They could give a few more insights into security groups and recommendations on how to be more effective. That's getting more into the AWS environment, specifically. I'm not sure if that's Threat Stack's plan or not, but I would like them to help us be efficient about how we're setting up security groups. They could recommend separation of VPCs and the like - really dig into our architecture. I haven't seen a whole lot of that and I think that's something that, right off the bat, could have made us smarter.

Even as part of the SecOps Program, that could be helpful; a quick analysis. They're analyzing our whole infrastructure and saying, "You have one VPC and that doesn't make a lot of sense, that should be multiple VPCs and here's why." The architecture of the servers in whatever cloud-hosting provider you're on could be helpful.

Other than that, they should continue to expand on their notifications and on what's a vulnerability. They do a great job of that and we want them to continue to do that.

It would be cool, since the agent is already deployed and they know about the server, they know the IP address, and they know what vulnerability is there, for them to test the vulnerability and see if they can actually exploit it. Or, once we patch it, they could double-check that it can't be. I don't know how hard that would be to build. Thinking on it off the top off my head, it could be a little challenging but it could also be highly interesting.

It would also be great if we could test a couple of other features like hammering a server with 100 login attempts and see what happens. Real test scenarios could be really helpful. That is probably more something close to what they do with the SOC 2 audit or the report. But more visualization of that, being able to test things out on our infrastructure to make sure we can or can't hit this box could be interesting.

It certainly has a lot of capabilities and we're not using much of what it can do. That's something that, as we mature as an organization, we'll expand into. 

The one thing that we know they're working on, but we don't have through the tool, is the application layer. As we move to a serverless environment, with AWS Fargate or direct Lambda, that's where Threat Stack does not have the capacity to provide feed. Those are areas that it's blind to now, so that's the biggest area for improvement. They're currently looking at changing that with an acquisition, but as it stands right now, that's the only spot that I consider weak.

The API - which has grown quite a bit, so we're still learning it and I can't say whether it still needs improvement - was an area that had been needing it. They have just recently come out with new improvements. 

I'm looking forward to their code analysis, which is coming out as a result of an acquisition they made.

The user interface can be a little bit clunky at times. My enjoyment of the user interface is not 100 percent. We maintain multiple sites, a pre-production site and a production site in different parts of our business. I find myself switching between those sites fairly frequently and I lose track of where I'm at: Am I in the pre-production account or the production account? Sometimes that's a little discouraging. There's a lot of information that needs to be waded through, and the UI just isn't great. They do have a great API. The API has been helpful for us to use as a replacement in many cases for the UI. 

The reports aren't very good. We've automated the report generation via the API and replaced almost all the reports that they generate for us using API calls instead.

The solution’s ability to consume alerts and data in third-party tools (via APIs and export into S3 buckets) is moderate. They have some work to do in that area. I'd like to see more on that side. I'd like to see much better reporting. The API does not mimic the features of the UI as far as reporting and pulling data out go. There's a big discrepancy there.

The other thing that would be really great - and I know this is something they might not want to get into as a business, but it's something I'd love to see - would be if we could bring in data from other tools, specifically AWS WAF. If we could bring in data from there, and include that with what they're already collecting, that would be a huge game-changer for us.

Finally, container vulnerability assessment is something they aren't doing right now.

The compliance and governance need improvement.

I would like the following: 

• Further support of Windows endpoint agents or the introduction of support for Windows endpoint agents. 
• The ability to quickly templatize rule sets and share them.

Firstly, it shoots back a lot of alerts. Secondly, there are some drawbacks which we have found. Sometimes, they say that the servers is down and up, but that thing is not coming up. This happens repeatedly.  Thirdly, the solution should have hash calculation. 

In addition, from a security point of view, they go to file level. That's pretty nice. But they are running completely onto AWS instances and Linux boxes most of the time, so a file can be modified, but what is happening on the process level? That should be the thing on which we should shoot alerts, not on basis of files.