Every once in a while, something happens that leaves you walking away feeling like you got away with murder. Today, I get to share with you one of my latest exploits.

My coverage here at Forrester for the past 3-plus years has been vulnerability management, threat intelligence, detection technologies, and incident response. While each of these areas is interesting in and of itself, I wasn’t able to tell the story of detection and response from the cradle to the grave. Here’s where things get interesting . . . as many of you know, we recently promoted three analysts on the security and risk team to research director, which left us needing to backfill roles. This is where I saw my opportunity.

I thought to myself, “What if I took on security analytics and SOC operations?” This would give me the coverage of anything that has a red light that turns on and everything you do in response to it from triage through response. I pitched the idea, and it was accepted, so moving forward, my coverage will look roughly like this (non-exhaustive) list:


  • Security analytics
  • Security incident management (SIM)
  • Network analysis and visibility (NAV)
  • Endpoint detection and response (EDR)
  • Security automation and orchestration (SAO)
  • Security operations center (SOC) operations
  • Cybersecurity incident response
  • Ransomware mitigation

I spent most of my cybersecurity career on the offensive security side and often joke about how I switched teams, from “red” to “blue,” when I founded an EDR company years ago. While this background might not be what you’d expect from the new SIM analyst, I present to you a perspective from someone who has either built or broken a lot of the technology we use to defend our organizations — a new hope.

I will continue taking inquiries in vulnerability management as well as threat intelligence/digital risk protection until my backfill has been hired (every time I say that, it feels like planning my own funeral).

I’m planning on using the second week of November for briefings in the security analytics space, and if you’re an EDR vendor that hasn’t gotten the screener for my upcoming Now Tech reports/Forrester Wave™ evaluations, you should have, so it’s time to reach out.