If you walked the floor at Black Hat, one thing was clear: Everyone secures, protects, or defends something… powered by AI.
And on the surface, everyone looks the same.
For buyers trying to solve real problems, it was difficult to figure out who to trust and who to spend time with.
As someone who spends every day researching attacker behavior and building detection logic, I want to offer a different perspective. It’s not about who has the best tagline or flashiest demo. It’s about asking sharper questions, grounded in how modern attacks actually work.
Prevention Still Dominates. But Prevention Alone Is Not Working.
Most vendor messaging still centers on keeping attackers out, and that is necessary. But many threat actors no longer rely on exploits to get in.
In my Black Hat session, Mind Your Attack Gaps, I shared examples of how threat groups like Scattered Spider, Volt Typhoon, and Mango Sandstorm gain access and quietly escalate their control. In those cases the attackers did not need malware or zero-days. They relied on valid credentials, stolen session tokens, or federation abuse to blend in with legitimate activity.
The initial compromise often starts with something prevention tools are not designed to stop: a successful login.
From there, they explore the environment with native tools, escalate privileges through trusted identity paths, persist by registering OAuth apps, and exfiltrate data under the radar. No exploits. No binaries. Just behavior that looks like it belongs.
Traditional controls don’t raise alerts because the activity technically follows the rules. The credentials check out. The access paths are allowed. Logs, if not already deleted, tell an incomplete story. Most defenses were designed to detect what’s foreign or obviously malicious, not what’s valid and misused.
In every real-world case we studied, prevention tools were in place. But they were watching for the wrong signals.
Because today’s attacks don’t stand out. They blend in.
“Assume Compromise” Should Shape How You Evaluate Vendors.
You’ve heard “assume compromise” before (and maybe read our earlier blog on the topic). It is not just a mindset shift; it should also be the filter you apply to vendors when everyone at a show claims to stop attacks.
You do not need to understand every single cybersecurity product on the market. You need to understand how your attackers behave, then ask vendors how they detect and respond to that behavior:
- What does your solution detect after initial access?
- How do you identify lateral movement if credentials are valid?
- What happens if a user’s session token is hijacked in a SaaS app?
- Can your product detect behavior across cloud, identity, and network layers, or just one?
- What detection and response capabilities do you offer when logs are gone?
If the answer sounds like more alert noise, or the solution depends entirely on prevention and logs, you have your answer. You’re not talking to someone who can help when compromise has already happened.
What You Need Post-Compromise (And How to Spot It)
When compromise happens – and it will – the key differentiator is visibility. Not visibility into raw telemetry, but visibility into attacker behavior, stitched together across environments. Look for solutions that can:
- Detect activity without relying on agents or logs
- Identify behaviors like reconnaissance, credential abuse, and persistence
- Correlate what is happening across identity, network, and cloud
- Provide triage that reduces noise, not adds to it
- Show the full attack path, not just isolated events
These are capabilities that cannot be faked. You will see them in a demo, and in how the product explains what is happening during an incident. That is where the gap shows between a system that displays telemetry and a platform that shows intent.
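To make the two points above concrete (the attack path in the "successful login" section, where every step is individually permitted, and the capability list above, where the value is in correlating those steps across layers), here is an added example of behavior-based detection written for this post. It is not code from the original post or from any vendor's product. The events, the field names, the per-user "known networks" baseline, the list of broad OAuth scopes, and the 24-hour correlation window are all constructed assumptions; the point is that no single event trips a rule, only the chain does.

```python
"""Behavior-based detection over constructed identity/SaaS/cloud events.

Added example for this post, not code from the original page or any vendor.
Every event below is constructed. The field names, the baseline of known
networks, BROAD_SCOPES and the 24h WINDOW are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. Each record is something a prevention tool ALLOWED:
# the login succeeded, the consent was granted, the export was authorised.
EVENTS = [
    # alice: routine activity from her usual network (benign)
    {"ts": "2024-05-01T08:02:00", "layer": "identity", "user": "alice",
     "type": "login_success", "net": "AS-CORP", "session": "s-a1"},
    {"ts": "2024-05-01T08:10:00", "layer": "saas", "user": "alice",
     "type": "oauth_consent", "net": "AS-CORP", "session": "s-a1",
     "app": "calendar-sync", "scopes": ["Calendars.Read"]},
    # bob: valid login from a new network, broad consent, then bulk export
    {"ts": "2024-05-01T09:00:00", "layer": "identity", "user": "bob",
     "type": "login_success", "net": "AS-CORP", "session": "s-b1"},
    {"ts": "2024-05-01T22:41:00", "layer": "identity", "user": "bob",
     "type": "login_success", "net": "AS-VPS-9", "session": "s-b2"},
    {"ts": "2024-05-01T22:44:00", "layer": "saas", "user": "bob",
     "type": "oauth_consent", "net": "AS-VPS-9", "session": "s-b2",
     "app": "mail-helper", "scopes": ["Mail.Read", "offline_access"]},
    {"ts": "2024-05-02T01:15:00", "layer": "cloud", "user": "bob",
     "type": "bulk_export", "net": "AS-VPS-9", "session": "s-b2",
     "objects": 4200},
    # carol: her SaaS session token is replayed from a different network
    {"ts": "2024-05-02T10:00:00", "layer": "identity", "user": "carol",
     "type": "login_success", "net": "AS-CORP", "session": "s-c1"},
    {"ts": "2024-05-02T10:03:00", "layer": "saas", "user": "carol",
     "type": "api_call", "net": "AS-CORP", "session": "s-c1"},
    {"ts": "2024-05-02T10:20:00", "layer": "saas", "user": "carol",
     "type": "api_call", "net": "AS-RESIDENTIAL-3", "session": "s-c1"},
]

# Assumed baseline of networks each user normally signs in from.
KNOWN_NETWORKS = {"alice": {"AS-CORP"}, "bob": {"AS-CORP"}, "carol": {"AS-CORP"}}
BROAD_SCOPES = {"Mail.Read", "Files.Read.All", "offline_access"}  # assumed list
WINDOW = timedelta(hours=24)                                      # assumed window


def _timeline(events):
    """Parse timestamps and return events in chronological order."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def detect_token_reuse(events):
    """Flag a session token that appears from two different networks.

    A hijacked token passes every authorisation check, so the only signal is
    the same (user, session) pair showing up from a network it did not start on.
    """
    first_net = {}          # (user, session) -> network of first sighting
    findings = []
    for e in _timeline(events):
        key = (e["user"], e["session"])
        origin = first_net.setdefault(key, e["net"])
        if e["net"] != origin:
            findings.append({"user": e["user"], "session": e["session"],
                             "networks": [origin, e["net"]],
                             "at": e["ts"].isoformat()})
    return findings


def detect_credential_abuse_chain(events, baseline=KNOWN_NETWORKS):
    """Correlate login (new network) -> broad OAuth consent -> bulk export.

    Each step is individually permitted. The finding is the whole path,
    reported with the layer each step was observed on.
    """
    by_user = defaultdict(list)
    for e in _timeline(events):
        by_user[e["user"]].append(e)

    paths = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["type"] != "login_success" or login["net"] in baseline.get(user, set()):
                continue                       # routine login, no anchor
            chain = [login]
            for e in evs[i + 1:]:
                if e["ts"] - login["ts"] > WINDOW:
                    break                      # outside the correlation window
                want = ("oauth_consent", "bulk_export")[len(chain) - 1]
                if e["type"] != want:
                    continue
                if want == "oauth_consent" and not set(e["scopes"]) & BROAD_SCOPES:
                    continue                   # narrow consent, not persistence
                chain.append(e)
                if len(chain) == 3:
                    paths.append({"user": user,
                                  "path": [(c["layer"], c["type"], c["ts"].isoformat())
                                           for c in chain]})
                    break
    return paths


if __name__ == "__main__":
    for f in detect_token_reuse(EVENTS):
        print("token reuse:", f)
    for p in detect_credential_abuse_chain(EVENTS):
        print("attack path:", p)
```

Run as-is, it reports one replayed session (carol, AS-CORP then AS-RESIDENTIAL-3) and one attack path (bob: identity login, SaaS consent, cloud export), while alice's perfectly ordinary login plus narrow-scope consent produces nothing. That is the shape of what to ask a vendor to show in a demo: a finding that spans layers and explains the sequence, rather than three allowed events logged separately.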
It’s Not About If. It’s About What Comes After.
Most vendors still sell you the hope that you will prevent the breach. But attackers are no longer trying to break in. They are logging in. They are exploiting trust. They are already inside.
What matters now is not whether you stopped them at the gate, but whether you see what they do once they’re in.
That is the question every buyer should be asking.
If you're curious how modern compromise unfolds, and how real behavior-based detection exposes what prevention tools overlook, we’ve built a self-guided experience you can explore in minutes. No forms. No calls. Just a clear look at what effective compromise detection actually looks like.