We sat down with John Sapp, CISO at Texas Mutual, at RSA 2026. Sapp runs dual managed services to triage alerts down to true positives. Once the noise is gone, his analysts need to investigate fast. That's where Mallory fits: a force multiplier for the deep investigation work that follows triage.
Triage: Two Managed Services, One Goal
Sapp runs what he calls a "cyber-resilient SOC play" built on two managed services working in parallel: a product-oriented SOC focused on endpoint telemetry and a services-oriented SOC correlating logs from across the environment.
Alerts are escalated along two independent paths. The dual approach measurably reduces alert fatigue and yields a high rate of true positives, which is the whole point: his analysts spend time only on events that actually warrant investigation.
After Triage: Where Mallory Fits
Once his SOC has triaged alerts down to true positives, the next question is: what is this threat, who is behind it, and are we affected? That investigation work needs to happen fast. Attackers are AI-enabled now: they get in, get out, and disappear. Sapp's benchmark is five minutes to determine whether you are affected, while events are still unfolding in real time.
"That's where I think Mallory comes into play, the cyber threat intel that really will help us get to the answer to be able to respond and remediate within a reasonable timeframe."
Mallory is the force multiplier that enables his analysts to go deep on investigations, get to answers, and respond before the window closes.
