// Security Stack Analysis

Your Stack Is Not Your Security

What each tool actually achieves — and the gaps it leaves open
Active Toolset — Purpose · Achieves · Limitations
🛡 SentinelOne
Purpose: Endpoint Detection & Response (EDR)
✓ What It Achieves
  • Detects and isolates compromised endpoints
  • Maps threats to MITRE ATT&CK techniques (T1562)
  • Alert investigation & false-positive triage
✕ What It Does Not
  • Prevent social engineering or phishing delivery
  • Fix underlying misconfigurations autonomously
📊 Graylog / SIEM
Purpose: Correlate & Centralize Event Logs
✓ What It Achieves
  • Aggregates logs across all client environments
  • Correlates events into defensible timelines
  • Surfaces alert patterns for escalation judgment
✕ What It Does Not
  • Auto-remediate or contain threats
  • Replace analyst interpretation of correlated data
✉️ Proofpoint
Purpose: Email Threat Filtering & Policy Enforcement
✓ What It Achieves
  • Blocks phishing, spam & malicious attachments
  • Enforces email delivery & relay policies
  • Reduces attack surface at the inbox layer
✕ What It Does Not
  • Train users to recognize threats (KnowBe4 does)
  • Stop credential-based BEC with no malicious payload
🌐 Cisco Umbrella
Purpose: DNS-Layer Web Filtering & Threat Blocking
✓ What It Achieves
  • Blocks malicious domains before connection
  • Enforces acceptable-use web policy
  • Provides visibility into DNS query traffic patterns
✕ What It Does Not
  • Inspect encrypted payload content (not a proxy)
  • Replace firewall or endpoint controls
💾 Datto / Backup
Purpose: Business Continuity & Disaster Recovery
✓ What It Achieves
  • Continuous backup with validated integrity checks
  • Fast, tested restore paths (T1490 resilience)
  • Agent health monitoring & failure remediation
✕ What It Does Not
  • Prevent the incident that triggers the restore
  • Replace incident response or root cause analysis
📡 Zabbix / Grafana
Purpose: Infrastructure Monitoring & Observability
✓ What It Achieves
  • Tracks health across 35+ client environments
  • Raises threshold alerts for proactive response
  • Dashboard visibility for performance trends
✕ What It Does Not
  • Auto-diagnose or remediate root cause
  • Replace security-layer threat detection
Where Confusion Happens
"We have SentinelOne deployed."
"We have a SIEM running."
"We have Proofpoint on email."
"We have Datto backing us up."
Owning tools is activity.
Tuned detection with reduced MTTR is outcome.
Validated restores with zero data loss is outcome.
Defensible timelines with evidence-ready logs is outcome.
The Core Principle
Every security tool I operate is aligned to a specific control objective — not just deployed and forgotten. The difference between a tool owner and a practitioner is knowing what each layer actually reduces, where the gaps remain, and how the stack integrates into a defensible design.
  • What risk each tool reduces in the environment
  • What gap it covers vs. what it leaves open
  • What it cannot and should not be expected to solve
  • How alert tuning drives signal-to-noise improvement
  • How layers interlock — EDR, DNS, email, SIEM, backup
  • How outcomes map to client SLA & compliance posture
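As an added illustration of how the layers interlock into a defensible timeline (example code written for this page, not code from any of the products named above, and the alert formats are constructed stand-ins rather than the real export schemas): each layer's alert is normalized into one schema, grouped per host in time order, tagged with the ATT&CK techniques the page references (T1562, T1490), and flagged for escalation when more than one layer fires on the same host inside a short window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime      # normalized to UTC
    layer: str        # edr, dns, email or backup
    host: str
    summary: str
    technique: str    # MITRE ATT&CK ID when the source supplies one, else ""

# Constructed sample alerts, one per layer. Field names are illustrative only,
# not the real export formats of SentinelOne, Umbrella, Proofpoint or Datto.
RAW = [
    {"src": "edr", "time": "2024-03-01T09:14:00Z", "agent": "WS-042", "msg": "tamper attempt blocked", "ttp": "T1562"},
    {"src": "dns", "time": "2024-03-01T09:11:30Z", "client": "WS-042", "domain": "updates-cdn.example", "action": "blocked"},
    {"src": "email", "time": "2024-03-01T09:02:10Z", "recipient": "j.doe@example.test", "host": "WS-042", "verdict": "quarantined"},
    {"src": "backup", "time": "2024-03-01T09:20:45Z", "agent": "WS-042", "msg": "shadow copies deleted", "ttp": "T1490"},
    {"src": "dns", "time": "2024-03-01T13:40:00Z", "client": "WS-017", "domain": "ads.example", "action": "blocked"},
]

def normalize(r: dict) -> Event:
    """Map each layer's own field names onto the shared Event schema."""
    ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    if r["src"] in ("edr", "backup"):
        return Event(ts, r["src"], r["agent"], r["msg"], r.get("ttp", ""))
    if r["src"] == "dns":
        return Event(ts, "dns", r["client"], f"DNS {r['action']}: {r['domain']}", "")
    return Event(ts, "email", r["host"], f"mail {r['verdict']} for {r['recipient']}", "")

def correlate(raw: list, window: timedelta = timedelta(minutes=30)) -> dict:
    """Build a time-ordered timeline per host. A host whose most recent events
    span two or more layers inside `window` is flagged for analyst escalation;
    a single blocked DNS query on its own is noise, not an incident."""
    timelines: dict = {}
    for ev in sorted(map(normalize, raw), key=lambda e: e.ts):
        timelines.setdefault(ev.host, []).append(ev)
    report = {}
    for host, evs in timelines.items():
        recent_layers = {e.layer for e in evs if evs[-1].ts - e.ts <= window}
        report[host] = {
            "timeline": [(e.ts.isoformat(), e.layer, e.summary) for e in evs],
            "techniques": sorted({e.technique for e in evs if e.technique}),
            "escalate": len(recent_layers) >= 2,
        }
    return report

if __name__ == "__main__":
    for host, entry in correlate(RAW).items():
        print(host, "escalate" if entry["escalate"] else "hold", entry["techniques"])
```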
Tools do not create outcomes. Design does.