How CISOs Should Rationalize the Security Stack

Ralph Chammah, Co-Founder & CEO of Blacklight AI, shares a builder’s perspective shaped by years in cybersecurity analytics—what breaks in real SOC environments, and what it takes to make detection actually usable at scale.

In this episode, Ralph explains why “AI-first” security isn’t a label—it’s an operating model for reducing alert noise, improving context, and helping teams detect behavior that rule-based systems routinely miss.

He explains:

  1. Why security stacks get noisy (and what “AI-first” should actually mean)
  2. How to cut through acronyms like XDR/MDR and evaluate real value
  3. How to use context + behavior patterns to catch insider risk and compromise
  4. Why privacy/trust decisions (local vs external processing) matter in AI security
  5. How replay/simulation helps validate detections and reduce false positives

Episode Timeline:

  1. (01:46) Meet Ralph + what Blacklight AI does
  2. (06:45) Why he left the Big 4 to build a product
  3. (12:26) Tool overload, acronyms, and differentiation (XDR/MDR)
  4. (18:10) Why AI belongs in detection (and how to avoid bad signals)
  5. (21:44) Trust & privacy: where the data goes (and why)
  6. (23:16) “Battle scars” from SIEM life: parsers, missing fields, manual grind
  7. (29:32) Selective ingestion vs. “pipe everything” into the magic box
  8. (31:32) Validation: replaying history + simulation to prove detections
  9. (35:35) Biggest high-risk wins: insider threat + slow-burn intrusions
  10. (39:13) Jaguar Land Rover breach story + business impact
  11. (47:27) Quickest wins: what to connect first by maturity level
  12. (49:55) What tools he’d remove first (and why)
  13. (59:39) Platform vs point solutions: the real trade-off

Connect with Ralph on LinkedIn

Powered by controld.com
