From Idea to SaaS Product: How Our Team Built a Cybersecurity Product and the Rise of Platform MDRs Part 1

We live in a world that has excellent managed detection and response (if you pick the right partner). We have democratized threat hunting as we know it! As a result, we see the emergence of "platform Managed Detection and Response (MDR)s," a term I made up. Think of platform MDRs as any security provider who has built their own SaaS platform to deliver security, has an API, and doesn't rely on off-shelf SIEM to deliver services.

The emergence of platform MDRs, and APIs to tie into, opened the door to new possibilities, which is where Forecheck comes in. Our idea was "simple." MDRs generate incidents to clients, which in turn have to act on them, but MDR providers will only go so far. They want to deliver the best detection and response, but they won't go beyond detection with some containment and disruption.

Here lies the problem:

• Your MDR is 24/7, but you are not.
• Your MDR delivers the incident, but you have to act on it.
• Your MDR might contain an endpoint or account, but it won't connect to your entire stack, or on-prem things like Active Directory, to do things.
• Your MDR might not deliver validated incidents, so you have to investigate them further.
• Your MDR might not deliver any 'lessons," but you have to figure out how to stop the incident from happening again.
• Your MDR might provide guidance on a technical change you need to make, but they won't walk you through it or do it with you.
• Your MDR won't provide any long-term resilience, but you have to find it online.

So, I thought, what if we could do all that while making our MDR partners more sticky and more awesome? They could continue to focus on being the best at detection and response, and we could focus on being the best at containment, remediation, and resilience.

Consequently, as a rule and to not compete with our partners, we decided very early:

• We do not do any detection.
• We operationalize the incident lifecycle the same way your internal team would.
• We map resilience to incidents delivered.
• We provide clients a mechanism to get a hands-on implementation of the delivered resiliences.

Our logic was that our partners' primary focus is catching the bad guys, not cleaning up after them. To use an analogy, the police catch the burglars. They won't fix what they broke or install a better lock system to stop them next time.

So that naturally led to the question: what if we had a platform? A SaaS platform that ingested incidents 24/7 in real-time from MDRs, connected to your entire security stack, both cloud and on-prem, operationalized the entire incident lifecycle, and, at the end, provided you lessons (resilience) on how to be better (or do it for you).

And so Incident Lifecycle Remediation and Resilience was born. Okay, great, we have an idea. How can we turn an idea into an actual product? Is there even a market for this thing?

Answering if there was a market for our product was the most crucial question, but we had a lot of great insight to help provide us an answer. Ironically, we knew a market existed for this product because we were already delivering a minimum viable product (MVP) form of Incident Lifecycle and Remediation to over 20 existing clients. We were doing this manually, without automation, dashboards, product, integrations, or scalability.

To put it differently: a minimum viable product is not a product, it's a process. So, we had the process down, now let's go build the product!

‍

If you're looking for the nitty-gritty discussions around REST vs. gRPC, or why we picked Golang, check out Part 2, to follow.

‍