Proactive Security Starts with Real Attacker Knowledge

(June 18, 2026)

For most of my career, I looked at cybersecurity from the attacker’s side. My background is in offensive operations, working in environments where the job was to understand how organizations could be breached, how defenders could be avoided, and how small mistakes in security architecture could become meaningful opportunities for an attacker.

That experience shaped the way I see the market today. When you spend years operating as an attacker, you build a very practical understanding of what works, what fails, and what defenders often do not see. You also develop a strong appreciation for the gap between the way attacks happen and the way many organizations still try to detect them. That gap is the reason we started Mars Security.

The idea was not born from a single dramatic incident or one moment of realization. It came from years of seeing the same pattern repeat itself. Attackers could move across environments, generate signals, touch different systems, and still remain unnoticed for far too long. From the offensive side, that was difficult to ignore because the evidence of activity was often there, but the connection between attacker activity and defensive detection was missing.

Security teams have invested heavily in tooling, processes, frameworks, and operations, but the way many organizations detect sophisticated activity has not changed enough to match the way threat actors now operate. The threat landscape has become faster, more automated, and more scalable, while many detection models still depend on slow, manual, and expensive work that only the most mature organizations can afford.

For CISOs and senior security leaders, this is no longer a narrow technical issue; it is a strategic problem, because the ability to understand, detect, and contain real attacker activity is becoming one of the defining capabilities of modern security.

Proactive Security Needs to Reflect Real Attacker Activity

Attackers do not operate according to neat frameworks, internal categories, or vendor diagrams; they operate according to opportunity, speed, infrastructure, automation, access, and the specific weaknesses of the target environment. Defenders need structure, of course, but structure becomes dangerous when it creates distance from what attackers are doing.

One of the biggest problems I see is misalignment. Threat actors have advanced significantly in recent years, especially with the availability of automation and AI-enabled workflows, but many defensive approaches still look like they were designed for an earlier era. Security teams may have more data than ever, but more data does not automatically create better detection if the organization cannot connect that data to current attacker methods.

Real attacker knowledge matters because detection is not only about writing rules or buying tools. Rather, it is about understanding how an operation unfolds, how an attacker thinks, where they are likely to make mistakes, and how those mistakes appear inside a specific environment, and that is very different from treating detection as an abstract exercise.

This is why I believe proactive security must be threat intelligence driven, but not in the shallow sense of reading reports and storing indicators. Threat intelligence should become operational: it should help security teams understand how threat actors are working now, and it should translate that understanding into detections that are relevant to their own environment.

For many organizations, that translation step is where the process breaks down. Reading a report is one thing, but turning that report into useful detections, hunts, and containment logic is hard. It requires expertise, engineering, context, and time, which are resources that many teams simply do not have in sufficient supply.

Attacker Knowledge Cannot Be Replaced by More Manual Work

Today, organizations usually approach this problem in one of two ways. The most mature teams invest heavily in people. They hire threat hunters, detection engineers, and analysts who manually read intelligence reports, write detections, and run extensive hunts to find complex activity in their environments.

That approach can work, but it is expensive, slow, and difficult to scale. The best threat hunters and detection engineers are hard to find, and the organizations that can afford them are usually already among the most mature and well-funded. Everyone wants proactive threat hunting, but wanting it and operationalizing it are not the same thing.

The second group of organizations often does much less, not because they do not care, but because the economics and complexity are against them. A mid-sized organization with a few thousand employees may face threat campaigns that are sophisticated, automated, and fast-moving, yet it may not have the budget or team structure of a global enterprise. Five years ago, that may have been uncomfortable but manageable. Today, it creates a much bigger risk.

This is where the build-versus-buy question becomes important. Some mature organizations are experimenting with agentic frameworks, large language models, and internal automation to solve parts of this problem themselves. I understand why, and in many ways it validates the need because security teams can see the gap and are trying to close it.

However, building something that looks useful in a prototype is very different from building something that works reliably in production. The challenge is not only engineering; it is also knowledge. A team can use powerful AI tools and still lack deep understanding of how threat actors operate, how campaigns are structured, and how attacker activity should be detected inside a real customer environment.

That is one of the reasons we built Mars the way we did. The goal is not simply to provide code or automation, but to bring together product, intelligence, engineering, and offensive experience. A vendor in this space should not only deliver a tool; it should deliver expertise, partnership, and a standard of quality that security teams can trust.

Proactive Security Must Stay Focused as AI Changes the Fight

AI is changing cybersecurity, but I think the industry is still too distracted by the wrong questions. There is a lot of noise, confusion, and hype around what AI means for both attackers and defenders. I am optimistic about AI as a tool, but I am skeptical of the more dramatic claims about what threat actors are doing with it today.

When I look at real attacker activity, I do not see most threat actors relying on AI to discover extraordinary zero-days at machine speed. What I do see is AI being used to automate operations, deploy campaigns faster, generate or adapt infrastructure, support phishing and vishing, and run activity at greater scale. That is extremely important, but it is different from some of the stories the industry tells itself.

The opportunity for defenders is also significant because if attackers can use AI to move faster, defenders can use AI to scale knowledge, engineering, and operational response. In many ways, defenders should have the advantage because they can apply more resources, more compute, more expertise, and more context to the problem. The question is whether they can stay focused on the practical use cases that matter.

Over the next few years, I expect security teams to become smaller, more engineering-oriented, and more dependent on the ability to build and operate systems that automate lower-level work. Some roles will consolidate, and many repetitive tasks will be handled by machines; at the same time, the fundamentals of security will remain familiar because networks, identities, endpoints, cloud environments, and human activity will still create the terrain where attackers and defenders meet.

The pace of security operations is likely to become much faster, and the organizations that succeed will be the ones that can connect real attacker knowledge to their own environments quickly, continuously, and reliably. They will not wait for a breach to validate their assumptions. They will proactively look for the activity that matters, guided by what threat actors are doing.

That is the mission behind Mars Security as we come out of stealth. We want to help more organizations become proactive without requiring every company to build an elite threat hunting and detection engineering function from scratch. We want to make the connection between attacker methods and defensive action much more direct.

We are also very focused on building things that work, which may sound simple, but matters deeply to us. Security teams do not need more products that are impressive in a demo but unreliable in practice; they need capabilities that deliver value, fit into real environments, and help them detect and contain bad activity with confidence.

In five years, I hope proactive cybersecurity is not seen as something only the largest and most mature organizations can do. I hope it becomes a standard expectation for serious security programs, and I hope Mars is known for helping make that possible. For me, proactive security means understanding the attacker clearly enough to act before damage is done, and that starts with real attacker knowledge.