Most security teams believe their tools are working -- but belief is not the same as proof. In this Brand Spotlight recorded live at RSAC Conference 2026, Matt Stewart and Alex Grohmann of Impetum explain why continuous purple teaming has become the missing link between compliance-driven security and evidence-based confidence.
The security industry has spent years debating which tools to buy. Impetum is asking a different question: are the tools you already have actually working? Founded by incident responders who saw the same failures across hundreds of breaches, Impetum built the Persistent Purple Team platform to simulate advanced threat actors inside customer environments on a continuous monthly basis -- not as a one-time engagement, but as an ongoing relationship built around real data, custom TTPs, and a measurable Threat Resilience Score.
Matt Stewart and Alex Grohmann spoke with Sean Martin and Marco Ciappelli at RSAC Conference 2026 about what they are hearing on the show floor: agentic AI is accelerating the speed of compromise and exposing vulnerabilities in legacy systems that have been dormant for decades. Against that backdrop, the value of knowing -- not assuming -- that your detection and response capabilities hold up becomes critical. The platform builds that knowledge through live-fire exercises using an organization's own data, validating patch management, XDR, SIEM tuning, and post-compromise detection in a way no annual pen test can.
The conversation also touched on the structural talent problem agentic AI is creating inside SOCs. As AI fills the level one analyst role, the pipeline for developing level two analysts and incident responders is narrowing. Impetum sees persistent purple teaming as the training ground that closes that gap -- giving existing teams the repeated, realistic practice they need to respond with confidence when an actual breach begins.
Impetum targets mid-size organizations that have the right security tools but lack the budget, bandwidth, and access to industry events to keep those tools continuously validated against evolving attack paths. For those teams, the platform delivers something an annual report cannot: a documented, ongoing record of what works, what does not, and where the program is heading.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Matt Stewart, Co-Founder, Impetum
Alex Grohmann, Co-Founder, Impetum
LinkedIn: https://www.linkedin.com/in/alexandergrohmann/
RESOURCES
Impetum / Persistent Purple Team: https://www.persistentpurpleteam.com
ITSPmagazine RSAC Conference 2026 coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Matt Stewart, Alex Grohmann, Impetum, Persistent Purple Team, Remedium Security, Sean Martin, RSAC Conference 2026, brand spotlight, brand story, brand marketing, marketing podcast, purple teaming, continuous security validation, threat resilience, CISO, security operations, SOC, red team, blue team, incident response, agentic AI, MITRE ATT&CK, penetration testing, cybersecurity
Continuous Security Validation in a World of Agentic AI | A Brand Spotlight at RSAC Conference 2026 with Matt Stewart and Alex Grohmann of Impetum
[00:00:10] Marco Ciappelli: Marco, come on. Star
[00:00:12] Sean Martin: You're very persistent in me starting.
[00:00:14] Marco Ciappelli: Oh,
[00:00:15] Sean Martin: Very persistent. Let's see where you're going.
[00:00:17] Marco Ciappelli: There. I didn't even think remotely that you were going to start with that one, but that's my job.
[00:00:23] Marco Ciappelli: I see what you're doing. I see what you're doing there. Where we're going with this. Yeah. I see what you're doing. And there's some purple color around there.
[00:00:30] Sean Martin: There is some purple
[00:00:31] Marco Ciappelli: colors. Point. And then we are a team. Right. We are a team together.
[00:00:36] Matt Stewart: Home point. Get a good
[00:00:37] Marco Ciappelli: home point. Okay. Well done. It's a pleasure to have this improvised get together here with really good friends that are actually doing something that I think is very special in this industry. They've been in the cybersecurity industry for a while, so they're gonna tell us a little bit about who you are very quickly, and then we jump into what you do.
[00:01:10] Matt Stewart: Yeah, absolutely. So your word alliteration was awesome. So Persistent Purple Team is what we've built. It says it in the name. We simulate advanced persistent threat actors within your environment. And we show you the guidance from a red team and blue team perspective on how to improve security operations as a whole. So that's our background. We originated in incident response as Remedium, a company that very heavily focused on security operations improvements after breach. So we built this platform really for ourselves, and started to get it out in customers' environments, and they're loving it. So it's really advancing and making better use of security operations, practices, and playbooks.
[00:01:55] Marco Ciappelli: Yeah. Alex, how about you?
[00:01:58] Alex Grohmann: Yeah. So Matt and I, we've built this thing basically out of need for ourselves, and it's based in a lot of really good feedback we've heard from the industry, from people saying, hey, this is what we need. It's a unique take on something that has been around forever. And now that we're able to actually have a whole ecosystem that we're able to help, not just do it the one time, it's a continuous process, which really works with our clients to be able to say here's where you are in terms of your maturity of your security operations center, and we can help them through the lifecycle of that, not just a one-time hit.
