
2022 in Review (and what's to come)

Most security vendors close out a year by counting what they caught. When LimaCharlie's team gathered to review 2022, they spent the hour arguing that catching things was never really the point. Ross Haleliuk, the company's head of product, put it plainly when the conversation turned to visibility: "by default, like, we don't promise to keep anybody safe, we don't promise to stop, like, 100 zero days, APTs, breaches, ransomware." For a security company, that is close to heresy. But it is the idea the whole session is built on. If no vendor can honestly promise safety, the work shifts from selling outcomes to handing operators the tools and the visibility to produce their own. Read that way, almost everything the team shipped in 2022 becomes an argument for the same thing: security you own rather than security you are sold.

Infrastructure beats product when complexity keeps climbing

Maxime Lamothe-Brassard, co-founder and CEO, does not describe LimaCharlie as a product at all. He describes it as infrastructure, built the way AWS builds compute: self-serve, usage-based, scale up or scale down, with chunky security capabilities layered on top and exposed as infrastructure as code. The reasoning behind that choice came out most sharply from Haleliuk, who argued that the right way to think about it is to ask what the industry will look like ten or twenty years from now. In that timeframe, he said, it is very unlikely that every company's environment will run on 600 different tools all stitched together, simply because that approach cannot scale. Complexity only ever increases. Under those conditions, what an organization needs is the ability to control its own posture in a way that makes sense to it, rather than the way a vendor decided to build for all its customers at once.

That same logic explains why a baseline vendor layer is never enough. Haleliuk granted that broad coverage will still exist, the way antivirus still exists today, but insisted it is "still important, it is just not enough." His conclusion is uncomfortable for the industry he sells into: the future will not be built by a few vendors magically solving all the problems. It will be built by the people inside organizations who have something to lose and the talent to defend it.

Accessibility as a precondition, not a slogan

If operators are going to own their security, they first have to be able to get their hands on the tools. Haleliuk kept returning to how strange it is that you can sign up for Twilio or PagerDuty, see the pricing, and be running in minutes, while most security products still demand a gauntlet of demos and mandatory minimums before you can even evaluate them. In 2022 the team pushed against that friction with transparent pricing, a pricing calculator anyone can run against their own deployment, and a demo tenant configuration that onboards a sensor, ingests telemetry, applies detection and response rules, and generates detections with a couple of clicks. He was careful that this is not a "product-led growth" slogan. The point is that accessible tooling lets aspiring professionals learn before they enter the field, lets engineers evaluate before they buy, and lets people build side businesses. For an MSSP or MDR, the same accessibility is the difference between proving value to a prospect in days and losing them to a quarter of procurement friction.

Ownership shows up in the unglamorous places

The cleanest evidence for the ownership thesis is not a flagship feature. It is the plumbing. Matt Bromiley, the lead solution engineer, spent his time on telemetry ingestion, which sounds dull until you notice what it implies. Saying "we integrate with Microsoft Defender" quietly hides every question that actually matters: how often logs get pulled, whether you get alerts or raw events, how verbose the stream is, what it costs to store. Customers in 2022 pushed the team toward specific fields, time parameters, and severity levels, and the result is that an integration which would normally be a months-long effort becomes, on LimaCharlie's side, a modal window with three fields. Once a source is in, its data becomes a first-class object you can write rules against, the same as native sensor data. Lamothe-Brassard described taking a well-known third-party product a prospect already uses and turning it into a streamlined, first-class telemetry source in three or four days.

The deeper commitment is that the ingestion path itself is open. Rather than publish a fixed integration list and make customers wait three to six months, and gather enough votes, for the source they need, the team open sourced what it calls the universal sensor protocol, a Go client over WebSocket and JSON. If you need an unsupported source tomorrow, you build it yourself instead of waiting on a roadmap. Normalization carries the same logic. Third-party EDR data, whether Carbon Black or CrowdStrike, gets mapped into a common EDR format while the original payload is always preserved, so a company that acquires one firm on Carbon Black and another on CrowdStrike can keep applying the same detection rules without re-engineering anything. Joe, who leads the company's research, called this making security posture portable: an analyst's two years of tuning becomes code that survives a job change or an acquisition.
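What "mapped into a common format while the original payload is preserved" looks like in practice, as an added example that is not LimaCharlie's code and not the real Carbon Black or CrowdStrike schemas: two vendor-shaped events are projected onto one constructed common schema, the raw event rides along under `original`, and a single rule written against the common fields runs over both. The vendor field names, the common field names and the sample events are all assumptions made for the demo.

```python
# Added example (not LimaCharlie's code): map two vendor-shaped EDR events onto
# one common schema, keep the original payload, and run a single rule over both.
# Vendor field names are constructed for this demo, not the real Carbon Black or
# CrowdStrike schemas; the common field names are an assumption as well.
from typing import Any, Callable

# Constructed sample events in two different vendor shapes.
CB_EVENT = {
    "vendor": "carbonblack-like",
    "device_name": "acct-ws-07",
    "process_path": "C:\\Windows\\System32\\rundll32.exe",
    "process_cmdline": "rundll32.exe C:\\Users\\Public\\upd.dll,Start",
    "parent_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "event_ts": 1669900000,
}
CS_EVENT = {
    "vendor": "crowdstrike-like",
    "ComputerName": "fin-ws-12",
    "ImageFileName": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
    "ParentBaseFileName": "explorer.exe",
    "timestamp": "1669900123",
}

# One mapping table per source: common field -> where it lives in that vendor's
# event. Rules only ever see the common fields, so onboarding a new source means
# adding a table here, not touching any rule.
MAPPINGS: dict[str, dict[str, str]] = {
    "carbonblack-like": {
        "hostname": "device_name", "file_path": "process_path",
        "command_line": "process_cmdline", "parent_path": "parent_path", "ts": "event_ts",
    },
    "crowdstrike-like": {
        "hostname": "ComputerName", "file_path": "ImageFileName",
        "command_line": "CommandLine", "parent_path": "ParentBaseFileName", "ts": "timestamp",
    },
}


def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    """Project a vendor event onto the common schema; the raw event is kept untouched."""
    mapping = MAPPINGS[raw["vendor"]]  # unknown vendor -> KeyError, never a silent drop
    common: dict[str, Any] = {field: raw.get(src) for field, src in mapping.items()}
    common["ts"] = int(common["ts"])  # both vendors end up with an integer epoch
    common["source"] = raw["vendor"]
    common["original"] = raw  # the vendor payload is always preserved
    return common


Rule = Callable[[dict[str, Any]], bool]


def office_spawns_rundll32(evt: dict[str, Any]) -> bool:
    """Written once against common fields, so it applies to every mapped source."""
    child = (evt.get("file_path") or "").lower()
    parent = (evt.get("parent_path") or "").lower()
    return child.endswith("\\rundll32.exe") and parent.endswith(
        ("winword.exe", "excel.exe", "powerpnt.exe")
    )


def run_rule(rule: Rule, raws: list[dict[str, Any]]) -> list[str]:
    """Hostnames of matching events, whichever vendor emitted them."""
    return [n["hostname"] for n in map(normalize, raws) if rule(n)]


if __name__ == "__main__":
    print(run_rule(office_spawns_rundll32, [CB_EVENT, CS_EVENT]))
```

The point of keeping `original` on every normalized record is that the mapping can be wrong or lossy without the data being gone: a new rule that needs a vendor-specific field can read it from the raw payload while everything else stays portable.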

The same instinct against sprawl produced Hive, the unified configuration model. As the platform piled on Velociraptor, Atomic Red Team, historical hunting, and YARA scanning, the team saw the trap of building a one-off API for each, the path that ends with a vendor advertising 250 unrelated API pages that nobody enjoys. Hive treats a cloud-to-cloud adapter, an Office 365 audit log feed, and a wire-speed detection rule as the same underlying thing: a configuration record you apply, enable, disable, expire, and track. The payoff is that new capabilities ship faster because the management layer gets reused rather than rebuilt.

Visibility is the feature that lets you stop trusting the vendor

If safety cannot be promised, the thing a provider can actually defend to a client is coverage. That reframes the year's detection work. LimaCharlie supports its native syntax, one-click Sigma integration, and YARA scanning, alongside curated and partner rule sets from sources including SOC Prime and SnapAttack. The change Bromiley highlighted was surfacing Sigma metadata directly in the detections window, the MITRE ATT&CK tags, references, and associated groups that other platforms bury deep in a SIEM. Haleliuk pushed past metadata to the real point: the full rule content is open and editable. You can read exactly how a behavior is detected, decide a rule does not fit your environment, or layer logic to cut false positives.

This is where ownership and visibility collapse into one idea. Haleliuk granted that more vendors will eventually add context to a detection after it fires. What they still will not let you do is answer "what am I covered against, and how do I prove it" before anything fires at all. That capability turns a security professional from a recipient of alerts into someone accountable for their own coverage, the person who reads the morning's news, decides what it would mean to detect that behavior in their environment, writes the rule, and tests it.
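A rule whose full content is open is one you can read, evaluate and layer logic onto. The following is an added example, not LimaCharlie's or SigmaHQ's code: a minimal evaluator for a Sigma-shaped rule (field modifiers, OR-lists, and a `condition` expression with `and`/`or`/`not`), extraction of the ATT&CK tags and references the text describes surfacing beside a detection, and a helper that appends a filter to cut a known false positive. The rule is given as the dict a YAML loader would return; the rule, its tags, the reference URL and the events are constructed for the demo, and only the modifiers listed in `_MODS` are supported.

```python
# Added example (not LimaCharlie's or SigmaHQ's code): evaluate a Sigma-shaped
# rule, pull out its ATT&CK metadata, and layer an exclusion onto it. Rule,
# tags, reference URL and events are constructed for this demo.
import copy
import re
from typing import Any

RULE: dict[str, Any] = {  # what a YAML loader would return for the rule file
    "title": "Rundll32 Spawned By Office Application (demo)",
    "references": ["https://example.invalid/office-rundll32-writeup"],  # constructed
    "tags": ["attack.defense_evasion", "attack.t1218.011", "attack.g0016"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\rundll32.exe",
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        "condition": "selection",
    },
}

# Constructed process_creation events; the second is a benign Control Panel launch.
EVENTS = [
    {"Computer": "acct-ws-07", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\upd.dll,Start"},
    {"Computer": "fin-ws-12", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Computer": "hr-ws-03", "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"},
]

# Sigma value modifiers implemented here; comparisons are case-insensitive as in Sigma.
_MODS = {
    "": lambda v, e: v == e,
    "contains": lambda v, e: e in v,
    "startswith": lambda v, e: v.startswith(e),
    "endswith": lambda v, e: v.endswith(e),
}


def _match_field(mod: str, value: Any, expected: Any) -> bool:
    if value is None:
        return False
    if mod not in _MODS:
        raise ValueError(f"unsupported modifier: {mod}")
    return _MODS[mod](str(value).lower(), str(expected).lower())


def _match_selection(sel: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every field in a selection must match; a list of values for one field is an OR."""
    for key, expected in sel.items():
        field, _, mod = key.partition("|")
        options = expected if isinstance(expected, list) else [expected]
        if not any(_match_field(mod, event.get(field), o) for o in options):
            return False
    return True


def _eval_condition(cond: str, truth: dict[str, bool]) -> bool:
    """Recursive-descent evaluator for 'a and not b', '(a or b) and not c', ..."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""

    def parse_or() -> bool:
        nonlocal pos
        left = parse_and()
        while peek() == "or":
            pos += 1
            right = parse_and()  # always consumed, so no short-circuit on tokens
            left = left or right
        return left

    def parse_and() -> bool:
        nonlocal pos
        left = parse_not()
        while peek() == "and":
            pos += 1
            right = parse_not()
            left = left and right
        return left

    def parse_not() -> bool:
        nonlocal pos
        tok = peek()
        if tok == "not":
            pos += 1
            return not parse_not()
        if tok == "(":
            pos += 1
            val = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            pos += 1
            return val
        if tok not in truth:
            raise ValueError(f"unknown search identifier: {tok!r}")
        pos += 1
        return truth[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    det = rule["detection"]
    truth = {n: _match_selection(s, event) for n, s in det.items() if n != "condition"}
    return _eval_condition(det["condition"], truth)


def detections(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[str]:
    """Computers on which the rule fires, in event order."""
    return [e["Computer"] for e in events if matches(rule, e)]


def attack_metadata(rule: dict[str, Any]) -> dict[str, list[str]]:
    """Split attack.* tags into techniques, tactics and groups; carry references along."""
    out: dict[str, list[str]] = {"techniques": [], "tactics": [], "groups": [],
                                 "references": list(rule.get("references", []))}
    for tag in rule.get("tags", []):
        if not tag.startswith("attack."):
            continue
        body = tag[len("attack."):]
        if re.fullmatch(r"t\d{4}(\.\d{3})?", body):
            out["techniques"].append(body.upper())
        elif re.fullmatch(r"g\d{4}", body):
            out["groups"].append(body.upper())
        else:
            out["tactics"].append(body)
    return out


def add_filter(rule: dict[str, Any], name: str, selection: dict[str, Any]) -> dict[str, Any]:
    """Copy the rule, add a selection, and AND-NOT it into the existing condition."""
    tuned = copy.deepcopy(rule)
    tuned["detection"][name] = selection
    tuned["detection"]["condition"] = f"({rule['detection']['condition']}) and not {name}"
    return tuned


# The tuning step the text describes: keep the upstream rule intact, layer an exclusion.
TUNED = add_filter(RULE, "filter_control_panel",
                   {"CommandLine|contains": "shell32.dll,Control_RunDLL"})
```

`add_filter` never edits the upstream rule in place, so the original stays diffable against whatever the rule feed ships next, and the environment-specific exclusion is visible as its own named selection rather than buried in a rewritten condition.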

The cost work runs on the same instinct. Replay lets you run a detection rule against a year of retained data, with a dry run to price it first, so instead of switching on a rule set and burying analysts in days of false positives, you can baseline an environment for pennies and promote only high-fidelity findings into playbooks. Data routing with transforms lets a provider forward just the host, timestamp, and domain fields to an external Splunk or BigQuery instance instead of the full stream, sometimes a fraction of the original volume, cutting downstream spend without re-engineering agents across thousands of servers. LCQL, the query language previewed for 2023, extends Replay's engine into ad hoc queries across everything retained. Lamothe-Brassard borrowed a colleague's framing that fit the whole arc: in 2022 they made it cheaper, and next they would make it easier.
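The two cost mechanisms above, a dry run that prices a replay before it is switched on and a transform that forwards only a few fields, in an added example that is not LimaCharlie's code: retained events are scanned once with nothing alerted or forwarded, the hit count and scan cost are reported so the rule can be promoted or dropped, and a projection to dotted paths shows how much of the stream actually has to leave. The event shape, the `routing.*`/`event.*` field names, the price per megabyte and the domain heuristic are all constructed assumptions.

```python
# Added example (not LimaCharlie's code): price a rule against retained data with
# a dry run, then route only selected fields downstream. Event shape, field
# names, the per-megabyte price and the domain heuristic are constructed.
import json
import re
from typing import Any, Callable

# Constructed retained DNS events, shaped as a data lake might hold them.
RETAINED = [
    {"routing": {"hostname": "acct-ws-07", "event_time": 1669900000},
     "event": {"domain": "updates.example-cdn.net", "rtype": "A",
               "answers": ["203.0.113.5"], "ttl": 300}},
    {"routing": {"hostname": "fin-ws-12", "event_time": 1669900010},
     "event": {"domain": "a1b2c3d4e5f6.xyz", "rtype": "A",
               "answers": ["198.51.100.9"], "ttl": 60}},
    {"routing": {"hostname": "hr-ws-03", "event_time": 1669900020},
     "event": {"domain": "login.microsoftonline.com", "rtype": "A",
               "answers": ["20.190.0.1"], "ttl": 120}},
    {"routing": {"hostname": "acct-ws-07", "event_time": 1669900030},
     "event": {"domain": "9f8e7d6c5b4a.xyz", "rtype": "TXT", "answers": [], "ttl": 30}},
]

Event = dict[str, Any]
Rule = Callable[[Event], bool]


def get_path(obj: Event, dotted: str) -> Any:
    """Fetch a nested value by 'a.b.c' path; missing keys yield None rather than raise."""
    cur: Any = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Constructed heuristic for the demo, not a real DGA detector: 12 hex chars under .xyz.
_DGA_LIKE = re.compile(r"^[0-9a-f]{12}\.xyz$")


def dga_like_domain(e: Event) -> bool:
    return bool(_DGA_LIKE.match(get_path(e, "event.domain") or ""))


def _json_bytes(obj: Any) -> int:
    return len(json.dumps(obj, separators=(",", ":")).encode())


def replay_dry_run(rule: Rule, events: list[Event], price_per_mb: float) -> dict[str, Any]:
    """Scan retained events once, count hits and price the scan; nothing is alerted."""
    scanned = sum(_json_bytes(e) for e in events)
    hits = [get_path(e, "routing.hostname") for e in events if rule(e)]
    return {
        "events_scanned": len(events),
        "matches": len(hits),
        "match_rate": len(hits) / len(events) if events else 0.0,
        "hosts": sorted({h for h in hits if h}),
        "estimated_cost": round(scanned / 1_000_000 * price_per_mb, 6),
    }


def route_transform(events: list[Event], keep: list[str]) -> tuple[list[Event], float]:
    """Project each event to the kept dotted paths; return the slim stream and size ratio."""
    slim = [{path: get_path(e, path) for path in keep} for e in events]
    full_bytes = sum(_json_bytes(e) for e in events)
    slim_bytes = sum(_json_bytes(s) for s in slim)
    ratio = round(slim_bytes / full_bytes, 3) if full_bytes else 0.0
    return slim, ratio


if __name__ == "__main__":
    print(replay_dry_run(dga_like_domain, RETAINED, price_per_mb=0.10))
    slim, ratio = route_transform(RETAINED, ["routing.hostname", "routing.event_time",
                                             "event.domain"])
    print(ratio, slim[1])
```

The dry run returns a match rate rather than a verdict because that is the number an operator uses to decide: a rule that fires on half of a year's retained events is a baseline to tune, not a playbook to promote. The transform is a pure projection, so the full stream stays where it is and only the slimmed copy is billed by whatever sits downstream.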

Strip away the feature list and the year tells one story. The future the team keeps describing is not a smarter vendor catching more attacks. It is transparency, control, scale, and innovation handed to the operator, the pipes and the rules engine and the agent exposed so a provider can see its own coverage, run it across every client, and build on top of it. For an MSSP or MDR, that is the whole proposition. You are not buying a promise of safety no one can keep. You are buying infrastructure you can open, audit, and make your own.
