ThreatLocker Exec To MSPs: ‘You Are Drowning In Noise’

‘You are hoping and praying that you’re not going to miss that one alert that is an actual attack, rather than the 499 that aren’t. Too many alerts mean real attacks get missed, and visibility without control only creates noise, not safety,’ says ThreatLocker Chief Product Officer Rob Allen.

It is important to make an MSP’s business and its customers’ business a hard target for cyber criminals—or at least a harder target than other businesses, said Rob Allen, chief product officer at ThreatLocker, the Maitland, Fla.-based enterprise cybersecurity software developer.

“The brutal reality today is cybercrime is industrialized,” Allen told an audience of MSPs at this week’s XChange 2026 conference. “They don’t hack into you or into your customers. Generally speaking, they have a menu of different options and different organizations that they choose or have access to. They’re not hacking you specifically.”

XChange March 2026 is being hosted by CRN parent The Channel Company this week in Orlando, Fla.

ThreatLocker MSPs have learned several lessons over time, often the hard way, Allen said.

“You have to remember, you guys are prime targets because if somebody can choose access to or to hit an MSP, where they can get 100 customers downstream via that MSP, obviously it makes sense,” he said. “So the lessons are No. 1, secure yourselves first, because you are such high-profile targets. … [And] you need to protect everything. There is no point in protecting some of your customers but not all. There is no point in protecting 80 percent of an environment because it is the 20 percent that isn’t protected that’s going to get you.”

When talking about cyber criminals and cybercrime in general, scale is more important than skill, and speed is more important than sophistication, Allen said.

“One of the byproducts of the current AI boom is that it is being used by threat actors,” he said. “Something like 60 percent of new malware samples now show signs of being either created by or improved by AI tools.”

A big question MSPs have to ask themselves is why would an attacker choose them over the next company and why would they choose a particular customer over another, Allen said.

“Internet exposure is a huge thing,” he said. “Ports exposed to the internet [are] terrifying. Go show them that you can search for ports in an area. Search for port 3389 in your hometown. I did it for Orlando recently, and there were over 800 machines with RDP exposed to the internet. That’s 800 environments, 800 organizations that were a guest password away from being the next victim of ransomware attacks.”

Other areas of exposure include VPNs, the ability to open HTTPS on a server internally, or every piece of software a company runs, Allen said.

“These all increase the attack surface,” he said. “So do network scans, external scans of your customers. Today, there might be a port that you opened five years ago that everybody’s forgotten about. … So do scans of your customers’ environments.”

Hackers are not hacking, Allen said.

“They’re very open, going on to dark web websites and buying credentials,” he said. “It’s really common, and it’s only a couple hundred dollars to buy credentials to buy access to your environment. Default configurations are obviously a huge problem as are weak endpoint controls.”

Detection and response are great, but to respond to something you have to be able to detect it, Allen said.

“And it has been proved over and over and over again, you can’t detect everything,” he said. “It’s no good being right 99.99 percent of the time. It’s the 0.01 percent of the time that will kill you.”

Customers often suffer from the myth that they are too small to be attacked.

“Small businesses are hit more often than big organizations,” he said. “We hear about the big ones. They’re the ones that make it into the news. But small businesses, small organizations, are hit more often than not. They’ve got less mature controls. They’ve got the same data. They’ve got weaker defenses. Size does not protect you. Small and medium businesses are preferred targets for initial access.”

A lot of businesses have software on their networks that should not be there, Allen said.

“Does anybody here truly know how many remote access tools are running right now in their customers’ environments?” he said. “Because I guarantee you, it’s more than you think it is. I’ve worked with customers who’ve had four, five, six different remote access tools actively running on their customers’ computers without their knowledge. … We all know how it happens. At some point in the far distant past, a third party said, ‘I need to fix a problem with your machine. I need to fix a problem with your software. Just install TeamViewer so I can get it done for you.’ It gets installed, and it sits there forever as a potential way into the network. And we know their users are going to get prompted at some point to change their sign-in. They’ll probably sign in with a username and password that they’ve used on 15 other websites.”

Many anti-virus or endpoint detection and response tools are valuable but offer what Allen called the “illusion of prevention.”

“They are, by their very nature, reactive,” he said. “And detection assumes compromise. You’re hoping you’re going to detect something in order to be able to respond to it. And fundamentally, alerts are not protection. You might feel protected because you have a tool that’s popping off alerts many times a day, but that does not equal protection. The old signature-based thinking is basically dead at this point.”

Alert fatigue is a huge problem, and depending on a Security Operations Center, where the number of alerts becomes noise, is not foolproof, Allen said.

“You are drowning in noise,” he said. “You are hoping and praying that you’re not going to miss that one alert that is an actual attack, rather than the 499 that aren’t. Too many alerts mean real attacks get missed, and visibility without control only creates noise, not safety.”

It’s important to reduce the attack surface by allowing fewer executables to run, Allen said.

“And fundamentally, every piece of software that runs on your or your customers’ machines increases your attack surface,” he said. “Every piece of software that you stop from running on your or your customers’ machines reduces your attack surface. You get fewer scripts and fewer admin actions. The attacker will move on. It’s too slow, it’s too noisy, it’s too expensive.”

Allen said it is important to also remember that an MSP doesn’t need to be unhackable.

“It just needs to be not worth [attackers’] [time],” he said. “Make them choose someone else. Use ThreatLocker to block unauthorized software, including ransomware. We’re used by big and small companies. Sixty-thousand organizations today use ThreatLocker. Probably three-quarters of them are managed by MSPs, by you guys. In fact, it’s more than three-quarters are managed by MSPs.”

Allen covered a lot of ground in his presentation and made it clear that for a lot of companies, cybersecurity is an afterthought, said Jhon Alexander, marketing leader at Quantiphi, a Marlborough, Mass.-based MSP.

“You know it’s an afterthought, like, ‘Yes, we’re able to detect it; we’re able to resolve it,’” Alexander told CRN. “But ThreatLocker is really talking about being more proactive and having controls in place. I think that point stood out really well when he specifically talked about controlling, which is more important than detection.”

Allen was also spot on when talking about making things difficult for the hackers, Alexander said.

“In scenarios with AI also getting infused, it’s really difficult to avoid being hacked,” he said. “But smaller businesses just don’t make it hard for hackers to hack them. To have things in place, just the bare minimum of different control systems in place can help hackers avoid you and make it difficult for the hackers. … I think the things that ThreatLocker mentioned stood out because it’s easier for us to make it easier for them to just go to the next company.”