Why?
I think it's a fair question to ask why we are still losing to adversaries. We have decent detection and prevention platforms, we have centralized telemetry, we even have amazing AI, and we are still going to lose today and tomorrow to the average adversary.
The technological revolution of the last twenty years changed our lives. It also reshaped the attack surface, and our defenses haven't caught up.
The world changed.
When I started my career in the late 1990s we had on-premise environments, air-gapped by design. We had physical servers, we knew where they sat in the building, and the database servers had labels you could read off the rack: SQL-SRV-05. You always knew where your data was.
Then everything moved.
AWS launched EC2 in 2006 and companies started moving their data into compute they couldn't see. The iPhone arrived in 2007 and people's working hours moved with them, onto a device that wasn't on the corporate network. Bitcoin went live in 2009 and gave attackers a way to get paid that nobody could trace. COVID hit in 2019 and remote work stopped being an exception. Each of these was a productivity story when it happened, and a security problem afterward.
Today the data sits in places I couldn't draw on a whiteboard if I tried, and the people are spread across the same map.
Is it possible to protect it?
We will never get to 100% protection. But we can do a far better job than we are. Most SOCs are running the same tools they've run for years, and attackers have been evolving against those exact tools every week of that time.
If it takes you hours to get process information from a specific endpoint, you can't win. If it takes hours to know whether a suspicious network connection has happened only once in the last year, you can't win.
A data-driven challenge
Cybersecurity is a data problem. So you need a data tool, one that doesn't require a twenty-year skillset to operate. The path forward is technology that doesn't ask the analyst to be a data engineer first.
We need tools that meet cybersecurity professionals where they already are, instead of demanding they learn another query language.
Do we need more security professionals? Or maybe a bigger training budget? I don't think so. Let's win this time.
If this matches your read of the field, we'd love to compare notes. Get in touch, or read why we built TandemTrace.