Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Garrett Hamilton recently presented at the North Texas ISSA Lunch & Learn in Plano, TX to talk about what risk reduction actually looks like in practice. Reach shows customers exactly which controls they've deployed, the user impact of those changes, and how much risk has been reduced across IAM, EDR, email, firewall, and SASE. Not feature checklists. Targeted, measurable outcomes tied to the business.

New year, new faces, big goals. To close out 2025 and open 2026, we welcomed 43 new team members across engineering, sales, customer success & solutions, marketing, and operations. Reach was founded to close the gap between knowing where you're exposed and actually fixing it. That mission doesn’t scale without the right people. Growth is exciting, but aligned growth—with the right people, at the right time, for the right mission—is what really matters.

Microsoft Defender for Office 365 protects against phishing, malware, and malicious links across email and collaboration tools. But as environments scale and settings are changed, your Defender security controls can drift away from security baselines and degrade your security posture. Reach continuously analyzes your Defender deployment to find and fix misconfigurations, activate unused capabilities, and stop configuration drift.

Garrett Hamilton, CEO & Co-Founder of Reach, joined Bryce Carter, CISO for the City of Arlington, at the NTX ISSA Lunch & Learn in Plano, TX — a practical, operator-focused discussion with the local security community.

Security tools don’t usually break. They just slowly stop doing what you think they’re doing. Or perhaps were never set up to do what you needed in the first place. Something got deployed. It worked. Then it drifted. No one noticed. And three years later, you’re questioning the renewal because you’re not even sure what it’s protecting anymore. That’s configuration rot. Thanks to Julian Lee at eChannelNews for the fun, thoughtful and much needed conversation on this topic and more.

We really enjoyed our conversation with Ed Amoroso from TAG Infosphere. We didn’t start Reach to chase headlines. We started it because the hard security problems weren’t getting solved. The important ones rarely are. Security only works when incentives are aligned to the customer’s actual outcome. Not noise. Not theater. Not (exclusively) shiny tools. That alignment is what makes the work worth doing.

“IT giveth. Security taketh.” A topic examined in a print interview with Colt Blackmore, co-founder & CTO of Reach Security, written by Dan Raywood at Security Boulevard: ︎ The long-standing friction between IT enablement and security restriction︎ Configuration drift as the quiet divergence between intended and actual state︎ How incremental change accumulates into measurable risk︎ The challenge of maintaining alignment in complex, fast-moving environments︎ Why drift often remains invisible until consequences surface.

Zero Trust (and probably many general posture) conversations stall at one question: Where are we actually today? Because Reach connects directly through APIs, teams can quickly assess their environment without deploying new agents or ripping anything out. That makes it practical to benchmark a Zero Trust program against the CISA Zero Trust Maturity Model — and see what’s real vs. assumed.

Let's get tactical.

Vulnerability data isn’t the starting point. Context is. Ed Amoroso and Garrett Hamilton unpack why CVEs on their own don’t explain risk. What matters first: ⇢ What assets actually exist⇢ How controls are deployed and configured⇢ What the live posture looks like, not last month’s report With that context in place, vulnerabilities stop being noise and start becoming decisions. Garrett also makes a critical point near the end: many security tools are excellent at producing findings, but far less effective at helping teams resolve them.