
Your Security Vendor Has Root. Now What?

Patrick Duggan · 2026-03-04 · 5 min read

The Post That Hit a Nerve



Last week I wrote six paragraphs on LinkedIn about a simple observation: your security vendor has more access to your systems than most attackers need. Kernel-level hooks. Ring-0 privileges. Telemetry pipelines that exfiltrate every process, every connection, every file hash — to infrastructure you don't control.


20,736 impressions. 21 comments. The security industry's nerve, exposed.


The comments split into four camps: a backup vendor, an MSP reseller, a Palo Alto evangelist, and a DNS security founder. Each one validated the thesis in a way they didn't intend. Let me show you.


Camp 1: The Backup Guy



John Quinn runs Object First, an immutable backup appliance company acquired by Veeam in January 2026. His product uses S3 Object Lock to make backups tamper-proof. He defended "enterprise-grade pricing" in the thread.


Here's the problem: Object First isn't security. It's insurance. It protects your backups *after* you've already been breached. The appliance itself is a Linux box with a network interface sitting inside your perimeter — which means it's another attack surface, not a reduction of one.


S3 Object Lock is an AWS feature anyone can enable. Object First wrapped it in proprietary hardware and charges enterprise rates for it. When Veeam acquired them, it wasn't because immutable backups are hard — it's because backup is a commodity racing to zero margin, and hardware markup is how you fight that race.


Quinn's product answers the wrong question. The question isn't "how do I survive ransomware?" It's "why does my EDR vendor have the kernel access that makes ransomware catastrophic?"


Camp 2: The Reseller



Perry L. runs Remote Support Systems, an MSP selling managed MXDR stacks. He claims "world class MXDR, zero trust architecture" for under $100 per user per month. He called my post "AI slop."


Let's do the math. A 500-person org pays Perry $600,000 a year. For that money, Perry installs someone else's kernel agent on every endpoint, connects it to someone else's SIEM, and watches someone else's dashboard. The "M" in MXDR means a human watches alerts. The "X" means agents installed everywhere. Both are liabilities, not features.


When CrowdStrike pushed a bad channel file on July 19, 2024, and bricked 8.5 million Windows machines, every MXDR provider running CrowdStrike was equally down. The "managed" part didn't help. The "extended" part meant the blast radius covered everything — endpoints, servers, cloud workloads, the lot.


Perry called it "AI slop" because the post threatens his margin. If customers realize the kernel agent IS the risk, they stop paying $600K a year for someone to watch it blink.


Camp 3: The Surveillance Platform



Chris Tillett evangelizes Palo Alto's Cortex XSIAM — their AI-driven SOC platform. His pitch: "Triple the EDR telemetry plus enriched firewall logs." 2,900 ML models. Ingests competitor telemetry. Their framework is NICE: Network, Identity, Cloud, Endpoint.


Read that again. XSIAM ingests your EDR telemetry, your firewall logs, your identity provider data, your cloud configuration, AND your competitors' telemetry. If you're running CrowdStrike and Palo Alto, Palo Alto sees what CrowdStrike sees on your endpoints. Think about that from a data sovereignty perspective.


2,900 ML models means 2,900 opaque decision functions you cannot audit. Your security posture is determined by algorithms trained on data you contributed but don't own. And XSIAM requires Cortex XDR agents on every endpoint — the same kernel-level access that made CrowdStrike a single point of failure for global infrastructure.


Chris engaging with my post was ironic. His product IS the thing I described. XSIAM is the thesis made manifest: give us all your security data and trust our AI. If XSIAM is compromised, the attacker gets everything — endpoint telemetry, firewall state, identity mappings, cloud config, and whatever they harvested from your other vendors' agents.


Palo Alto had their own firewall zero-day exploited in the wild last year — CVE-2024-3400, a command injection in PAN-OS GlobalProtect. The vendor was the attack surface. Literally.


Camp 4: The One Who Gets It



Tom Byrnes founded ThreatSTOP in 2009. DNS-layer threat intelligence. Network policy enforcement via DNS Response Policy Zones. Four patents. Army veteran.


Here's what's different: ThreatSTOP doesn't need kernel agents. DNS blocking works at the network level. RPZ is an open standard — you can audit every rule. The threat intel is delivered to your infrastructure, not extracted from it. Your data stays yours.


Byrnes has been doing this for 17 years, which means he predates the entire EDR gold rush. He watched the industry pivot from network-level controls to endpoint agents and knew what that meant: every vendor would eventually have root on every machine, and eventually one of them would prove why that's a terrible idea.


CrowdStrike proved it on July 19, 2024. Byrnes had been right for 15 years.


What We Built Instead



DugganUSA runs three production services on Azure for roughly $500 a month. Our analytics container is 140 megabytes. We publish threat intelligence via STIX/TAXII — open standards that your infrastructure consumes without giving us access to anything.


275 consumers in 46 countries pull our STIX feed. We have never had kernel access to any of their machines. We have never ingested their telemetry. We don't know what processes they run, what files they hash, or what connections they make. That's the point.
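The two open-standard pieces mentioned in this post, a STIX/TAXII feed that the consumer pulls and DNS Response Policy Zones that the consumer enforces on its own resolver (Camp 4), fit together as one pipeline, and the point of both is that every rule is readable before it is applied. The Python below is an added illustration of that pipeline and is not DugganUSA's feed code or ThreatSTOP's product. The STIX 2.1 bundle, its ids, the domains, the `status.c2.example` exception and the zone name `rpz.local.` are all constructed placeholders. It reads domain-name indicators out of the bundle (skipping revoked ones and non-indicator objects), renders them as RPZ records, and then evaluates query names against the resulting policy so you can see which rule fired and why.

```python
"""Consume a STIX 2.1 indicator bundle and enforce it as a DNS Response Policy Zone.

Added example, not DugganUSA's or ThreatSTOP's code. The bundle is constructed
sample data and rpz.local. is a placeholder zone name.
"""
from __future__ import annotations

import json
import re

# Constructed STIX 2.1 bundle: two live indicators, one revoked indicator, and one
# non-indicator object that a consumer must ignore. Every id is a placeholder.
_TS = "2026-03-01T00:00:00.000Z"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "created": _TS, "modified": _TS,
         "id": "indicator--00000000-0000-4000-8000-0000000000aa", "valid_from": _TS,
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example']"},
        {"type": "indicator", "spec_version": "2.1", "created": _TS, "modified": _TS,
         "id": "indicator--00000000-0000-4000-8000-0000000000bb", "valid_from": _TS,
         "name": "constructed phishing hosts", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login.bad.example' OR domain-name:value = 'CDN.bad.example.']"},
        {"type": "indicator", "spec_version": "2.1", "created": _TS, "modified": _TS,
         "id": "indicator--00000000-0000-4000-8000-0000000000cc", "valid_from": _TS,
         "name": "constructed stale indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.example']", "revoked": True},
        {"type": "identity", "spec_version": "2.1", "created": _TS, "modified": _TS,
         "id": "identity--00000000-0000-4000-8000-0000000000dd",
         "name": "constructed feed publisher", "identity_class": "organization"},
    ],
})

# Only the domain-name comparison of a STIX pattern is consumed here; other observable
# types (ipv4-addr, file:hashes, ...) belong to other enforcement points.
DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")

# RPZ encodes the action in the CNAME target: "." means NXDOMAIN, "rpz-passthru." means allow.
ACTIONS = {".": "nxdomain", "rpz-passthru.": "passthru"}


def extract_domains(bundle_json: str) -> list[str]:
    """Return the domains named by live, stix-typed indicators, lower-cased and deduplicated."""
    seen: set[str] = set()
    out: list[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked", False):
            continue  # a revoked indicator must drop out of enforcement
        for raw in DOMAIN_RE.findall(obj.get("pattern", "")):
            name = raw.lower().rstrip(".")
            if name and name not in seen:
                seen.add(name)
                out.append(name)
    return out


def to_rpz_zone(blocked: list[str], allowed: tuple[str, ...] = (), origin: str = "rpz.local.") -> str:
    """Render a zone file. Owners are relative to $ORIGIN, so 'c2.example' becomes
    c2.example.rpz.local., which is how RPZ encodes a QNAME trigger. The wildcard row
    extends the block to subdomains; passthru rows are exact-name exceptions."""
    lines = [f"$ORIGIN {origin}", "$TTL 300",
             f"@ SOA ns.{origin} hostmaster.{origin} 1 3600 600 86400 300",
             f"@ NS ns.{origin}"]
    allow_set = {a.lower().rstrip(".") for a in allowed}
    for name in sorted(allow_set):
        lines.append(f"{name} CNAME rpz-passthru.")
    for name in blocked:
        if name in allow_set:
            continue  # an explicit local exception wins over the feed
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def load_policy(zone_text: str) -> dict[str, str]:
    """Read the CNAME policy rows back out of the zone text (owner -> target)."""
    policy: dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(("$", "@")):
            continue  # directives, SOA and NS rows carry no policy
        owner, rtype, target = parts
        if rtype == "CNAME":
            policy[owner.lower()] = target
    return policy


def evaluate(qname: str, policy: dict[str, str]) -> tuple[str, str | None]:
    """QNAME-trigger lookup: an exact owner wins, else the closest enclosing wildcard.
    Returns (action, matched_rule); 'no-match' means the resolver answers normally."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return ACTIONS[policy[name]], name
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return ACTIONS[policy[wildcard]], wildcard
    return "no-match", None


def build_sample_policy() -> dict[str, str]:
    """Wire the pieces together on the constructed bundle, with one hypothetical exception."""
    zone = to_rpz_zone(extract_domains(SAMPLE_BUNDLE), allowed=("status.c2.example",))
    return load_policy(zone)


if __name__ == "__main__":
    print(to_rpz_zone(extract_domains(SAMPLE_BUNDLE), allowed=("status.c2.example",)))
    policy = build_sample_policy()
    for q in ("c2.example", "beacon.c2.example.", "status.c2.example", "old.example", "example.org"):
        print(q, "->", evaluate(q, policy))
```

Running the script prints the zone text and then the verdict for each query: the exact name `c2.example` and the subdomain `beacon.c2.example` both resolve to NXDOMAIN, the local `status.c2.example` exception returns passthru because an exact owner beats the `*.c2.example` wildcard, and the revoked `old.example` indicator never reaches the zone at all. The zone text is the whole policy; there is nothing running on the endpoint and nothing the feed publisher can see about which queries matched.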


Our auto-blocker processes over a million block events. Our IOC index tracks 938,000+ indicators. We cross-reference four government document corpora — 10.8 million documents — to surface threat patterns. All of this runs on three containers, one VM, and Meilisearch.


No kernel agents. No telemetry harvesting. No 2,900 opaque ML models. No $600K annual invoices.


The security industry convinced everyone that protection requires surveillance. That the only way to defend your systems is to give a vendor the keys to them. CrowdStrike proved that wrong at industrial scale, and the industry's response was to sell you a bigger, more expensive version of the same architecture.


The Question Nobody Wants to Answer



Every CISO should ask their EDR vendor one question: "If you are compromised, what does the attacker get?"


If the answer includes "kernel-level access to every endpoint," "real-time telemetry from every process," or "the ability to push arbitrary code to every machine in our fleet" — you don't have a security vendor. You have a pre-positioned threat actor who sends you a bill every month.


The 8.5 million machines that went down on July 19 weren't attacked by a nation-state. They were attacked by a vendor update. The only difference between a supply chain attack and a bad vendor push is intent. The blast radius is identical.


Your security vendor has root. Now what?





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*

 
 
 
