The SecOps Cloud Platform for Managed Security Service Providers

Christopher Luft, Co-founder at LimaCharlie

Ask a vendor what their product does and you get a list. Ask a service provider what they actually need and you get something stranger: the freedom to do things the vendor never imagined. That gap is the real subject of this panel. Christopher Luft, a LimaCharlie co-founder, moderates, but the argument comes from the two operators across from him. Paul Ihme, co-founder and managing principal at Soteria, runs managed and incident response work. Lee Sult, formerly co-founder and CTO at Horangi and chief incident response officer at Black Panda, now a principal investigator at Cyber Triage, comes in after the breach. Neither of them describes LimaCharlie as a tool that solved their problem. They describe it as a thing they can build on, and the distinction matters more than it sounds.

The most useful platform is the one that wasn't designed for you

The tell comes when Ihme stops mid-sentence to make a point he clearly cares about. "I 100% believe that the SecOps Cloud Platform was not designed for that use case," he says, "but it just gives you all these APIs and extendability that you can just be creative with." That is not a complaint. It is the entire value proposition. A purpose-built tool encodes someone else's assumptions about how the work should go. When a client asks for something outside those assumptions, the tool says no. Ihme's version of the job is the opposite: a client comes with a hard problem, and the answer is "we can do this and this and put them together, good to go."

Sult arrives at the same place from the incident response side. His hard questions come from customers, compliance auditors, regulators, and outside counsel, and they are usually some form of "what data do you have." With most stacks, the honest answer is "I don't know, and I have to wait several days to find out." His differentiator is not a feature. It is being able to answer at all, because the data is in one place rather than behind fifteen tabs and three vendor support tickets. Quality of service, in his framing, is just the absence of that scramble.

Speed is a billing event before it is a technical one

Both operators treat the platform's speed as something they can sell, not just admire. For incident response, the first hours decide the outcome, and onboarding friction is the enemy. A provider can stand up a new client organization with a credit card, skipping sales reps and deal registration, then let automation pour in standard configurations and threat hunting rules the moment the tenant exists. Sult's demo of choice is registering a virtual machine: by the time you alt-tab back, it is already in the platform. Detections hit the backend immediately, with no query runner or five-minute scheduled scan deciding when you find out you have been breached.

That speed compounds at scale because the API turns fleet-wide work into a few lines of Python. Find a known-malicious file across every endpoint, tag the offline ones to check later, mark the compromised ones, done. Sult, who shows up after an attacker is already inside, values being able to push whatever he needs into a live environment, Cyber Triage or even Meterpreter, without rewriting deployment scripts and hoping they fire. Pull new indicators out of one tool, feed them into another, scope the whole intrusion in minutes.
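The fleet sweep described above, as an added example that is not the panel's or LimaCharlie's own code: `FleetClient` and its inventory are a hypothetical in-memory stand-in for a fleet API, assumed here so the triage logic (defer offline hosts for a later pass, tag hosts where the hash is present) runs offline.

```python
# Constructed sample inventory (hypothetical; not a LimaCharlie API).
# sensor id -> whether it is checked in, and the file hashes seen on disk
INVENTORY = {
    "sid-web-01": {"online": True,  "hashes": {"aaa111", "bbb222"}},
    "sid-db-02":  {"online": False, "hashes": {"bad999"}},
    "sid-ws-07":  {"online": True,  "hashes": {"bad999", "ccc333"}},
}


class FleetClient:
    """Hypothetical thin wrapper over a multi-tenant fleet API (stand-in only)."""

    def __init__(self, inventory):
        self._inv = inventory
        self.tags = {sid: set() for sid in inventory}

    def sensors(self):
        return list(self._inv)

    def is_online(self, sid):
        return self._inv[sid]["online"]

    def has_file_hash(self, sid, sha256):
        return sha256 in self._inv[sid]["hashes"]

    def tag(self, sid, tag):
        self.tags[sid].add(tag)

    def untag(self, sid, tag):
        self.tags[sid].discard(tag)


def sweep(client, ioc_hashes, recheck_tag="ioc-recheck", hit_tag="ioc-compromised"):
    """One pass over the fleet: offline hosts are tagged for a later pass,
    online hosts are queried for the IOC hashes and tagged on a hit.
    Re-running the same function after offline hosts check in clears the
    deferral tag and finishes the sweep. Returns sensor ids grouped by outcome."""
    result = {"compromised": [], "clean": [], "deferred": []}
    for sid in client.sensors():
        if not client.is_online(sid):
            client.tag(sid, recheck_tag)   # come back when the host checks in
            result["deferred"].append(sid)
            continue
        client.untag(sid, recheck_tag)     # online now, so the deferral no longer applies
        if any(client.has_file_hash(sid, h) for h in ioc_hashes):
            client.tag(sid, hit_tag)
            result["compromised"].append(sid)
        else:
            result["clean"].append(sid)
    return result
```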

The economic argument runs underneath all of it. Ihme and Sult both keep returning to billing transparency, and they mean it as a margin issue, not a nicety. Sult has lived the other version, where a vendor quietly guarantees a big customer a lower price while still charging him the original rate "because it's too complicated to figure that out." Clear per-tenant cost means a provider passes spend to the client cleanly and, with the data the platform exposes, can answer the CFO question: which customers are expensive to serve, and which capabilities are paid for but never monetized.

Building blocks beat a feature list

The pattern that makes the panel cohere is that almost every advantage they name is something they assembled rather than something they were handed. Multi-tenancy lets one team carry many clients, and lets a single client split into separate organizations so European and US alerts route to different teams. Role-based access controls mean fewer accidents across all of it. Detection rules are portable: point a tenant at a GitHub repository, paste a signature someone dropped in a Slack or Discord channel during an active campaign, or pull from Soteria's own add-ons, rather than waiting on a vendor that may not even have the data to write the rule. Neither operator runs into an arbitrary cap on custom rules; Ihme keeps well over 500 in place.

The sleeper sensor is the clearest case of the building-block mindset paying off as a service. A provider deploys low-cost dormant sensors under a retainer, so when an incident hits, the presence is already there. That solves two specific problems Sult and Ihme name from experience. Yanking the internet to contain an attack breaks remote forensics, while a sleeper sensor isolates and re-enables hosts cleanly. And during a live incident, frightened staff hide endpoints, not out of malice but because, as Sult puts it, they have "mouths to feed at home." Coverage that was already in place removes the scramble of an enterprise-wide software push at the worst possible moment.

Even the gaps they point to are framed as openings rather than missing features. Sult floats wiring SOAR-style logic into the API for clients too small to buy SOAR, checking whether a newly created user has MFA enabled yet, an idea he is careful to flag as a possibility rather than something he has deployed. Ihme recalls the time Luft made LimaCharlie change the color of his home Hue lights when a file was opened, a silly proof of concept that nonetheless gets a team thinking about what else the same plumbing can carry. Both men land on the same horizon: security is leaving the on-prem network for cloud platforms and scattered SaaS apps, where visibility is thin and what exists charges a fortune. The reason they expect to follow it is structural. A platform that ingests telemetry regardless of source, lets them tinker, and prices predictably is one they can adapt as the threat moves. That is the difference between owning infrastructure and renting a product. For a service provider, it decides whether the next client's hard problem is a sale or an apology.

See what agentic SecOps looks like in your environment

LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.