惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
The Security Event Horizon: Rethinking Cybersecurity Beyond Prevention
Zoey Chu · 2026-06-12 · via Vectra AI Blog

Lately, I’ve been having a lot of conversations with cybersecurity leaders about a concept I’ve been using called the Security Event Horizon. The basic idea is that the concept of “defense in depth” in the security world is a misnomer. Security technologies rarely have any overlap in the scope of what types of attack tooling or behavior they apply to and typically there’s only a single security control/technology between an attacker launching and landing a breach attempt. Prevention remains important, but there is a point in the attack lifecycle where prevention-oriented thinking stops being a relevant model, and detection, context, and response become the things that matter most.

That may sound obvious to people who have spent a lot of time in security operations, but I think it is worth being explicit about because much of the security industry still talks about the problem as if the right collection of preventive controls can make compromise an exceptional condition. In real environments, that’s not how things work.

Why is defense in depth a misnomer?

Modern enterprises are too large, too distributed, and too dynamic for that assumption to hold. They run large estates of cloud infrastructure, SaaS applications, endpoint fleets, identity systems, APIs, third-party services, legacy applications, and business-critical systems that are difficult or impossible to patch in a realistic timeframe. Even well-run organizations have unknown assets, exposed services, configuration drift, over-permissioned identities, and systems that cannot be patched at the moment a fix becomes available.

Obviously, prevention is still necessary. Patching, hardening, segmentation, identity controls, secure configuration, email security, endpoint prevention, and vulnerability management all reduce the amount of opportunity an attacker has. The issue is that prevention is not a complete operating model. At enterprise scale, some percentage of preventive controls will fail, and the security architecture has to be designed with that assumption in mind.

AI makes this problem more acute. Attackers are going to have better tools for finding vulnerabilities, producing exploit variants, automating reconnaissance, generating convincing social engineering, and adapting their activity as defenders respond. Defenders will use AI as well, but the asymmetry around time matters. It is much easier to find one exploitable path than it is to prove that every exploitable path across a large enterprise has been removed.

Additional reading: What’s Next for the Enterprise After Two GenAI Tidal Waves

Why the Security Event Horizon

This is why I developed the Security Event Horizon idea and think it’s important to discuss.

In this model, there is a distinction between cause-based detection and effect-based detection. Cause-based detection is focused on the thing that initiates or enables the attack: a vulnerability, exploit, malicious file, command, infrastructure indicator, phishing message, or known technique. This is where a lot of prevention and blocking logic naturally lives.

Effect-based detection is focused on what happens after the initial attack has succeeded. Once an attacker is in the environment, they have work to do. They have to authenticate, enumerate, move, escalate, persist, communicate, stage data, and eventually act on objectives. Those behaviors create effects in the environment. The defender’s job is to see those effects, understand them in context, and respond before the attacker reaches impact.

MITRE ATT&CK is a useful way to describe this transition. The earlier phases of an attack tend to align naturally with prevention-oriented controls. As an attack progresses into discovery, credential access, lateral movement, command and control, collection, and exfiltration, the environment starts producing behavioral evidence. At that point the problem is less about whether a single object is known to be bad and more about whether a sequence of activity makes sense.

Attackers increasingly use legitimate credentials, legitimate protocols, legitimate administrative tools, and legitimate cloud services. A lot of what they do does not look malicious when viewed in isolation. A login may be valid. A PowerShell command may be allowed. A connection between two systems may use an approved protocol. A cloud API call may be syntactically normal. The question is whether the behavior is consistent with how that user, host, workload, or application normally operates, and whether it fits into a broader attack pattern.

Detection has to be more than alert collection. Producing more signals for an analyst to triage doesn’t really get us where we want to go, but being in a position to understand attack progression is what needs to happen in the post-compromise environment. This has a few practical implications.

Understanding how cyberattacks progress

First, prevention isn’t risk elimination, it needs to be treated as risk reduction. It reduces attacker opportunity and should be continuously improved, but it should not be the assumption on which the rest of the architecture depends.

Second, detection has to be designed around the parts of the attack that are observable after prevention fails. Network activity, identity behavior, cloud control-plane activity, SaaS usage, endpoint telemetry, and data movement all provide different views of attacker behavior. None of them is sufficient by itself in a modern security architecture.

Third, context is essential andit matters as much as telemetry. Seeing an event is not the same thing as understanding it. Defenders need to know what the asset is, who the identity belongs to, what normal behavior looks like, whether the system is exposed, what privileges are involved, and how the activity relates to other events across the environment.

Finally, response has to be tied to attack state. The right response to a noisy early signal is different from the right response to confirmed lateral movement or active data staging. Security operations teams need to know not just that something happened, but where they are in the attack lifecycle, and ideally, what the attacker is likely trying to do next.

This is the point of the Security Event Horizon Framework. It is a way to reason about where different technologies operate, what kinds of signals they produce, and where their value changes as an attack moves from attempted compromise to active intrusion.

Prevention will always be a core part of security architecture. But in a world where AI accelerates vulnerability discovery and exploitation, and where patching every deployed software and hardware component across every enterprise is not realistic, security programs need to be explicit about what happens after prevention fails and architect for it as well.

That is where detection and response have to carry the load. Not as an afterthought or a collection of disconnected alerts, but as a model for understanding attacker behavior across the environment.

The practical question for security operators and leaders is straightforward. When an attacker gets past the controls that were supposed to stop them, can you still see what they are doing, understand how far they have progressed, and respond before the activity becomes a material business event?

Vectra AI is very uniquely built to provide the signals and continuous capability required to secure the hybrid, software defined, enterprise by providing detection and response using data sets and technologies that don’t exist from any other single company.  If you’re serious about a security architecture that provides capability beyond the Event Horizon, take a look.

For more from Marty Roesch on the Security Event Horizon, tune in to the Hunt Club Podcast.