COMMENTARY: I've spent 25 years in cybersecurity. I ran a business unit at Proofpoint — the largest email security company in the world. I've built security products at McAfee and Intel Security. I've seen every evolution, every “next-generation” claim, every paradigm shift.
And here's what I've concluded: we've been sacrificing virgins to appease the volcano.
Every signature-based detection system, every machine learning model trained on attack data, every threat intelligence feed operates on a single foundational assumption: someone has to get hit first.
A new phishing campaign hits. It succeeds against Organization A. Security vendors analyze the attack, extract indicators, update their signatures. Organizations B through Z get protection — but only because Organization A took the hit.
It's the “Patient Zero” model. We've so thoroughly normalized it that we've stopped questioning whether it's acceptable. The security industry's value proposition depends on a steady supply of victims whose suffering generates the intelligence that protects everyone else.
We've industrialized the sacrifice. We've built billion-dollar businesses around it.
The math should haunt us
Our research team recently analyzed 2,766 advanced email threats that bypassed existing security stacks (Microsoft E5, Mimecast, Proofpoint). Every one reached real inboxes at real organizations.
Shockingly, we found 98.4% of attacks were unique. Out of 2,766 detections, we identified 2,721 distinct attack fingerprints. Each combined deception tactics and technical anomalies in ways never seen before.
We documented 4,441 unique deception tactics. Not 50. Not 500. Thousands of distinct psychological manipulation approaches, each potentially novel enough to evade signature-based detection.
Under the traditional model, each variant requires its own signature. Different sending domains, different filler content, different URL structures, different evasion techniques. Pattern-matching needs to see each variant succeed somewhere before protecting anywhere else.
How many of those 2,766 attacks represented “Organization A” in the sacrifice ritual? How many victims were required to generate signatures that would have caught them?
In our architecture: zero.
The “prosecutor-only” problem
Traditional email security suffers from what I call the “prosecutor-only problem.” These systems can only hunt for guilt — they have no mechanism to establish innocence.
But the sacrificial model goes deeper. It's not just that these systems can only prosecute. It's that they can only prosecute crimes that have already been committed elsewhere.
A prosecutor who can only try cases identical to past convictions isn't a prosecutor. They're a historian. And history, in cybersecurity, gets written by victims.
Machine learning didn't solve this; it industrialized it. Instead of human analysts extracting signatures from successful attacks, we trained models on datasets of successful attacks. The fundamental dependency on victims remained. We just made the ritual more efficient.
Today's inflection point
We're at a critical juncture.
AI-generated attacks are becoming the norm. Polymorphic threats that look different every time they're deployed. Attacks generated on the fly, optimized in real time, personalized to each target.
In this environment, the sacrificial model doesn't just become ineffective — it becomes absurd. When every attack is novel, waiting for victims creates infinite vulnerability. We can't build signatures fast enough. We can't retrain models fast enough. The volcano demands sacrifices faster than we can deliver them.
If you're a CISO, the next time your team evaluates an email security vendor, ask: “How many victims were required to generate our detection capability?”
If they talk about threat intelligence partnerships, ask where that intelligence comes from. If they talk about machine learning, ask what training data fed the models. If they talk about signature databases, ask how those signatures were created.
Trace the lineage and, at some point, you will find the sacrifice.
First-principles detection — reasoning about what an email is trying to accomplish rather than matching it against historical attacks — eliminates this dependency entirely. Malicious intent has characteristics that don't require a prior victim to identify. An email trying to harvest credentials has a purpose detectable through reasoning, not matching.
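To make the contrast concrete, here is an added toy illustration (not code from the column or from StrongestLayer) of the two approaches on three constructed messages: the attack that hit “Organization A”, a polymorphic variant of it, and a benign notice. The signature check only fires once a fingerprint has been extracted from a prior victim, while the intent check is a deliberately simple stand-in for reasoning about purpose (credential request, time pressure, link to a host other than the sender's domain); the heuristics and sample data are assumptions for illustration, not any vendor's method.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample messages (not real campaign data).
ATTACK_A = {
    "sender": "it-support@example-helpdesk.test",
    "subject": "Password expires today",
    "body": "Your password expires in 2 hours. Verify your account now: "
            "http://login-portal.test/verify",
}
VARIANT_B = {  # same goal, different domain, filler text and URL structure
    "sender": "helpdesk@example-accounts.test",
    "subject": "Action required: account verification",
    "body": "Hi team, quick reminder from IT. Please confirm your login "
            "credentials within 24 hours at http://account-check.test/confirm",
}
BENIGN = {
    "sender": "newsletter@example-vendor.test",
    "subject": "October product update",
    "body": "Read this month's release notes at https://example-vendor.test/blog",
}

URL_RE = re.compile(r"https?://\S+")
CREDENTIAL_WORDS = re.compile(r"\b(password|login|credentials|verify|confirm)\b", re.I)
URGENCY = re.compile(r"\b(expires?|within \d+ hours?|today|action required|now)\b", re.I)

def fingerprint(msg):
    """Signature-style fingerprint: sender domain + link hosts + normalized subject."""
    domain = msg["sender"].split("@")[-1].lower()
    hosts = sorted(urlparse(u).hostname or "" for u in URL_RE.findall(msg["body"]))
    subject = re.sub(r"\W+", " ", msg["subject"].lower()).strip()
    return hashlib.sha256(f"{domain}|{','.join(hosts)}|{subject}".encode()).hexdigest()

def signature_detect(msg, known):
    """Matches only attacks whose fingerprint was already extracted from a victim."""
    return fingerprint(msg) in known

def intent_detect(msg):
    """Toy first-principles check: is the reader pressured to submit credentials
    at a link whose host is not the sender's own domain?"""
    text = msg["subject"] + " " + msg["body"]
    sender_domain = msg["sender"].split("@")[-1].lower()
    link_hosts = {urlparse(u).hostname for u in URL_RE.findall(msg["body"])}
    external_link = any(h and h != sender_domain for h in link_hosts)
    return bool(CREDENTIAL_WORDS.search(text) and URGENCY.search(text) and external_link)

if __name__ == "__main__":
    known = {fingerprint(ATTACK_A)}  # exists only because Organization A was hit
    for name, m in [("attack_a", ATTACK_A), ("variant_b", VARIANT_B), ("benign", BENIGN)]:
        print(name, "signature:", signature_detect(m, known), "intent:", intent_detect(m))
```

Running it shows the variant slipping past the signature check while the intent check flags both attacks and leaves the benign notice alone.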
I don't say all of this from moral superiority. I spent years building and selling products that operated on the victim model. I believed the same things everyone else believed. It took stepping back and asking first-principles questions to see what we'd normalized.
The security industry won't abandon the sacrificial model overnight. Too much infrastructure, too many business models, too many assumptions are built on it.
But individual organizations don't have to wait. The technology to detect threats without prior victims exists. CISOs have to ask if they are willing to question the assumption that someone has to get hit first.
The “volcano mentality” was never a god. It was just a gap in our thinking that we filled with ritual instead of reason.
Over time, we can change it.
Alan LeFort, co-founder and CEO, StrongestLayer

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.