Pillars of Threat Blocking-as-a-Service


As seen on Cybersecurity Insiders

There are two indisputable facts about the cybersecurity industry right now. One, we are still in the middle of a massive staffing crisis. Two, one of the biggest drivers of this staffing crisis is burnout of security professionals.

A recent study indicates up to 84% of cybersecurity professionals are experiencing burnout. Personally, I was surprised that number wasn’t closer to 100, given what these men and women face on a day-to-day basis.

The past three years have been the gift that keeps on giving to threat actors. Threat surfaces widened with the rise of remote and hybrid work, networks became more vulnerable, and breaches became big business on the dark web.

The technologies we deploy to protect our data have been overwhelmed by a flood of malicious traffic and security teams are forced to respond to more and more alerts from more and more tools, worried that one misstep could result in disaster. Security professionals are not set up for success, which explains why there are 3.4 million cybersecurity roles unfilled worldwide. This is unsustainable.

We can’t keep throwing more of the same kinds of security technologies onto our networks and expecting different results. Threat Blocking-as-a-Service (TBaaS) gets you different results.

Instead of chasing after ever-changing attacks and threats, TBaaS focuses on known threat actors.This model blocks traffic entering the network as well as calls and traffic back out, all autonomously. Importantly, this type of enforcement can only be accomplished by leveraging massive amounts of cyber intelligence to get the clearest picture possible of who the threat actors attacking our networks, users, and data are.

The impact of TBaaS to networks and their security teams is felt instantaneously. We know that 30-50% of the traffic hitting a security stack is coming from IP addresses of known threat actors. Blocking this results in an immediate increase to your security posture while providing a significant boon to the performance of the rest of the security stack. This also eases the pressure on security teams significantly.

The idea of TBaaS – using cyber intelligence to block known threat actors from entering or exiting the network – is so simple that people assume their security stack technologies are already doing that. Unfortunately, without TBaaS, they aren’t. Threat Blocking-as-a-Service stands on five pillars that make it effective:

  • Visibility
  • Risk management
  • Consolidation
  • Budget

Every other tool in the modern security stack might have one, two, or maybe three of these assets, but TBaaS is the only one that combines all of them. Let’s dive into why this holistic approach makes such a difference.


The threats coming in and out of our networks are constantly changing. Where we patch for one type of attack, threat actors deftly evolve more, each time adding layers of obfuscation and complexity. Most of these threat actors are well-funded – often by nation-states – which is of course why they have the resources to inflict such harm and adapt their methods so rapidly.

However, the constant in this discussion is not the “what” of the attacks but rather the “who.” Who are sending these attacks? And where are they?

The cyber intelligence community is comprised of government, open source, and private enterprises who research answers to those two pivotal questions. The TBaaS model is based on the idea of “the more intelligence the better” and ingests intelligence feeds and lists from anywhere with up-to-the-minute updates. This provides as much visibility as possible into the threat landscape, which in turn allows for significant network, user, and data protection.


Currently, the majority of threat intelligence is leveraged in the “detect/respond/recover” functions of a security stack. Make no mistake: utilizing threat intelligence in this space is essential. However, failing to leverage the full power of threat intelligence ahead of a breach has left systems open to breaches. As such, TBaaS is very much a “left of boom” technology.

Utilizing massive amounts of cyber intelligence to block traffic to and from known threat actors is the true defense for any network, and the second pillar of TBaaS.

Risk management

One of the most pivotal concepts in cybersecurity is redundancy: we create overlapping protections so one piece’s failure doesn’t mean system failure. For decades, however, the “identify and protect” piece has been filled by one single technology: the firewall. Firewalls were never built to handle either the amount of traffic thrown at them nor the amount of encrypted traffic they would have to parse.

The TBaaS model instead welcomes other tools and technologies, but also reduces risk by creating a true protection model.


No matter how great all your technologies are, if they aren’t talking to each other you’re headed for disaster. Another pillar of TBaaS is the consolidation of information: not just ingesting and acting on cyber intelligence, but also feeding its own actions and logs into the rest of the security stack to utilize. This type of data consolidation can reduce multiple alerts as well as aid in the “detect/respond/recover” phases if an unknown threat makes its way into the network.


One of my colleagues loves to ask people when making cybersecurity budget decisions: what is your budget for ransom? Because the truth is, unless you’re actively blocking known threat actors, it’s not a matter of if a breach happens, but when, and how often.

Cybersecurity budgets are tight, which is why another pillar of the TBaaS model is budgetary value. Of course, the solution itself should be affordable, but it also alleviates other issues causing budget headaches.

  • Autonomous. Operates and updates without the need for staff to monitor, reducing the strain on the security staff.
  • Reduce known-bad traffic hitting the security stack. Optimizing performance for the rest of the security stack.
  • Reduce alerts. This also helps relieve the burden placed on expensive in-house cybersecurity staff, as well as help to avoid alert fatigue.

Clearly, what we’re doing as an industry isn’t working very well. Threat Blocking-as-a-Service is a paradigm shift in the industry to solve that conundrum. Sometimes it’s the simplest solutions that we can’t believe we weren’t already doing. By focusing on stopping the threat actors, by definition you stop all of the threats they present. That is Threat Blocking-as-a-Service.