Interviews | January 20, 2026

Identity-First Security Model is Becoming the Norm


SpecterOps | ThreatLocker

Justin Kohler
Chief Product Officer

SpecterOps

Q1. Your State of Attack Management report shows organizations facing millions of attack paths at scale. Beyond the technical challenge of mapping these paths, what are the organizational and cultural barriers you see preventing security teams from actually operationalizing this intelligence into remediation workflows?

While the industry is clearly shifting toward an identity-first security model, many organizations are still catching up in terms of experience, ownership, and operating models. Attack path intelligence doesn’t map cleanly to the way security teams have historically worked. Most security teams are optimized for responding to alerts tied to individual hosts or incidents, not for proactively reducing transitive risk across identities, permissions, and systems.

Organizationally, identity and security responsibilities are often split across teams with different incentives and success metrics. Remediating attack paths typically requires changes to identity configurations, which security teams may not own or feel empowered to modify. Without a strong operational relationship or clear accountability, this can lead to slow handoffs, stalled decisions, or risk being accepted by default.

Culturally, many teams lack established remediation workflows for identity-driven risk. Attack paths represent systemic exposure rather than discrete findings, and that shift from reactive response to preventive risk reduction requires new muscle memory. Organizations that succeed tend to recognize this early, whether through tighter reporting structures or deliberate cross-team alignment, and treat attack path remediation as a shared operational responsibility rather than an abstract analytical insight.

Q2. How does Attack Path Management address the shift in threat actor tactics from stealing credentials at rest to stealing active sessions (browser cookies, tokens and cached credentials)?

Attack Path Management has always assumed that credential theft is inevitable, regardless of whether those credentials are stolen at rest or harvested from active sessions. From our perspective, the industry’s growing focus on session theft through browser cookies, tokens, and cached credentials isn’t a fundamental shift in attacker behavior so much as a broader recognition of how modern access actually works.

Attack paths don’t depend on how access is obtained, only on what that access enables. Whether an attacker steals a password, a Kerberos ticket, a cloud token, or a browser session, the outcome is the same: a valid identity context that can be used to move laterally and escalate privileges. BloodHound was built to model that reality from the beginning by focusing on effective access and transitive trust relationships.

As attackers increasingly bypass credential storage and target live sessions, the limitations of detection-focused tools become more apparent. Attack Path Management complements those tools by answering a different question: once an attacker has any authenticated foothold, what can they reach next, and how far can they go? By exposing and reducing those paths in advance, organizations can limit the blast radius of session-based attacks before they ever occur.
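To make the graph view described above concrete, here is an added example that is not BloodHound's code or data model and is not part of the interview: attack path search treated as reachability over an identity graph, where the start node is whatever identity context the attacker holds, however it was obtained. The node names, edge labels and the choke-point heuristic are assumptions chosen for illustration.

```python
"""Attack-path search over an identity graph as a BFS reachability problem.

Added illustration; not BloodHound's code or data model. Nodes are principals,
groups and hosts; an edge is an 'effective access' relation. The start node is
whatever identity context an attacker holds, regardless of whether it came from
a password, a Kerberos ticket, a cloud token or a browser session.
"""
from collections import deque

# Constructed sample graph with hypothetical names (not from a real environment).
# Edge = (source, relation, target). HasSession models a live session on a host
# that can be hijacked, so session theft is simply another hop in the graph.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("alice", "AdminTo", "WS02"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "svc_backup"),
    ("WS02", "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "GenericAll", "DC01"),
    ("bob", "MemberOf", "Finance"),
    ("Finance", "CanRDP", "FS01"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """BFS from the foothold; returns the path as (src, rel, dst) hops, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parents:
        return None
    hops, cur = [], target
    while parents[cur] is not None:
        prev, rel = parents[cur]
        hops.append((prev, rel, cur))
        cur = prev
    return hops[::-1]


def reachable(graph, start):
    """Everything a foothold can reach transitively, i.e. its blast radius."""
    seen, queue = {start}, deque([start])
    while queue:
        for _, nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def choke_points(edges, start, target):
    """Edges whose removal alone cuts every path from start to target.

    These are the remediation candidates worth fixing first: an edge that a
    parallel path bypasses buys nothing on its own. Returns [] when the target
    is already unreachable.
    """
    if shortest_path(build_graph(edges), start, target) is None:
        return []
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, target) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("alice -> DC01:", shortest_path(g, "alice", "DC01"))
    print("alice reaches:", sorted(reachable(g, "alice")))
    print("bob -> DC01:", shortest_path(g, "bob", "DC01"))
    print("choke points:", choke_points(EDGES, "alice", "DC01"))
```

Run as a script, it shows that a foothold as alice reaches DC01 through a hijackable svc_backup session on either workstation, so neither workstation edge is a choke point; only the two edges after svc_backup are. That is the "reduce the paths in advance" step in miniature: removing svc_backup from Backup Operators severs every path, whatever kind of credential the attacker started with.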


Danny Jenkins
CEO and Co-Founder

ThreatLocker

Q1. How does ThreatLocker Defense Against Configurations (DAC) differ from broader security posture management tools? How does it align with your overall zero-trust strategy?

ThreatLocker Defense Against Configurations (DAC) focuses on a granular, endpoint-level reality that high-level posture management tools often overlook. While broader tools might check cloud settings or general compliance, DAC performs up to 170 daily checks on every individual endpoint to identify local configuration failures. This is critical because 61% of security leaders have suffered breaches due to failed or misconfigured controls in the last year alone. DAC identifies high-risk exposure points, such as RD Web accessible from public IP addresses or machines left in monitor mode, which often slip through aggressive audits.

This solution is the "configuration police" of our Zero Trust strategy. Zero Trust is a mindset built on the belief that nothing should be trusted by default; however, if your proactive controls like Application Allowlisting or Ringfencing are misconfigured, the strategy falls apart. DAC ensures continuous security hygiene, verifying that these controls are actually enforced. It simplifies the business case for security by aligning endpoint reality with industry compliance frameworks like NIST and CIS, making it easier to justify spending to a CFO.

Q2. What operational or threat insights from customer deployments this year have surprised you most about how adversaries are targeting endpoint ecosystems? How has it influenced your strategy going forward?

One of the most striking tactical shifts we've seen is adversaries using Linux VMs (via Hyper-V) to hide within Windows environments. By deploying a minimalistic virtual machine, attackers can execute malware that remains effectively invisible to traditional host-based EDR detections, which often lack the inspection capabilities to monitor traffic coming from the VM. Additionally, we continue to see that the vast majority of successful attacks do not rely on unique malware but on misusing legitimate, approved software, a.k.a. Living Off the Land. For example, the risk of Microsoft Office launching PowerShell remains a persistent and devastating attack vector.

These insights have solidified our strategy of proactive prevention over reactive detection. Instead of just chasing threats after they enter the network, we focus on kneecapping attackers by restricting the behavior of approved apps through Ringfencing. We also prioritize closing the most common entry points, such as disabling legacy SMBv1 and restricting outbound server traffic. Our goal is to ensure that even if an attacker gains a foothold or spins up a hidden VM, their lateral movement is stopped instantly because they cannot interact with files, registry keys, or the internet without explicit permission.
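The Office-to-PowerShell point and the deny-by-default model above, as an added example rather than ThreatLocker's implementation: a small Python policy evaluator run over constructed process-creation and network events. The allowlist, the per-application behaviour rules, the key=value log format and the monitor-versus-enforce switch are all assumptions for illustration, not the product's policy language.

```python
"""Deny-by-default evaluation of process and network events.

Added illustration; not ThreatLocker code. Two layers are modelled: an
allowlist (unknown binaries never run) and per-application behaviour limits in
the spirit of ringfencing (an approved app may only spawn listed children and
may only talk to the network if explicitly permitted).
"""
import re

# Constructed sample log in an assumed key=value format (hypothetical host and
# images; not taken from any real deployment).
SAMPLE_LOG = """\
type=process_create host=WS01 parent=explorer.exe image=winword.exe
type=process_create host=WS01 parent=winword.exe image=powershell.exe cmd="-enc SQBFAFgA"
type=process_create host=WS01 parent=explorer.exe image=updater_x.exe
type=network host=WS01 image=winword.exe dst=203.0.113.5:443
type=process_create host=WS01 parent=outlook.exe image=winword.exe
"""

# Layer 1: only these images may execute at all.
ALLOWED = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe",
           "powershell.exe", "chrome.exe"}

# Layer 2: behaviour limits for approved apps. An approved app with no entry
# gets the most restrictive default: no child processes and no network.
RINGFENCE = {
    "explorer.exe": {"children": ALLOWED, "network": False},
    "outlook.exe": {"children": {"winword.exe", "excel.exe"}, "network": True},
    "chrome.exe": {"children": set(), "network": True},
    "winword.exe": {"children": set(), "network": False},
    "excel.exe": {"children": set(), "network": False},
}
DEFAULT_RULES = {"children": set(), "network": False}


def parse_line(line):
    """Parse 'k=v k="quoted v"' into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def evaluate(event):
    """Return (decision, reason) for one event; anything unrecognised is denied."""
    kind = event.get("type")
    if kind == "process_create":
        image, parent = event["image"], event.get("parent", "")
        if image not in ALLOWED:
            return "DENY", f"{image} is not on the allowlist"
        rules = RINGFENCE.get(parent, DEFAULT_RULES)
        if image not in rules["children"]:
            # This is the Office -> PowerShell case: both binaries are approved,
            # but the parent is not permitted to launch that child.
            return "DENY", f"{parent} may not launch {image}"
        return "ALLOW", f"{parent} -> {image} permitted"
    if kind == "network":
        image = event["image"]
        rules = RINGFENCE.get(image, DEFAULT_RULES)
        if not rules["network"]:
            return "DENY", f"{image} has no network permission ({event.get('dst')})"
        return "ALLOW", f"{image} -> {event.get('dst')} permitted"
    return "DENY", f"unknown event type {kind!r}"


def run_policy(log_text, enforce=True):
    """Evaluate every line. In monitor mode denials are recorded as AUDIT only,
    which is exactly why a machine left in monitor mode is an exposure."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        decision, reason = evaluate(event)
        if decision == "DENY" and not enforce:
            decision = "AUDIT"
        results.append((decision, reason, event))
    return results


if __name__ == "__main__":
    for decision, reason, event in run_policy(SAMPLE_LOG):
        print(f"{decision:5} {event.get('host')} {reason}")
```

Against the constructed log the evaluator allows Explorer and Outlook launching Word, denies Word spawning PowerShell even though both binaries are individually approved, denies the unlisted updater outright, and denies Word's outbound connection. Re-running with `enforce=False` shows the same findings downgraded to AUDIT, which is the state a configuration check would want to flag.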

Q3. What key technologies and topics did ThreatLocker highlight at Black Hat Europe 2025? How do you use the event to engage with customers, researchers and other stakeholders?

At major events like Black Hat, we highlight the fundamental shift from threat detection to proactive hardening as the future of the industry. Our core technologies—Application Allowlisting, Ringfencing™, and Elevation Control—form the non-negotiable foundation of this shift. Specifically for the European market, we demonstrate how these controls allow organizations to meet the strict requirements of GDPR and NIS2 by providing real-time visibility and centralized, policy-driven control over every server and endpoint.

We use Black Hat as a platform for high-impact technical engagement, ranging from deep-dive demos at our booth to authentic dialogue with the community in informal settings. It is also an opportunity to validate our deny-by-default model through interaction with researchers. By engaging with the offensive side of the house, we prove that while an attacker only has to be right 1% of the time, our proactive controls remain right 100% of the time. We use these interactions to announce product enhancements, such as policy automation, which reduces the event noise that typically overwhelms security teams.
