They used to hack governments for a living. Now they protect your clients from the people who do.
It's 2 a.m. somewhere. A hacker - patient, quiet, lateral - is moving through a network they shouldn't be in. Most security tools send an alert. Blackpoint Cyber's SOC sends them packing.
Blackpoint Cyber is a managed detection and response company with a quirk that MSP partners either love immediately or find slightly alarming: the security operations center acts before asking. When it sees a threat, it contains it. The partner gets a notification afterward explaining what happened and why. There is no approval queue. There is no committee.
This is by design. The company was built by people who spent careers in the intelligence community, where hesitation has consequences. Jon Murchison, the founder and executive chairman, spent more than 12 years at the NSA planning, conducting, and executing national security missions. He operated like an adversary - finding vulnerabilities, exploiting networks, and applying offensive techniques against targets. He was, in his own words, "the bad guy for the good guys."
"Security teams don't have time to stitch together fragmented tools and dashboards."
- Jon Murchison, Founder & Executive Chairman, Blackpoint Cyber
In 2014, he took everything he knew about how attackers operate and built a company around it. Not a consulting firm. Not an advisory shop. A platform. One that could detect the subtle, lateral, tradecraft-driven behavior patterns that signature-based tools simply don't recognize - because they weren't built by people who've done those things.
Traditional endpoint detection and response (EDR) tools miss 72% of attacks that reach Blackpoint's SOC. That number isn't from a commissioned whitepaper. It comes from the company's own operating data, watching what slips through other products and lands in front of their threat hunters.
The gap exists because most security tools look for known signatures - malware hashes, known-bad domains, recognized attack patterns. But experienced attackers don't use known malware. They use legitimate tools: PowerShell, RDP, Windows administrative utilities. They move quietly, horizontally across a network, blending into normal traffic. There's nothing to flag. No malware. No obvious intrusion. Just someone who shouldn't be there, being very quiet about it.
Estimated threat detection coverage rates. Traditional EDR relies on known signatures. Blackpoint's SOC adds live network mapping, behavioral analytics, and tradecraft pattern recognition. Results vary by environment.
The MSP market was particularly exposed. Managed service providers were being asked by their small and mid-market clients to handle cybersecurity alongside everything else - helpdesk, backups, patching, licensing. MSPs are good at operations. They are not, as a rule, staffed with former NSA computer network operators.
"20% of organizations newly onboarded to Blackpoint's platform already have active email compromise threats present when they join."
- Blackpoint Cyber operating data
The founding thesis was uncomfortable in its simplicity: the techniques nation-state actors use to penetrate networks are the same ones criminals use to hit SMBs. The target changes. The playbook doesn't. So why should the defense be any different?
Murchison holds multiple patents in network analysis, defense, pattern analytics, and mobile platforms. The SNAP-Defense platform - Blackpoint's original proprietary system - uses a patented Live Network Map to reconstruct network topology in real time and detect lateral movement as it happens. Not after the fact. While it's happening. The SOC sees the attacker moving through the environment and can respond before they reach the target.
That speed - 16 minutes average response time on-premises, 7 minutes in cloud environments - isn't a marketing number. It's the operational consequence of removing the approval delay. Other MDR providers alert the partner, wait for approval, then act. Blackpoint acts, then informs. For a lateral movement attack where the window to stop spread can be measured in minutes, that difference is the ballgame.
For a long time, the security industry's answer to complexity was more tools. A different vendor for endpoint protection. Another for cloud posture. Another for identity. A SIEM on top of that. An MSP managing five clients might need fifteen dashboards to answer the question: "Are my clients secure right now?"
CompassOne, launched at RSA Conference in April 2025, is Blackpoint's answer to this proliferation problem. It consolidates MDR, endpoint detection, cloud posture management, asset inventory, vulnerability management, application control, and compliance logging into a single platform with a letter-grade security posture rating - an A through F score that tells MSPs, in plain terms, how their clients are actually doing and where to focus first.
The platform targets two audiences. MSPs get portfolio-level visibility and the tools to prove their security work to clients. End-user organizations - typically small to mid-market businesses - get coverage that was previously available only to enterprise security teams with eight-figure budgets.
Blackpoint locks a compromised Microsoft 365 account approximately every 30 minutes. That's not an annualized projection. That's the operational cadence - automated, continuous, running regardless of timezone or holiday schedule.
The G2 results tell a similar story. In Spring 2025, Blackpoint earned 23 G2 badges across MDR, Cloud Detection and Response, and Cloud Security categories - more than in any previous quarter, and earned from MSP reviews rather than analyst scoring. Six of those badges were first-place finishes. The company holds the top position in the G2 Momentum Grid for Managed Detection and Response.
At RSA Conference 2025, CompassOne was recognized as Most Innovative Unified Security Posture in the Global InfoSec Awards - a result that arrived roughly 72 hours after the platform's public debut, which is either very fast validation or a judge with good timing.
The $190M Series C in June 2023 was one of the largest raises in cybersecurity that year. Bain Capital Tech Opportunities led the round, with Accel participating alongside existing investors. The capital funded platform development, team expansion, and the partner program infrastructure that Blackpoint launched in October 2024.
Blackpoint's position in the market has always been a slight provocation. The company argues, with evidence, that the techniques sophisticated attackers use against SMBs are identical to those used against government targets - only the expected resistance differs. When attackers know the target won't have a threat hunting team, they get comfortable. They move slower. They don't bother covering tracks they don't think anyone will check.
Blackpoint's response is to check. The SOC team hunts for behavioral indicators - tradecraft patterns, privilege escalation sequences, unusual authentication timings, lateral movement signatures - that don't require known malware to identify. When something looks wrong, even if nothing is technically flagged, they look closer.
"By unifying proactive hardening and real-time response, CompassOne helps organizations measure, prioritize, and strengthen their security posture."
- Manoj Srivastava, CTO, Blackpoint Cyber
The MSP channel is the distribution mechanism. Blackpoint provides complimentary internal-use licenses to MSP partners, which means partners experience the platform protecting their own operations before they sell it to clients. It's an unusual choice for a B2B SaaS company. It also explains the depth of trust reflected in the G2 reviews - these aren't buyers who saw a demo. They're operators who've run the platform on their own networks.
The MDR market is projected to grow at 16% in 2025, according to Canalys. Every MSP in that growth curve is being asked the same question by every client: how do we know we're covered? The answer used to be "we have antivirus and a firewall." That answer no longer satisfies anyone who reads the news.
Blackpoint's timing was not incidental. The company spent a decade building detection logic and operational muscle before it became a venture-scale story. The technology works because the people who built it have used the same attack patterns from the other side of the network. That's not a branding claim. It's a structural advantage that takes years to replicate.
Back to that 2 a.m. somewhere. A hacker is moving through a network. Lateral. Quiet. Patient. The difference now is that Blackpoint's SOC is also awake, also patient, and considerably less impressed by the tradecraft than the attacker expected. By 2:17 a.m., the session is terminated. The partner gets a notification. The attacker finds another target.
That's the product. That's the mission. That's the 16 minutes.