
An Invitation to Change: introducing the SecOps Cloud Platform

Maxime Lamothe-Brassard, Founder and CEO at LimaCharlie

The SecOps Cloud Platform exists to answer a question that nobody in security wants to say out loud: there is a hard limit on how many tools a team can actually run. Maxime Lamothe-Brassard, LimaCharlie's CEO and co-founder, opened the launch by naming it plainly. The industry ships a new category every week and a new vendor behind every one of them, and that is fine, except that the laws of physics intervene. You can only onboard, integrate, and operationalize so many products built as one-size-fits-all solutions before the work of managing the stack crowds out the work of defending anything. His answer is not another product. It is a different layer underneath all of them.

The model he reaches for is the public cloud. Telemetry retention and search, direct access to endpoints through an EDR agent, the ability to reshape data and route it wherever it needs to go: these are now well-understood primitives. The point of treating them as a platform is to make them assumptions, multi-tenant and API-first, so the value moves up to whatever you build on top. The platform is positioned as an enabler, not a destination.

The case against the single pane of glass

The people on stage who actually run security were noticeably uninterested in the marketing version of consolidation. The enterprise panel kept circling the same complaint: everybody sells a single pane of glass, but not many people achieve it, and the biggest cost in a security program is people, not software. Every minute an analyst spends switching back and forth between consoles is a minute off target.

Fred Wilmot, who has been a CISO and now leads product at Interpres Security, pushed past tooling entirely. What matters, he argued, is the life cycle of the work: a team investigates a technique, then works its way left in the process toward fixing the thing that produced the alert, so that detection never has to fire again. The trouble is that working left gets harder at every step, which is why the SOC keeps consuming the same alerts and the same incidents over and over. Reduce that friction and you get a clearer path to the fix. Wilmot was blunt that the payoff is not only better controls but staff retention and quality of life, the people side of the equation that consolidation pitches almost never mention.

His deeper objection was about ownership, and it is easy to skip past. When an organization hands the mantle of its operations to a managed detection provider or a SaaS vendor, that vendor starts making changes without the customer's context. That, he said, is the negative side of the value proposition, the thing that gets vendors thrown out. A platform that hosts your operations while leaving you autonomy over them, even when it is cloud hosted, is in his words substantively valuable to a CISO. The argument is not that one console is prettier. Consolidation only counts if you still control what is happening inside it.

What service providers and builders actually do with primitives

The most concrete evidence came from the operators. Paul Imhof of Soteria and Lee Salt, now at Cyber Triage and previously an incident response lead, described the same arc: start with the EDR, pull in AWS logs, Office 365, and Microsoft Defender telemetry so a client's data lands in one place rather than scattered across consoles, then shoot the shaped data back out, running detection and response in LimaCharlie while pushing data into Elastic for deeper querying. The unglamorous parts mattered most to them. Spinning up a new client organization takes a credit card and a few API calls, with no sales rep and no deal registration, after which automation applies the standard configuration. Role-based access controls cut down on cross-tenant accidents. And there is no arbitrary cap on custom rules, the way some platforms limit you to a hundred; the operators described running well over five hundred signatures at any given time, often by pointing the platform at a GitHub repository instead of waiting on a single vendor to upload a signature it may not even have the data to write.

The praise for the sleeper sensor was the sharpest illustration of why primitives beat products in a crisis. A low-cost dormant agent deployed under an incident response retainer means responders already have presence the moment an incident hits. They can come in and start the investigation immediately, without running an enterprise-wide software deployment first, which is exactly when remote access tends to disappear.

For builders, the argument turned economic. Eric Capuano of Recon InfoSec described spending thirty to forty to fifty hours a week just keeping monolithic infrastructure alive, which stalled new work and made margins hard to predict. Moving to a fixed-cost, on-demand platform put that scaling concern in the past and freed his team to ship customer-facing features instead. He and Amanda Berlin of Blumira both described the same real-time payoff: getting into a live ransomware case, extracting IOCs from an impacted host, and writing detection-and-response rules that automatically isolate the machines an attacker has already touched, cutting off the bleeding rather than performing a post-mortem. Berlin's team built a full integration with Blumira's product in about three and a half months with only a handful of people. Capuano named the real prize, and the ecosystem panel with John Tuckner of Tines, Casey Smith of Thinkst, and Huxley Barbee of runZero said it in their own words: agent is a four-letter word to customers, who do not want yet another one on their systems. The value is consolidating function so a service provider is not dropping one more.

The launch closed with a preview of binlib, a private store of every binary that has executed in your environment, built to search execution metadata and run Yara scans at scale so you can answer a retroactive question like whether a threat actor touched you in the past. It was in private beta at the time, with general availability planned for Black Hat. Like everything else, it is designed as a feature of the platform rather than a silo, which is the whole thesis restated. The interesting move in security is no longer the next box. It is owning the layer that every box now runs on.
