Detection over compliance: building security that stops attacks
By Jason Waits, Chief Information Security Officer at Inductive Automation
I’ve always loved solving puzzles and challenges—the harder the better. That’s one of the reasons I was drawn to cybersecurity. When the landscape is constantly shifting beneath your feet, you have to keep finding the right pieces to prioritize safety. That’s what we do at Inductive Automation, the coolest company you’ve never heard of.
Our business model relies on keeping companies in some of the world’s most critical sectors online and secure. We make SCADA software, the systems used to monitor and control industrial processes. Our web-based Ignition platform, used by nearly 70% of Fortune 100 companies, enables businesses to control their industrial processes and track, display, and analyze their data. Our software plays a crucial role in protecting the supply chains of major companies in key sectors, including energy, pharmaceuticals, and data centers.
Our software is installed in the most critical, often air-gapped parts of global infrastructure, and my number one mission is ensuring our software never becomes a vector for a breach. By protecting Inductive Automation we are protecting all our customers downstream.
The compliance trap: when security programs lack teeth
Here’s an uncomfortable truth: many security programs are built to pass audits, not stop attacks.
Organizations often build the skeleton of a cybersecurity program, but there’s no real meat on the bones. They check the boxes, develop policies, and run quarterly reviews, but when an actual attacker arrives unannounced on a Saturday night, the gaps in incident response capability become painfully obvious.
Many security programs over-index on governance, risk, and compliance (GRC) and under-index on actual prevention and detection. The adage I live by is simple: prevention is ideal, but detection is a must. The most beautiful compliance framework in the world is useless if you can’t see an attack happening in real time and respond within minutes.
The problem compounds with rapid scale. When Inductive Automation transitioned to remote work, we went from one office in California to having employees in 30 states and Australia almost overnight. Our main business hours suddenly spanned the globe, and the expanded footprint meant more after-hour security alerts.
We were in a classic dilemma: do we keep pulling our best people away from strategic projects to chase noise, or do we hire our way out of the problem? The math indicated that we would’ve needed at least six more people just to maintain basic 24×7 coverage. The answer to our coverage problem wasn’t more headcount—it was more automation.
Automation as a security philosophy
There’s truth in advertising. “Automation” is in our name, and we take an automation-first approach to everything we do.
This philosophy extends to our security stack. I’m not sold on the platformization trend of going all-in on one vendor. It usually involves trading efficacy for easier administration, and that’s a bad trade. I prefer a best-of-breed approach, where we pick products that align with our automation-first strategy and solve a singular problem.
More than being about tools, automation involves building a defense that can stop attacks at scale. Compliance frameworks might require an incident response plan, but they don’t test whether that plan can execute at 2 AM on a holiday. Our team can’t be on the clock around the clock, so we brought in a managed detection and response (MDR) partner to monitor our environment and be ready to respond at any time.
When evaluating MDR providers, I wanted one that would slot in on top of our existing best-of-breed stack. I also craved transparency, because I hate trying to navigate a black box to know whether we’re protected.
We found this partner in Expel. They expose their detection logic, integrate cleanly with our tools, and can trigger automated responses when needed.
The human element: where AI hype meets reality
As much as I believe in automation-first security, I’m deeply skeptical of the current push to automate everything with AI. Instead, I use AI where it makes sense—like adding nuance and context to ambiguous investigations—but not for taking critical actions like quarantine or account disablement. I still want a human in the loop.
Our choice of an MDR partner reflected this philosophy.
Having hard-coded automations trigger AI workflows for context, then relying on a human expert to make the final call, offers a level of security we can’t get from an AI-only approach. Automation catches things in real time, and human expertise helps to understand context, make nuanced decisions, and avoid false positives that disrupt operations. These capabilities create a security model that’s fast and intentional while building real incident response capability, not just a policy document that says you have one.
A security model that works
Shortly after expanding detection and response capabilities with Expel, we conducted an internal penetration test to simulate an IT admin account getting compromised. We disabled certain security features in our EDR and application control software and granted the pen tester access to an IT laptop. We let them loose on our environment to try stealing credentials and performing other nefarious actions.
Despite our attention to detail, we forgot to mention the test to Expel. In less than 10 minutes, the device had been quarantined. The pen tester Slacked me, saying they’d lost access to the device.
I’ve seen this play out in real situations, too. During one event, we watched as the platform automatically locked down accounts the moment credentials appeared on sketchy ISPs in other countries. Instead of just sending an alert that someone was active, the system neutralized the threat in real time. Integrating this automated response capability into our fabric allows me to focus on bigger-picture risk management, not manual intervention.
A SOC 2 report won’t tell you if you can act in under 10 minutes. Can you simulate an attack and prove your defenses work? Can you measure response times and hold teams accountable to them? These validations separate real security programs from compliance theater. If you can’t answer these questions, you’re just hoping for the best.
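The account-lockdown behaviour described in this section (credentials used from an unexpected country or ISP get locked down automatically, ambiguous cases go to a human) and the "can you act in under 10 minutes" question, as an added illustrative example in Python. This is not Inductive Automation's or Expel's code: the per-account baselines, the high-risk ISP names, the sample sign-in events and the analyst callback are all constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Constructed per-account baseline: where each account normally signs in from.
# A real deployment would derive this from sign-in history, not hard-code it.
BASELINE = {
    "jdoe": {"countries": {"US", "AU"}, "isps": {"comcast", "telstra"}},
    "it-admin": {"countries": {"US"}, "isps": {"comcast", "corp-vpn"}},
}

# Hypothetical high-risk providers (anonymising VPNs, abused hosting ranges).
HIGH_RISK_ISPS = {"anon-vpn-example", "bulk-hosting-example"}

# The bar the article sets: detect and act in under 10 minutes.
RESPONSE_TARGET = timedelta(minutes=10)


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    country: str
    isp: str
    success: bool


@dataclass(frozen=True)
class Decision:
    user: str
    action: str  # "lockdown", "review" or "allow"
    reason: str


def evaluate(event: SignIn) -> Decision:
    """Deterministic rule: the fast, hard-coded part of the pipeline."""
    if not event.success:
        return Decision(event.user, "allow", "failed attempt, no session created")
    profile = BASELINE.get(event.user)
    if profile is None:
        return Decision(event.user, "review", "no baseline for this account")
    isp = event.isp.lower()
    foreign = event.country not in profile["countries"]
    unknown_isp = isp not in profile["isps"]
    if foreign and (unknown_isp or isp in HIGH_RISK_ISPS):
        return Decision(event.user, "lockdown",
                        f"successful sign-in from {event.country} via {event.isp}")
    if unknown_isp:
        return Decision(event.user, "review",
                        f"unfamiliar ISP {event.isp} in an expected country")
    return Decision(event.user, "allow", "matches baseline")


@dataclass(frozen=True)
class Action:
    decision: Decision
    acted_at: datetime
    time_to_act: timedelta
    within_target: bool


def respond(events: Iterable[SignIn], latency_seconds: int,
            human_review: Callable[[Decision], bool]) -> list[Action]:
    """Apply decisions; ambiguous ones go to a human, and every action is timed.

    latency_seconds simulates pipeline delay (ingest, enrichment, analyst). In
    production acted_at would be datetime.now(timezone.utc) when the lockdown
    API call returns.
    """
    actions = []
    for ev in sorted(events, key=lambda e: e.ts):
        d = evaluate(ev)
        if d.action == "review":
            # Human in the loop: the analyst, not the automation, makes the final call.
            final = "lockdown" if human_review(d) else "allow"
            d = Decision(d.user, final, d.reason + " (analyst decision)")
        delta = timedelta(seconds=latency_seconds)
        actions.append(Action(d, ev.ts + delta, delta, delta <= RESPONSE_TARGET))
    return actions


def report(actions: list[Action]) -> dict:
    """The metric that matters: how fast did we act on credential misuse?"""
    lockdowns = [a for a in actions if a.decision.action == "lockdown"]
    slowest = max((a.time_to_act for a in lockdowns), default=timedelta(0))
    return {
        "lockdowns": len(lockdowns),
        "slowest_lockdown_seconds": int(slowest.total_seconds()),
        "all_within_target": all(a.within_target for a in lockdowns),
    }


# Constructed sample sign-ins (not real log data); a Saturday at 02:00 UTC.
T0 = datetime(2024, 1, 6, 2, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("it-admin", T0, "US", "Comcast", True),
    SignIn("it-admin", T0 + timedelta(minutes=4), "NL", "anon-vpn-example", True),
    SignIn("jdoe", T0 + timedelta(minutes=7), "AU", "Telstra", True),
    SignIn("jdoe", T0 + timedelta(minutes=9), "US", "regional-mobile-example", True),
    SignIn("jdoe", T0 + timedelta(minutes=12), "BR", "bulk-hosting-example", False),
]

if __name__ == "__main__":
    # Stand-in analyst: only escalates accounts that have no baseline at all.
    results = respond(SAMPLE_EVENTS, 180, human_review=lambda d: "no baseline" in d.reason)
    for a in results:
        print(f"{a.decision.user:9} {a.decision.action:9} "
              f"{int(a.time_to_act.total_seconds())}s  {a.decision.reason}")
    print(report(results))
```

The split between `evaluate` and `respond` is the point: the clear-cut case (a successful sign-in from a country and provider the account has never used) is locked down by the deterministic rule, while the ambiguous case (an unfamiliar ISP in an expected country) is handed to a person, which is where the automated context enrichment mentioned earlier would sit. `report` turns "can we act in under 10 minutes" into a number you can track and hold a team to.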
Building security that enables growth
When you can detect and respond to threats quickly, you can embrace opportunities that might otherwise seem too risky.
For us, this meant fully embracing cloud infrastructure to support our global expansion. We now have 50+ cloud accounts that allow us to enhance our velocity and scale globally. From a security perspective, these accounts add massive complexity, but the right detection capabilities mean we can manage that complexity without stretching our team too thin.
With proven, reliable detection and response capabilities, security stops being a constraint and starts being an enabler. Yes, building robust detection and response capabilities requires investment. But the alternative—limiting growth to what your security team can manually monitor or scaling without adequate protection—is ultimately far more expensive.
By building detection into the fabric of our operations, we now have 24×7 coverage that meets our security needs without exceeding our budget. It prevented us from having to more than double our team size. We now have the confidence to pursue our ambitious growth strategy and scale our business while maintaining the security posture our customers depend on.
The path forward: detection-first security
If you can’t see what’s coming, you can’t stop it. That principle should drive every security decision, and it requires a shift in how we think about security investments. Instead of treating security as a checklist of compliance requirements, we need to treat it as a capability to be tested, measured, and continuously improved. We need metrics that matter—not just “how many policies do we have?” but “how fast can we detect and respond to a credential theft?”
The organizations that get this right will be the ones that can scale confidently and embrace innovation without fear. The reality is, you can have all the compliance certifications in the world, but they won’t give you the confidence to scale into new markets or adopt new technologies. Only real detection capabilities do that. The organizations that don’t have them will keep checking compliance boxes until the day an attacker highlights the difference between looking secure and being secure.
The ground continues to shift, and the key is maintaining visibility and speed. With the right approach—automation where it makes sense, human judgment where it matters, and a relentless focus on proven detection capabilities—we can make smarter, risk-based decisions about our security posture as new threats emerge.
It’s been the greatest puzzle I’ve ever faced, and I’m still putting the pieces in place.