[00:02:50] Marco Ciappelli: There you go.
[00:02:52] Sean Martin: It's not random purple teaming. It's not inconsistent purple teaming. Right? It's persistent.
[00:02:57] Alex Grohmann: Persistent, thank you.
[00:02:59] Sean Martin: Persistent purple teaming. And that's not by accident, right? The what it does is rooted in experience that the two of you have had. For many, many years. So talk to me. Give us the scoop on all the breaches.
[00:03:10] Matt Stewart: Yeah. So we've had a lot of fun ones that we can't talk about, but we developed a process to get people out of that bad era and we see the same failures over and over again where company X didn't detect this or it didn't make its whole way to the right individual to pull the right string at the right time. So we started exploring these verticals and really understanding the depth of what it takes to prevent an attack. Everybody talks about the kill chain. We prove out the kill chain. And so we had to do this for getting people out of breaches and we'd follow the same attack paths that the adversaries do. And now we've developed internal threat intelligence and we're taking feeds from outside, other incident responders, other partners that we have in place that we're building custom TTPs for your environment persistently. And that gets back to that point. We've watched a lot of companies do pen tests every single year. It's great, right? You find your holes, but you don't understand the depth of what those holes mean. And so that's where purple team exercises come into play. But to break it up is a great muscle memory training exercise for the organization, for your analysts internally.
[00:04:10] Sean Martin: Now I want to make this really clear for folks. It may not be picking up on it completely.
[00:04:14] Alex Grohmann: Proving. Yes. Validation.
[00:04:16] Sean Martin: The validation. That what you have in place is working. So you might have some understanding that your patch management's working, you might have some understanding that XDR and your network stuff is in play. And your SIEM might be tuned a certain way and you might get the signals from those things that you think say, I'm good. And then there's the signals you're missing. And then there's a connection of those that you're missing. And how do you prove the stuff you can't see, that you don't know. The misconfigurations, the lack of a signal or a fire of an alert.
[00:04:55] Alex Grohmann: It's a lot. As a chief information security officer, there's so many different facets and so many hats you have to play. Not only you have to manage your budget, you have to manage the team. You have to do all the -- go on and on. The fact is you're not really stopping and saying, wow, okay, really, how mature are we everywhere? How do we know if things work? We have this great implementation that took two years to get in for this security tool and we can see there's enough security tools. Everybody has them. But really, how do you have that level of comfort? You're probably at night, as the CISO, you're like, if you were able to sleep the whole night, you're probably thinking like, well, wow, okay, great. I passed that audit, or I passed this, and you're feeling excited because you've met the bare minimum for an audit. A lot of times that is. But how do you go above and beyond to have that really level of comfort where, yeah, my stuff is working. I'm getting maximized out of all my security operations tools, team, technology, and I feel good about that. That's where we're trying to help with our clients.
[00:05:56] Marco Ciappelli: Yeah. Well, let's talk about that. Then we go back to what you guys do. We are at a big event. Probably the biggest event.
[00:06:04] Alex Grohmann: Yes.
[00:06:05] Marco Ciappelli: Definitely with numbers for sure. Companies on the floor. We've already had, I don't know, 15, 20 conversations ourselves. I think we got the bingo card on agentic AI.
[00:06:14] Matt Stewart: Yep.
[00:06:15] Marco Ciappelli: What did you guys hear around and between meetings and on the floor and everything?
[00:06:20] Matt Stewart: So, yeah, a lot of things. The speed of compromise and how quickly that's happening and occurring, and the number of vulnerabilities that agentic AI is exposing within organizations and within legacy platforms that just weren't known about today. I mean, we're hearing holes within Linux that have gone back 26 years. We're hearing a lot of this same talk, and to us it's a game changer from an attacker's perspective. But what doesn't change is the internal practices and what matters. At the end of the day, what matters is that last mile of security where if you can detect something and respond to it effectively -- we all know something's going to happen at some point within an organization. It's do you trust your technology that it works? Do you trust that your employees understand your technology and how it works? And I believe very firmly that through muscle memory we can achieve that. So there's a lot of talk going on around agentic AI on the SOC itself. It's been a gap in the industry for a long time. I ran a security operations center early in my career. It's very hard to find qualified analysts. It's very hard to reproduce that once you get one. Analysts don't sit in seats forever. So there's a lot of agentic AI starting to consume that level one analyst role in a SOC. It's needed in the industry, it really truly is. But it creates a very large problem of --
[00:07:58] Alex Grohmann: Yeah.
[00:08:00] Matt Stewart: Where are you getting your level two analysts? And where you're getting your incident responders internally? They're not trained internally. So we're working to fill that gap, alongside of those because we know it's needed. So alongside these partners in security operations and AI -- how do we train level two analysts when we don't have level one analysts? It's a unique problem that purple teaming really helps fill.
