Why we stayed single-model on the LLM layer — and what we built instead
One good model in a 20-detector consensus beats two models carrying 60% of the verdict.
Long-form write-ups of the architectural decisions behind each shipped release — what we built, why we chose one approach over another, and what happened when it met production traffic. New articles land here after the release they describe is live.
An account-takeover case study, and the identity-to-email signal bridge that closed the gap.
Audit logs are not evidence. The difference between the two is a cryptographic chain, a legally-operative custodian record, and a destruction record that is itself audit-chained and independently verifiable.
Detection quality is a function of what a SIEM can ingest, not what a vendor can POST.
Compliance scores have a problem: a number on its own does not tell you whether you are above or below the line. A letter does.
Where Microsoft's built-in retention stops, what falls through the gap, and what an MSP actually needs to defend a POPIA Section 22 event.
Whole-mailbox restore is the disaster-recovery answer to a granular problem. The threats most MSPs face in 2026 need a different unit of recovery.
Click-through rates went from 12% to 54% in a single product cycle. Detection has not kept pace. What MSPs actually need to layer in.
The CEO-fraud playbook is no longer typos and Hotmail addresses. Pattern matching against known-bad signatures lost the engagement in 2024.
The compromise-first, phish-second pattern is the modern attack chain. Defenders who watch only one signal at a time are seeing one frame of a film.
Credentials stolen on Tuesday, mailbox accessed on Wednesday, BEC sent on Thursday. The 22-second handoff is the new asymmetry — and the bridge between identity and email is how MSPs close it.
Microsoft Entra Conditional Access is a power tool with a sharp edge. Production is the wrong place to learn how the edge works.
Defender's identity protection covers the basics. The advanced patterns — token replay, brute-force-at-scale, federated-domain spoofing — need a layer above.
USD-denominated SaaS, 15% VAT, R/USD volatility, plus the "global" premium. The real M365 backup bill for a SA MSP rarely matches the marketing landing page.
Identity threat detection, drift, license analytics, conditional-access What-If. The global price is broken; SA-resident pricing is roughly a third of that.
POPIA Section 72, where master keys actually live, and what data residency means when the regulator asks for proof.
Single-classifier email security has a blind spot in every direction it does not look. Consensus across thirteen independent engines, plus DMARC AI in the same chain, closes the seams.
Microsoft's native Entra Backup and Recovery covers a useful baseline. There is still a gap above that baseline — drift, simulation, cross-tenant operations, identity threat correlation — that an MSP at scale has to fill some other way.
Stack consolidation is sold as cost savings. Sometimes that is true. Sometimes it is a lock-in trade dressed as a discount. The honest answer requires per-seat math, MCS-floor disclosure, and a clear view of where integration boundaries actually break.