modern security programs? Garrett Hamilton and Todd Graham discuss how the real killer is settings quietly slipping out of alignment over time — even in environments packed with “best-in-class” tools and clean audit results. Misconfigurations don’t announce themselves. They accumulate. They age. They slowly pull your security posture away from original intent. What teams think is “turned on” often isn’t enforced consistently — or at all. Without continuous validation, drift becomes invisible risk.

Nicole Perlroth asks Garrett how Reach's involvement would have impacted the breach with Target. Attackers came in through a third-party HVAC vendor. Credentials were compromised. Alerts fired. But nothing rose to the level of urgency it deserved. As Garrett Hamilton explains at UCI, this is where security breaks down—not detection, but prioritization. Most teams keep investing in reacting faster inside the SOC. The harder (and more effective) shift is upstream: reducing the exhaust before it ever hits the console.

Humbled that CRN included Reach Security in their 2026 startups to watch list. This one’s for the team, our partners, and every customer who’s believed and shared in our vision — thank you. Onward.

Assessing Microsoft E3 and E5 is less about the license tier and more about understanding the security coverage you already own. In our conversation, Todd and Garrett break down what often gets missed in the E3 → E5 journey: Organizations move to E5 without clearly understanding:⇢ what coverage they already have with E3⇢ what incremental capabilities E5 actually adds⇢ and whether those capabilities are being adopted at all.

Security exposure doesn’t take a day off. Rain, snow or shine, environments keep changing. Controls drift. Configs break. Risk quietly piles up. Reach was founded to help organizations find and fix hidden risk and exposure. Traditional approaches surface issues — dashboards, alerts, findings — but stop short of actually fixing them.

Looking for the perfect easy listening experience to kick off the holidays? We just published a full conversation between Garrett Hamilton, CEO & Co-Founder of Reach Security, and Todd Graham, Managing Partner at Microsoft’s venture fund M12. They talk through what's limiting security programs today — not lack of tools, but lack of operational clarity.

Security teams know the attack techniques. What they don’t always know is how those techniques actually land in their environment. Reach maps your existing controls to MITRE ATT&CK (and D3FEND) and shows—visually—︎ which techniques are covered︎ which tools provide that coverage︎ and where real gaps exist Because “we have the tool” isn’t the same as “the technique is stopped.”

Garrett Hamilton, CEO and Co-Founder of Reach Security, sits down with Todd Graham, Managing Partner at Microsoft’s venture fund M12, to discuss why modern cybersecurity programs struggle to reduce real risk — despite massive spending on tools. Recorded at Black Hat, the conversation explores how misconfigurations, unused controls, and operational blind spots create exposure long before attackers need advanced techniques.

Before investing in new security tools, it’s critical to understand what your current stack is actually delivering. Barmak Meftah spoke about the importance of baselining existing investments to truly grasp risk acceptance versus real risk exposure. Without that foundation, new acquisitions lack context and are often driven by trends rather than necessity. Smarter decisions come from understanding:︎ What is already deployed︎ How it is configured︎ Where exposure persists.

At UC Irvine’s Digital Leadership Agenda 2026, moderated by Nicole Perlroth, Garrett Hamilton illustrates what those blind spots can look like: “We believed it was deployed.”“It was turned on.”“It should have stopped this.” Except one exception, one policy gap, one control not applied at scale — and assumptions replace reality. The real problem isn’t visibility. It’s continuously validating intent against execution.