Detection Is Only as Good as Its Source
July 2, 2025 in Security by Tech Scout
What if your detection tools are built on compromised data? In this live pitch from the Stealth Security Experience in Chicago, Chris Nyhuis, CEO of Vigilant, breaks down what most security teams are getting wrong. Detection fails when the data it relies on can't be trusted.
At the Stealth Security Experience in Chicago, one of the partners stepped into a Shark Tank-style pitch. Chris Nyhuis, President and CEO of Vigilant, didn’t talk about integrations or buzzwords. He talked about trust. Or the complete lack of it.
His point was simple. Most security tools are pulling data from systems that can’t be trusted. And if you start there, it doesn’t really matter how advanced your detection stack is. You’re still guessing.
Most Detection Starts Too Late
Security teams are trained to collect. Logs, alerts, endpoint data, network flows—pull it all in and hope it tells the truth. But here’s the catch. A lot of that data is generated by systems that may already be compromised.
If the logs are poisoned, the alerts are worthless. That’s how you end up with a 287-day average to detect a breach. The industry has normalized that number. It’s been stuck there for years. Not because attackers are getting faster, but because defenders are still trusting data they shouldn’t.
Validation Beats Volume
Nyhuis made a comparison that stuck. When someone lies to you, you don’t keep trusting them. You check their story against someone reliable. That’s what most detection strategies are missing. They collect data, but they don’t validate the source.
Meanwhile, vendors keep pushing more collection. More storage. More alerts. It’s a great business model. Just not a great detection model. Collecting more low-trust data doesn’t improve your odds. It just adds more noise.
So What’s Working?
Some teams are rethinking how they approach visibility. Instead of pulling logs from systems that might already be compromised, they’re generating clean data from the start. They’re using out-of-band sensors that attackers can’t easily reach. They’re anchoring detection to something reliable and building from there.
It’s not based on assumptions. It’s based on proof. And that changes everything.
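The cross-check described above, as an added example that is not from the talk or from Vigilant: connection logs reported by a host are compared with flows recorded by an out-of-band sensor, and mismatches in either direction are surfaced. The log format, addresses and matching tolerance are constructed assumptions.

```python
"""Reconcile host-reported connection logs against an out-of-band sensor."""
from datetime import datetime, timedelta

# Constructed sample data. Assumed line format: ISO time, src, dst, dst port.
HOST_LOG = """\
2025-07-02T10:00:01 10.0.0.5 10.0.0.20 443
2025-07-02T10:00:07 10.0.0.5 10.0.0.30 53
2025-07-02T10:02:00 10.0.0.5 10.0.0.40 22
"""
SENSOR_LOG = """\
2025-07-02T10:00:02 10.0.0.5 10.0.0.20 443
2025-07-02T10:00:07 10.0.0.5 10.0.0.30 53
2025-07-02T10:01:15 10.0.0.5 203.0.113.9 8443
"""

def parse(text):
    """Turn log text into a list of (timestamp, (src, dst, port)) records."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            records.append((datetime.fromisoformat(ts), (src, dst, int(port))))
    return records

def reconcile(host_text, sensor_text, tolerance_s=5):
    """Return (unreported, unconfirmed).

    unreported:  flows the sensor saw that the host never logged.
    unconfirmed: host entries the sensor cannot corroborate.
    tolerance_s absorbs clock skew between the two sources.
    """
    tol = timedelta(seconds=tolerance_s)
    host, sensor = parse(host_text), parse(sensor_text)
    used, unreported = set(), []
    for s_ts, s_key in sensor:
        # Pair each sensor flow with at most one unused host entry.
        match = next((i for i, (h_ts, h_key) in enumerate(host)
                      if i not in used and h_key == s_key
                      and abs(h_ts - s_ts) <= tol), None)
        if match is None:
            unreported.append((s_ts.isoformat(), *s_key))
        else:
            used.add(match)
    unconfirmed = [(h_ts.isoformat(), *h_key)
                   for i, (h_ts, h_key) in enumerate(host) if i not in used]
    return unreported, unconfirmed

if __name__ == "__main__":
    print(reconcile(HOST_LOG, SENSOR_LOG))
```

An unconfirmed host entry can also mean a gap in sensor coverage, so both lists are leads to verify rather than verdicts.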
Ask the Right Questions
If you’re leading security, start here:
Where is our log data coming from?
Can someone manipulate it before we see it?
Are we validating any of it, or just reacting?
If the answer to any of those is “we don’t know,” that’s the breach window.
Real Detection Doesn’t Happen at the Dashboard
Most companies don’t have a tooling problem. They have a trust problem. And until that gets fixed, no alert can be fully trusted either.
The teams that are getting this right aren’t looking for more visibility. They’re building smarter sources. That’s what turns detection from a guessing game into something you can count on. And that’s what actually shortens the gap.
Chris Nyhuis is the CEO and Co-Founder of Vigilant, a cybersecurity company focused on clean data and verified detection. With more than 30 years in the field and multiple patents to his name, Chris focuses on solving the problems most teams overlook by starting at the source. He has worked across critical infrastructure, enterprise environments, and national security programs, always with an eye on what’s real, what’s working, and what needs to be rebuilt.