For an industry obsessed with breach reports, ransomware dashboards and post-mortems, Wendy Nather is making a simple but uncomfortable argument: we’re learning from the wrong stories.
On CYBR.SEC.CAST Episode 66, Nather shifts the spotlight away from catastrophic failures and toward something far more common and arguably more valuable: the near-miss.

These are the incidents that almost turned into breaches, the attacks that got one step too far – but not all the way. The moments where a single decision, a trained employee, or a lucky break stopped what could have been a disaster.
And yet, almost no one talks about them.
“That one thing saved the day,” Nather explains. “But what can we learn from how it escalated to that point and how it got stopped?”
That question was explored in “Less Blood, More Bits,” a talk she gave at RSAC 2026 with Bob Lord. The premise is simple: cybersecurity has built an entire learning ecosystem around failure, while ignoring the far more frequent and actionable signals of success.
High-profile incidents like WannaCry or major supply-chain attacks offer visibility, but they don’t represent the daily reality of defenders. What’s missing is the invisible layer of defense, the thousands of attacks stopped before they become headlines.
Those stories carry a different kind of intelligence.
In one example Nather shares, organizations using the same vulnerable software were quietly exchanging threat intelligence. Two were hit with ransomware. A third, learning from their experience, deployed a protective control just in time, giving them a critical seven-hour advantage over the attacker.
Breaches are forced into the open by regulators, customers, or attackers themselves. Near-misses, on the other hand, remain buried inside organizations, often treated as internal close calls rather than industry-wide lessons.
There’s also the issue of trust.
Formal threat-sharing mechanisms like ISACs play an important role, but Nather points out that much of the most valuable intelligence still flows through informal, relationship-driven networks — what she calls “steak and ale ISACs.” These are the off-the-record conversations where real details get shared between trusted peers.
Efforts to automate or anonymize threat sharing often fall short because organizations want to consume intelligence but hesitate to contribute. Legal concerns, reputational risk, and simple paranoia all play a role.
That tension has left the industry stuck. We know sharing works, but we haven’t figured out how to do it at scale without losing the trust that makes it valuable in the first place.
Nather argues that organizations must start treating near-misses as first-class learning opportunities. Even if they’re shared privately, the lessons matter, from how attacks progress and where defenses hold to which small decisions make the biggest difference:
The help desk analyst who pauses on a suspicious request.
The engineer who patches just in time.
The team that acts on intel hours before an attacker arrives.
These aren’t headline-grabbing moments, but they’re the ones keeping organizations out of the headlines. If the industry wants to get better, Nather suggests, it’s time to start paying attention to them.
