Garrett Hamilton & Todd Graham on How AI Agents Change the Way We Think About Security

Garrett Hamilton, CEO and Co-Founder of Reach Security, sits down with Todd Graham, Managing Partner at Microsoft’s venture fund M12, to discuss why modern cybersecurity programs struggle to reduce real risk — despite massive spending on tools. Recorded at Black Hat, the conversation explores how misconfigurations, unused controls, and operational blind spots create exposure long before attackers need advanced techniques.

When Misconfigurations Become the Front Door: What Russia's Edge Device Campaign Signals for Modern Cyber Defense

A recent Dark Reading article highlighted a sobering shift in how nation-state threat actors are gaining access to critical infrastructure. According to reporting on a new Amazon Threat Intelligence disclosure, Russian actors affiliated with the GRU have spent years refining a campaign that increasingly bypasses traditional vulnerability exploitation altogether. Instead, they are walking straight through the front door left open by misconfigured network edge devices.

Risk Acceptance vs Risk Exposure: Making Smarter Security Investments

Before investing in new security tools, it’s critical to understand what your current stack is actually delivering. Barmak Meftah spoke about the importance of baselining existing investments to truly grasp risk acceptance versus real risk exposure. Without that foundation, new acquisitions lack context and are often driven by trends rather than necessity. Smarter decisions come from understanding what is already deployed, how it is configured, and where exposure persists.

Why "We Thought It Was On" Keeps Leading to Breaches

At UC Irvine’s Digital Leadership Agenda 2026, moderated by Nicole Perlroth, Garrett Hamilton illustrates what those blind spots can look like: “We believed it was deployed.” “It was turned on.” “It should have stopped this.” Except one exception, one policy gap, one control not applied at scale — and assumptions replace reality. The real problem isn’t visibility. It’s continuously validating intent against execution.

Misconfigurations Are Still Owning Security Teams

Garrett Hamilton sat down with Todd Graham, Managing Partner at Microsoft’s venture fund, M12, to talk about why M12 invested in Reach and why our mission was a no-brainer for him. Nation-state attacks make the headlines—but most people are getting owned by misconfigured servers, networks, and controls hiding in plain sight. Turns out the problem isn’t what teams don’t own. It’s what they do own that isn’t, in most cases, even turned on.

How Insurity Cut Manual Security Work by 81%

95 hours back. Every. Single. Month. One of the many outcomes from our ZTA journey with Insurity. They didn’t just deploy Zero Trust — they operationalized it. Reach unified controls, automated remediation, and eliminated the manual effort slowing progress. Results: 81% less manual work; 95 hours saved per employee per month; months → days for rollout; Zero Trust that sticks.

Building Security With Customers, Not For Them - Jay Wilson x Garrett Hamilton | Insurity Case Study

Partnership over Procurement: why true collaboration between vendors and security teams is still rare — not because the intent isn’t there, but because most engagements stop at feature checklists. The alternative is more interesting: build together, solve together, and create solutions that fit how teams actually work rather than how tools assume they work. This mindset drove our work with Insurity — a real example of what happens when a security team engages deeply instead of treating tooling as a finished product.

AI vs Security Architects - Augmentation, Not Replacement

Are AI systems replacing security roles? Maybe not the way most people assume. AI isn't eliminating architects — it's augmenting them. Architects sit at the strategic layer: influence, prioritization, long-term posture. AI’s power isn’t replacing that judgment — it’s continuously surfacing what matters, validating configurations, and helping teams scale impact without hiring “more architects.” "If I say something should be done, I need a way to know whether it was done correctly — and continuously."

The Mythical 1+1=3 Model in Cybersecurity

The mythical 1+1=3 model in security? It happens when the tools you already own stop working in isolation — and start working as a system. Jay Wilson and Garrett Hamilton dig into why Reach’s platform approach matters: not just enhancing individual controls, but creating compounding value across identity, endpoint, email, and network. When visibility, configuration, and enforcement align, the outcome isn’t incremental — it’s exponential.

Reach Security Joins the Microsoft for Startups Pegasus Program to Accelerate Agentic AI for E3/E5 Security Optimization

Reach Security announces its acceptance into the Microsoft for Startups Pegasus Program. Through the Pegasus Program, Reach will collaborate with Microsoft to help enterprise customers optimize their use of Microsoft E3 and E5 security suites by addressing configuration, visibility, and operational gaps through agentic AI.