How We’re Building the Future of "Invisible Security" Feat. CPO Josh


Last month, our CTO Riz broke down the terrifying reality of the 2026 threat landscape. He explained why the attacks are winning.

Today, we sat down with our Chief Product Officer, Josh, to ask the obvious follow-up: "How do we actually stop them?"

Josh joined StrongestLayer with a specific mission: to build security that doesn't feel like security. In this deep dive, he explains why the "Department of No" is dead, why "Threats Blocked" is a vanity metric, and how his team is building an Evidence Engine that fixes problems before you even know they exist.

Here is the future of the product, in his own words.

1. The "Zero-Friction" Paradox

Q: Traditionally, security has been the 'Department of No'—adding friction to every workflow. In 2026, is it actually possible to build 'military-grade' security that doesn't slow the user down, or is that just a marketing myth?

⚡ The Short Answer

Friction isn't a feature; it's a symptom of not understanding the context. We are moving from "Block by default" to "High-confidence silence."

The Strategy

It's not a myth, but it requires a fundamental reframing. The "Department of No" existed because legacy security was rule-based and binary — allow or block — and when you're uncertain, you default to block, which creates friction.

The breakthrough in 2026 is that we now have enough contextual reasoning on threats to make high-confidence decisions silently. The friction wasn't a feature of good security, it was a symptom of insufficient understanding. When you deeply understand the threat, the sender, the recipient's role, the business context, and the behavioral patterns, you can act decisively without asking the user to make a security decision they're not qualified to make.

That said, "invisible" doesn't mean "zero interaction." There are moments where the right thing to do is surface a decision, but it should be a well-informed decision, not "hey, this looks suspicious, good luck." Our job is to eliminate the 99% of noise so the 1% that reaches a human actually deserves their attention.

2. The AI Dilemma

Q: Riz is building 'Reasoning AI,' which is powerful but probabilistic. From a Product perspective, how do you design a product that handles AI uncertainty? How do we trust an AI agent to block threats without accidentally blocking business?

⚡ The Short Answer

Never show a user a raw probability score (e.g., "73% Malicious"). Instead, show them the Evidence (e.g., "Domain registered 48 hours ago") so they can trust the decision.

The Strategy

This is the central product challenge of our generation and honestly one of the things that excites me most about what we're building. The answer is: you never expose raw probability to your customers. Nobody wants to see "73% likely malicious." That's transferring our uncertainty onto them, which is the opposite of helpful.

Instead, you design around two core principles. First is context: we translate probability into prioritisation with context. We’ve chosen a formula that outputs the financial exposure risk of each threat. The AI's confidence maps to action, not an arbitrary label.

Second, you show your evidence, not your math. This is the entire thesis behind our Evidence Engine. Instead of "we think this is bad," you say "this sender has never emailed your CFO before, the domain was registered 48 hours ago, and the reply-to doesn't match the from header; here's what that pattern costs organizations like yours." The analyst doesn't need to trust the AI's conclusion; they can see the reasoning and arrive there themselves in seconds. Trust is a product you ship incrementally.

3. The "Death of the Dashboard"

Q: We are seeing a trend where the best security tools are invisible; they just work in the background. Do you believe the future of StrongestLayer is a 'Single Pane of Glass' dashboard, or a 'Zero-UI' experience where we fix things before the user even knows?

⚡ The Short Answer

It’s both. For the employee, it’s Zero-UI (invisible). For the SOC Analyst, it’s Integration (Splunk/SIEM). For the CISO, it’s Strategy. We don't want to be another tab you have to keep open.

The Strategy

Both, but for different personas. This is a distinction many security vendors in our space get wrong.

SOC analysts need a surface. They live in Splunk, Sentinel, their SIEM of choice. Our job isn't to pull them into our dashboard, it's to push our intelligence into their workflow. That's why SIEM integration and the SOC Analyst View are core to our v3 release (due in March!). We're not building a destination; we're building an engine that powers decisions wherever those decisions are made.

For the employee clicking on email, the answer is absolutely Zero-UI. The best outcome is they never think about us. We catch the threat, we provide context only when it's a genuine teaching moment, and otherwise we're invisible. The worst thing we can do is train people to click "dismiss" on security banners 50 times a day.

For the CISO and security leadership, that's where a dashboard matters, but it's not an operational dashboard, it's a strategic one. It answers "what's my exposure," "where's my risk trending," and "what do I tell the board." Three different personas, three different surface areas, one evidence engine underneath.

4. The "Human Layer" Pivot

Q: We just brought on Simon Pople, our Principal Product Manager, who has deep roots in 'Security Awareness'. Does this signal a shift in our product philosophy? Are we trying to 'train' users better, or are we trying to design a product where user error is impossible?

⚡ The Short Answer

We aren't trying to "train" users out of existence. We are building a system where user error is survivable. Simon’s expertise helps us map "Human Risk" as a dynamic signal, not a static setting.

The Strategy

Simon spent 11 years in the security awareness space, Wombat Security Technologies through to Proofpoint, building the products that defined the category. When you're building a next-gen email security platform, you need people on the product team who deeply understand the problem. Simon understands where traditional awareness models work, where they hit their ceiling, and critically, how human risk actually behaves in practice. Click rates plateau, training fatigue is real, and today's AI-generated attacks are sophisticated enough that trained users still fall for them. You can't train your way out of a T5 Apex threat that hijacks a legitimate email thread.

What that decade of experience does produce is an understanding of human risk as a measurable, dynamic signal, and that's what we're operationalizing.

Our Threat Calculus system weighs priority based on who the recipient is, their permissions, VIP status, wire authority. That's a static profile. The next layer is dynamic human risk: the same person's susceptibility shifts based on context, workload, and time of quarter. A finance team member processing invoices during quarter-close isn't the same risk profile as that person in a quiet week. Our T1 to T5 sophistication scale then lets us map threat complexity against who in the organization would actually be vulnerable to each tier, making protection proportional and contextual, not one-size-fits-all.

So the honest answer: we're not trying to train users better, and we're not pretending user error is eliminable. We're building a product where user error is survivable, where the system understands both the threat and the target well enough to intervene at the right moment with the right evidence. The industry has treated threats and humans as separate problems for too long. StrongestLayer sits at the intersection, and that's where the entire market needs to go.

5. The Vanity Metric

Q: Most cybersecurity products sell themselves on 'Threats Blocked', a number that is easily inflated. As CPO, what is the one metric you think customers actually care about, that the rest of the industry is ignoring?

⚡ The Short Answer

"Threats Blocked" is meaningless. The real cost is the "Black Box Tax"—the time your team wastes investigating false alarms. That is the metric we are obsessed with killing.

The Strategy

Everyone in this industry sells "threats blocked." You're right - it's trivially inflatable and ultimately meaningless to a security team's daily reality. You know what actually burns out SOC analysts, erodes confidence in tools, and drives churn? Spending 20 minutes investigating an email that turns out to be a legitimate vendor, fifty times a week.

The metric nobody tracks, and the one CISOs feel in their bones, is how much of their team's time is wasted on things that weren't actually threats. That's the "black box tax." When a tool gives you an opaque severity score with no evidence, every alert becomes a mini-investigation. Multiply that across hundreds of alerts and you're watching your team burn through hours on nothing.

Our v3 release will show a customer: "Last month, your team spent an estimated 47 hours investigating emails that our evidence engine would have auto-resolved with full audit trail." That's a number that maps directly to headcount, burnout, and budget. That's the metric that closes deals and retains customers, because it reflects the actual operational pain rather than a vanity number on a vendor slide.

Final Thoughts: The End of the Black Box

Riz outlined the danger of Agentic AI, but Josh has outlined the only viable defense: Radical Transparency.

The days of "Black Box" security—where you blindly trust a vendor to block things—are over; in 2026, if a tool can't show you the evidence, it’s just guessing.

We are building a future where security is invisible to the user but instantly explainable to the analyst.

Stop paying the "Black Box Tax" on false positives and start demanding a system that thinks before it acts.

Key Concepts from this Interview

What is the "Black Box Tax" in cybersecurity?

The "Black Box Tax" is the time and money wasted by security teams investigating alerts that lack context. When a security tool blocks an email but doesn't explain why (a "Black Box"), SOC analysts have to spend hours manually verifying whether it was a false positive. StrongestLayer eliminates this tax by showing the "Evidence" upfront.

How does an "Evidence Engine" differ from a standard firewall?

A standard firewall or gateway makes a binary decision (Block/Allow) based on hidden rules. An Evidence Engine (like StrongestLayer’s) provides the human-readable reasons behind the decision—such as "Domain age < 48 hours" or "Mismatching Reply-To headers"—allowing teams to trust the AI's decision immediately.
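As an added illustration of "show your evidence, not your math" from section 2 and the Evidence Engine description above (example code written for this page, not StrongestLayer's own engine), the Python function below turns the three signals named there (first-time sender, reply-to/from mismatch, young domain) into human-readable evidence lines instead of a score. The mail-flow history and domain-registration dates are constructed stand-ins for real lookups.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr


def sender_domain(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def collect_evidence(raw_message, first_contact_log, domain_registered, now,
                     young_domain=timedelta(hours=48)):
    """Return human-readable evidence lines for one message (empty list = nothing
    noteworthy). No probability is produced: the caller shows the reasons."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"])
    _, sender = parseaddr(msg["From"] or "")
    _, recipient = parseaddr(msg["To"] or "")
    evidence = []
    # Signal 1: Reply-To routes replies to a different domain than the visible From.
    if reply_dom and reply_dom != from_dom:
        evidence.append(f"Reply-To domain {reply_dom} does not match From domain {from_dom}")
    # Signal 2: this sender has no prior history with this recipient.
    if sender.lower() not in first_contact_log.get(recipient.lower(), set()):
        evidence.append(f"Sender {sender} has never emailed {recipient} before")
    # Signal 3: the sending domain is younger than the threshold.
    registered = domain_registered.get(from_dom)
    if registered is not None and now - registered < young_domain:
        hours = int((now - registered).total_seconds() // 3600)
        evidence.append(f"Sender domain {from_dom} was registered {hours} hours ago")
    return evidence


# Constructed sample data: stands in for mail-flow history and a WHOIS/RDAP lookup.
NOW = datetime(2026, 2, 10, 9, 0)
FIRST_CONTACT_LOG = {"cfo@example.com": {"billing@trusted-vendor.example"}}
DOMAIN_REGISTERED = {"acme-invoices.example": NOW - timedelta(hours=30),
                     "trusted-vendor.example": NOW - timedelta(days=3650)}

SUSPICIOUS = """From: Accounts <ap@acme-invoices.example>
Reply-To: ap@mailbox-relay.example
To: cfo@example.com
Subject: Updated wire instructions

Please use the new account details attached.
"""

ROUTINE = """From: Billing <billing@trusted-vendor.example>
To: cfo@example.com
Subject: Invoice 1042

Attached as usual.
"""

if __name__ == "__main__":
    for reason in collect_evidence(SUSPICIOUS, FIRST_CONTACT_LOG, DOMAIN_REGISTERED, NOW):
        print("-", reason)
```

The routine vendor invoice yields no evidence lines at all, which is the "high-confidence silence" case; the constructed wire-instruction message yields three, each one checkable by an analyst without seeing any model score.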

What is "High-Confidence Silence"?

"High-Confidence Silence" is a product philosophy where the security tool only alerts the user when it is absolutely necessary. Instead of flagging every suspicious email (Low Confidence), the system uses reasoning AI to resolve 99% of threats in the background, ensuring users are only interrupted for genuine teaching moments.
