When you talk about improving resilience, what specific metrics do you point to, and how do you frame that discussion?
We position our retainers to focus strongly on preparedness in addition to rapid response; work done before an incident to make the overall security program more resilient delivers the highest ROI for security. Drawing on lessons from roughly 7,000 investigations by our practitioners, we focus clients on preparation: having an incident response plan, running tabletop exercises, and shoring up fundamentals like vulnerability scanning, patching, and pen testing. It’s about being ready for the chaotic moment that will arrive at some point.
Resilience is therefore measured by readiness and response quality: whether teams know whom to call, what to do, and how to contain, eradicate, and recover. We guide customers to treat preparation as an investment that reduces impact, not just a technology spend. The core question is: have you prepared well enough that, when something happens, you can act quickly and effectively?
How do you ensure those improvements scale globally across time zones and regions?
Our team is global and expanding through both partnerships and direct hiring. Since launching the consulting group at Cybereason earlier this year, we’ve added staff across several countries and are continuing into EMEA, Canada, and Australia.
Scaling is about recruiting top talent and building processes that let us assign or execute work regionally when appropriate. Clear playbooks, coordination across time zones, and structured division of effort allow us to deliver consistently, no matter where the client operates.
You recently inked a partnership with Trustwave and have other partnerships. How does this affect your MDR and consulting model?
From an MDR standpoint, these partnerships position consulting to be product-agnostic. Whatever stack a client already uses, we can quickly contain, remediate, and determine root cause during investigations. We aren’t tied to any single technology, and we meet the client where they are.
In practice, that means leveraging the tools present before we arrive. The Trustwave partnership, for example, helps us interface more seamlessly with existing environments so investigations proceed faster and with fewer roadblocks.
Is there a tension between delivering a seamless MDR/DFIR experience and remaining product-agnostic during incident response?
No. Cybereason has a strong product and a substantial MDR business, and many clients are very happy with that. But some customers choose different tools for many reasons, and we still want to be their MDR and IR provider.
Our proactive services remain the same regardless of the organization’s security stack. During an incident, we simply leverage the technology the client has to drive the investigation. Product-agnostic processes ensure the experience stays seamless.
For incident response investigations, how did you integrate new senior DFIR talent from other firms, and what changes were necessary to onboard them quickly?
We train our people and build processes that don’t depend on a specific tech stack. Much of our team brings experience from law enforcement, government, or large enterprises with robust in-house IR teams, so they’re accustomed to integrating with diverse technologies.
We rally our experts behind a strong mission to raise every organization’s cyber resilience and codify their experience into playbooks and procedures, constantly adapted based on the latest threat intelligence. The tech may change case to case, but the threat intel and investigative rigor remain constant.
How do retainers and insurer partnerships actually reduce costs or regulatory fallout for clients? Can you give a concrete example?
The best return comes from preparation. When an event occurs, being able to quickly engage your carrier, law firm, and IR provider limits damage, shortens business interruption, and may even eradicate the intruder before harm is done. For manufacturers, for example, every day of halted tooling and delayed shipments translates into direct losses—so orchestrating safe restarts is critical.
Restoration sounds simple but can be complex when systems don’t communicate cleanly or are partially down. Planning restoration in advance, truly understanding time-to-restore and the operational dependencies, prevents surprises and reduces costs during an incident.
Regulatory recovery can be intense—state AGs, HHS for HIPAA, and potential litigation. How do you help clients navigate that landscape?
Regulatory exposure depends on what regulated data was impacted, often financial, healthcare, or employee PII, and may trigger notifications. Cybereason can quickly structure unstructured data into a usable list of profiles for legal analysis by outside counsel and, if needed, notifications.
We also help explain investigative timelines and reasonableness to state AGs or HHS. Our staff’s experience, including former law enforcement, supports demonstrating that the investigation took an appropriate amount of time and that reasonable security existed, helping minimize financial impact in post-incident proceedings.
AI now powers both defense and offense. How are you using it, and where does it matter most in your operations?
On defense, AI augments SOC operations, log analysis, and quality control, speeding detection and improving consistency. We expect its role in forensics to grow, especially in reconstructing timelines and surfacing patterns. Analysts still apply judgment to interpret threat-actor intent and sequencing; experience remains essential.
On offense, adversaries use AI to write malicious code faster and craft more convincing phishing, raising credential-theft and social engineering risks. AI is becoming part of everything, on both sides, so our approach is to harness it for scale and speed while keeping expert analysts in the loop.
Looking two to three years ahead, what are the biggest cyber-resilience challenges, and how are you preparing?
Cloud has been a major challenge because infrastructure can be spun up with a few clicks, sometimes as shadow IT. Now we’re seeing similar trends with AI tooling, creating shadow AI through many enterprises. Security programs may have limited visibility until it’s too late, and risk often stems from configuration rather than the inherent security of a cloud or AI provider.
We assess cloud tenants and client environments to establish visibility: what exists, whether it matches expectations, and which settings create exposure. We show how attackers abuse misconfigurations and how a single checkbox, depending on its place in the hierarchy, can have far-reaching consequences. Our tools and processes translate that into actionable hardening guidance.
How many years did you spend at the FBI?
About 22 years.
Which DFIR practices from your FBI work have you brought into Cybereason?
My FBI background was largely in a forensic laboratory, including time at headquarters and as assistant director of the regional computer forensic lab in Newark. We trained state and local personnel who then returned to their agencies with enhanced capabilities. That emphasis on rigorous training and a scientific approach to digital forensics translates directly to the private sector.
Equally important are the disciplined operating procedures and layered quality control used on large, fast-growing cases. We’ve brought that methodology, and a focus on taking care of our people, to ensure professional execution during client crises while recognizing the human toll of long hours and sustained pressure.
What, if anything, keeps you up at night running Cybereason’s consulting business?
Building a business from scratch means constantly finding top talent and ensuring they deliver at a high standard as the group scales. Growth introduces new challenges, and we’ve seen this before—scaling teams from dozens to hundreds across many countries.
I’m always thinking about our people: where they are, whether they’re safe, and whether they’re supported. Geopolitics, natural disasters, and local conditions affect operations, so caring for employees is paramount to sustaining great client outcomes.
Is it easy to attract talent to your team today?
Our group’s reputation has made it easier. Interest is strong: recent postings have attracted hundreds of applicants, including many high-quality candidates from large organizations and from law enforcement, whether late-career or transitioning to the private sector.
Cultural fit matters as much as technical skill. So far, we haven’t struggled to find people who align with how we work and the standards we expect, which is encouraging as we continue to grow.