
Security Spent a Decade Finding More. It Should Have Been Proving More. 

By: Nir Krumer

March 18, 2026

Here's an uncomfortable truth most security leaders already suspect but rarely say out loud: Your organization has invested millions in security tools, and you still can't prove they stop the threats that target you. 

Not theoretically. Not based on vendor claims or configuration audits. Prove - with evidence, against real attacker techniques, in your environment. 

The average enterprise runs 30+ security controls. Default configurations protect against roughly 70% of known threats. That means nearly a third of what's coming at you is getting through tools you're already paying for - and most teams don't know which third. 

This isn't a tools problem. It's a proof problem. 

The Industry Optimized for the Wrong Thing 

For the past decade, security has been about finding more: more vulnerabilities, more alerts, more coverage and more tools. The assumption was that if you could see everything, you could protect everything.

But seeing isn't stopping. Most organizations can generate thousands of findings. Very few can tell you which of those findings represent a real, exploitable risk in their environment - and fewer still can prove their controls actually block it. 

The result is what we call the risk-to-fix gap: the time between knowing a threat exists and proving your defenses handle it. For most organizations, that gap is days to weeks. For the threats that matter most, that's the difference between a blocked attack and a board-level incident. And that gap is widening as attack surfaces grow and threat actors move faster. 

Resilience You Can Measure 

The organizations that consistently stay ahead share one trait: They don't assume their defenses work. They prove it - continuously. 

Resilience is not a maturity score or a framework checkbox. It's the ability to answer three questions with data: 

  1. What stops what? Which controls block which attack techniques - and where are the gaps?
  2. How fast do we adapt? When a new threat emerges, how quickly can we validate exposure and close gaps? 
  3. Are we improving? Can we show measurable risk reduction quarter over quarter - not just activity? 

If your answers rely on assumptions, periodic pen tests or vendor dashboards, you're estimating your security posture. You're not managing it. 

A Shift in Operating Model 

Getting to provable resilience requires a fundamental change in how security teams operate. It's not about adding another tool or running more assessments. It's about building a continuous loop: 

Validate - Test your defenses against the threats that actually matter to your environment. Not generic scenarios. Real attacker techniques, mapped to your industry, your assets and your exposures. 

Improve - Turn findings into action. Tune prevention. Strengthen detection. Deploy mitigations for exposures you can't patch yet. Focus effort on what measurably reduces risk. 

Prove - Re-validate after every change. Show that the gap is closed. Build an evidence trail that leadership, auditors and your own team can trust. 

Then repeat. Every new threat, every environment change and every control update feeds back into the loop. 

This is how security programs evolve from reactive to resilient - not through more coverage, but through continuous proof. 

Where to Start 

You don't need to boil the ocean. Pick the entry point that matches your current pressure: 

A threat just hit the news. CISA issued an alert, a new campaign is targeting your sector, your CEO forwards an article asking "are we exposed?" - start there. Validate whether your controls actually stop that specific threat. That's your first loop. 

A control you're betting on. You just deployed or renewed a major investment - EDR, email gateway, SIEM. Can you prove it's doing what the vendor promised against the techniques that matter to you? Test it. Tune it. Prove it. 

Exposures you haven't patched yet. You've got hundreds of open CVEs and a patching cycle that takes weeks. Which of those are actually exploitable in your environment right now? Start by validating the ones that keep you up at night - then prove your compensating controls hold until the patch lands.

Pick one. Run the loop. That first cycle of validate → improve → prove will teach you more about your real defensive posture than months of dashboard reviews. 

Where Security Goes from Here 

The security industry spent a decade building better ways to find problems. The next decade belongs to teams that can prove their defenses work - and improve them when they don't.

At Cymulate, this is the problem we've built our platform to solve - helping security teams continuously validate their defenses against real threats, close gaps faster and build the kind of resilience that holds up when it matters. 

Because the next attack isn't a question of if. It's when - and whether you'll have the evidence that you're ready. 
