BIZTECH: Why do detection and response capabilities matter more today than simply adding more preventive controls?
The ability to detect, which is measured by your mean time to detect, your ability to respond, measured by your mean time to respond, as well as your ability to contain, measured by your mean time to contain, are more critical today than they have ever been. The primary reason for this is the speed with which threat actors can increase the scope of their attacks. Using machine learning and AI tools, threat actors can execute their attacks with speed. This means we have to be able to detect, respond and contain with similar speed.
Add the complexity of the impact of tools such as Mythos and their ability to not only detect vulnerabilities but to create exploits for those vulnerabilities, and the situation has become more perilous. The risk of running any technology based on software — which is almost everything today — means you must figure out at the time of design or via the procurement process how to ensure security is the No. 1 priority.
At the early stage, the enterprise can make the decision on how to address the risk. Should the risk be avoided? Should it be accepted? Should the risk be transferred? It is more likely that the risk is going to be mitigated via technical controls. Those technical controls will ultimately aid the prevention. However, when prevention fails, at least there will be a clear understanding of how to detect, respond and contain.
BIZTECH: What are the most common signs that an organization’s security program looks mature on paper but is weaker in practice?
To determine how effective and robust an organization’s security program is, the organization does not have to look far. One question that organizations can is ask is, “How measurable is my security program?” The good part is your security program can, in many cases be measured quantitively rather than being subjective and speculative.
Here are eight keys things the organization can consider:
1. Vulnerabilities identified. Every software has vulnerabilities, whether intentional or accidental. For example, Mythos Preview found a 27-year-old vulnerability in OpenBSD, which is known to be one of the most secure operating systems. The fact that it was not found yesterday does not mean it will not be found tomorrow. In fact, we should expect that it will be found tomorrow. Another clear example is Mozilla using Mythos to uncover 271 bugs in Firefox 150.
2. Vulnerabilities remediated. Now that we know we cannot escape the world of vulnerabilities, and that more of them will be identified even faster, how do we remediate them faster? This is going to be a major challenge. Think about Microsoft Patch Tuesday, which is once a month. Even with patches being released once a month, organizations have a difficult time patching. Can you imagine what will happen now in the world of Mythos and other such tools, where vulnerabilities and will be identified with greater speed, but application of those patches will be take longer?
RELATED: Why businesses are drowning in too many cybersecurity tools.
3. Threats prevented. Threat actors are always targeting your infrastructure. Do you have visibility into those attacks? If you have visibility via your security platforms, kudos. This gives you numbers you can measure: “We had 10 attacks that targeted the organization via malware, 12 via phishing, five via business email compromise,” etc.
4. Threat detected. We know that even though we have firewalls, proxies, endpoint detection and response, extended detection and response, managed detection and response, e-mail filtering, and all of these preventive technologies, organizations are still being compromised. These threats are also coming through different vectors. For example, the FBI reports that for 2025, business email compromise resulted in more than $3 billion in losses, data breaches cost just over $400 million, and phishing/spoofing just over $200 million. There is a serious economic impact to your business if you are unable to prevent or even detect these threats. There is also the impact to business reputation, etc.
5. Mean time to detect. Now that we know we must detect the threats, how quickly are you doing so? Is a mean time to detect of 24 hours fast enough for your organization, or are you expecting detection within an hour? This obviously can be sooner, depending on the security and threat detection tools you have deployed, as well as the SLAs you have defined with your managed security service provider (MSSP) or MDR provider. Outside of the tools or MDR provider, you must depend on some level of threat hunting to proactively detect these threats. One can argue, if we provide an agentic AI solution with the right the data and ask it to analyze the activity, it may find things faster than a human. This is true. However, does the AI have the appropriate context?
6. Mean time to respond. So you detected a threat. What do you do next? Do you leave it there, or do you try to address it immediately? One hopes the objective is to deal with it immediately. However, personal experience tells me this is not always the case, as there are usually competing priorities.
7. Mean time to contain. Once you have identified the threat, even if you cannot fully act on it, you should at least try to contain it. You can always remediate later if you have competing priorities.
8. Lessons learned from those past incidents. The only way to truly ensure your security readiness, as we spoke about above, is to ensure your security program evolves. This evolution can come through your own experience or, more important, what is happening in other sectors or to other companies in your vertical.
Click the banner below to learn why cyber resilience is essential to enterprise success.