There are two parallel threads.
The first thread was learning how analysis breaks down. Scientists use analysis all the time to explain natural phenomena. This works out great because the laws of physics don’t change. (Not that we know of, at least.) Analysis techniques like signal detection and hypothesis testing worked so well in the physical sciences, people started applying them to other fields. Fields like natural language processing, hedge fund trading, and eventually cybersecurity. The problem was that the analysis techniques always depended on an underlying model… and the models changed. Fields of study that involve humans always seemed to have models that changed on a regular basis. People are unpredictable — go figure! So when we wonder why our security methods don’t work, it’s because our adversaries work very hard to break our models of security.
The second thread was military operations. I have a military background and learned fairly quickly that plans, while a good exercise for preparation, do not hold up under contact with the enemy. The funny thing — the enemy wants your plans to fail. Better yet, the enemy is constantly trying to trick you. Simple analysis, while a good tool, never is enough when facing a determined adversary.
Mixing these two threads together gives us an “interactive defense” that allows us to “change the battlefield,” “influence and expose malicious intent and intruder” and “expel malicious actors.”
That is, we can deploy information technology tools that actively deceive attackers. Things like this have been around for a while and have been used by experts in the field of cybersecurity. The problem is that these kinds of solutions are a lot of work to set up and maintain, and the solutions are usually very fragile.
I wanted a platform that would let me easily and quickly (in 5 minutes or less) deploy a massive armada of phantoms, and I did not want to have to configure or maintain this stuff. I wanted to overwhelm any adversary with the push of a button. Ridgeback was the answer to my problem.
Ridgeback, a unique and innovative Enterprise Security Platform, allows me to deploy any sort of interactive defense at an incredibly large scale. I can now completely overwhelm even the most sophisticated adversary by simply typing “start-ridgeback.” Better still, I can even run it on my laptop.
Ridgeback transforms cybersecurity from interpretation to evidence, from alerts to consequences, and from reaction to control. These testimonials make clear that once organizations see the ground truth of their own networks, the decision to deploy Ridgeback often becomes very easy.
“Much of the time the customer does not believe what Ridgeback is showing… but in every instance, after analysis, Ridgeback is always shown to be correct.”
Traditional tools rely on inference: logs, heuristics, and delayed analysis. Ridgeback presents direct observation of network behavior as it occurs. When the data challenges long-held assumptions, Ridgeback consistently proves accurate because it is not guessing; it is watching the network operate in real time.
This is the difference between analytics and evidence.
Security failures are often not the result of malware, but of invisible architectural flaws. In this case, Ridgeback revealed an unintended trust path that allowed firewall bypass, something no log-based tool detected.
The discovery was material enough to drive an immediate purchasing decision, underscoring Ridgeback’s value not as a theoretical control, but as a decision-forcing instrument.
NAC is complex, brittle, and fundamentally permissive. Once a device is admitted, NAC largely stops protecting the environment. Ridgeback operates differently: it continuously monitors and defends Layer 2 segments after access is granted, where most lateral movement occurs.
This fills a structural gap present in virtually every modern network.
Ridgeback’s Phantom-based architecture ensures that reconnaissance, enumeration, and mapping cannot occur quietly. Any attempt to explore the network triggers immediate engagement. This is not detection after the fact; it is interruption at first contact.
The attacker is denied freedom of maneuver from the outset.
Most security tools generate alerts and wait for humans to respond. Ridgeback acts immediately, disrupting adversary activity while defenders assess the situation using real, verified data. This compresses dwell time, reduces panic, and replaces guesswork with certainty.
It is automated defense that buys decision-quality time.
Operational friction kills security initiatives. Ridgeback’s ease of deployment enables teams to move quickly from visibility, to cleanup, to policy enforcement, all without lengthy tuning cycles or fragile dependencies.
Simplicity here is not cosmetic; it is operational leverage.
This endorsement comes from decades of hands-on experience, not marketing theory. Ridgeback is not another AI-driven analytics engine; it is a fundamentally different defensive approach based on direct observation, interaction, and consequence.
Ridgeback is not positioned as a replacement for AI-driven tools, but as the truth layer they lack. By feeding AI systems with verified, high-fidelity signals instead of noisy inference, organizations dramatically improve defensive outcomes.
AI is strongest when facts are available to evaluate it.
Most organizations assume they understand their internal network behavior because they have firewalls, NAC, EDR, or SIEM. But realistically, those do not provide continuous, real-time visibility into Layer 2 activity—where unmanaged devices, misconfigurations, and lateral movement happen. Ridgeback exposes the ground truth of what is actually happening on every VLAN, instantly.
This transition from assumed visibility to factual visibility is often the moment when hidden risk becomes identifiable and therefore addressable.