[00:08:34] Sean Martin: Yeah. You have to be able to still do the tabletops and run the playbooks and run through this risk scenario and that attack scenario and this response scenario and the full gamut, even with level one not in the picture.
[00:08:48] Matt Stewart: A hundred percent. And with tabletops, wouldn't you rather use your own data? Rather than a scripted slideshow that you're stepping through. With your CISO, with your analyst, and with your legal team. Using your own data really goes a long way to make it realistic. Like this didn't just happen hypothetically. This actually could have happened here and we're proving that ground out. And really helping to show those different things that have to occur to handle a breach before it happens.
[00:09:13] Marco Ciappelli: So you're pen testing, you're testing, and as you do that you improve the product that they have because through validation then you can do some remediation. And where I'm going with this is -- when we talked a while back, you had an old advertisement in mind about, you know, we're not selling a product. We're helping you to make it better.
[00:09:47] Matt Stewart: Yep.
[00:09:48] Marco Ciappelli: And that's what you guys do.
[00:09:49] Matt Stewart: Absolutely. Yep. That's a hundred percent. It was BASF. It stuck with me as a kid. We don't make the products you buy, we make the products you buy better. I've wanted to live that model my whole life. It made so much sense to me. Right? To say why build something new whenever you can stroll down the halls here and see a thousand different companies that are trying to solve the same issues over and over again. And I go -- what we see as incident responders isn't necessarily a tools problem, it's how they're implemented. It's how they're understood. It's how they're driven, and that's where we're just trying to look at from a different angle about the problems of the world and really simplifying that for organizations.
[00:10:28] Sean Martin: Can you give an example of where a breach occurred because of something and the Persistent Purple Team would uncover that? And the method that's there that you talk about, the muscle memory as well.
[00:10:42] Matt Stewart: Yeah. Some of the higher end breaches to larger organizations that have a very good program in place, they still have a point of entry. Famous examples are, you know, developers will spin up a box that shouldn't have been online anymore because they wanted to pull some old code or update something in a dev environment that was sitting there in the cloud. All of a sudden comes up and it's attached to your active directory and boom, you're using old credentials. Maybe you don't have two-factor authentication enforced on that environment. There's a pathway in. The pathway ins occur no matter what. There's always a pathway in. And so, you know, we've shifted off of perimeter security many years ago, but it's still relied on too much. So what do we do? We simulate that lateral movement. We simulate the privilege escalations within an environment. We simulate what occurs after that initial compromise. And so that's the last mile that we're talking about -- do you know that you can detect once somebody's in? And so we're trying to give that reassurance that yeah, your tools are working like they should, or you maybe got the wrong tool for your environment.
[00:11:58] Marco Ciappelli: And how important is the peace of mind?
[00:12:00] Sean Martin: Once a CISO, always a CISO.
[00:12:02] Alex Grohmann: Absolutely. So yeah, it's the peace of mind. But you know, when you look at different models in terms of industry and IT as a whole, there's always some level of maturity that you have. You gotta have benchmarks. Even HR for an individual, you know, like how do you mature from year to year? That's what we're bringing with our platform. Being able to measure that against industry standards that says, okay, here's where you're at now. If you want to strive to get a little bit higher, let's go out there, let's do some testing. Throughout there, through our platform, in our ecosystem, we've got various tools to be able to help that. So no matter what, at least you know that, okay, I am moving the needle, not just going out there and making a compliance checklist. I've heard numerous people like, wow, I'm just barely keeping up with just the compliance. I don't know really if my tools are working, my people are maximized or all that. We are in there to try and help address that.
[00:12:53] Marco Ciappelli: And no matter what, somebody's gonna pen test you.
[00:12:56] Matt Stewart: You're getting tested whether you know it or not. Yes.
[00:12:59] Marco Ciappelli: There is that dragon going somewhere.
[00:13:01] Matt Stewart: Oh, lurking. Yes. I mean, you can put your head in the sand, but he's still gonna be there.
[00:13:05] Sean Martin: So talk to me about being a CISO. There's a lot on the shoulders, which then trickles down to all the leads across the operations of the security program. Speak to the CISOs about what you can do with persistent purple teaming and the Persistent Purple Team product to help them support their team in the best way possible. So instead of calling out that they're missing something or pointing to a failure -- it's helping them learn more and achieve more.
[00:13:43] Alex Grohmann: The beauty of our model is, most of the time when you do an annual app pen test or something like that, it's a point in time. You're going out there, everybody's out. You spend two weeks just doing the paperwork, filling out the rules of behavior, get a contract signed. This is after all the procurement, getting the three vendors, picking the lowest one. It's great, but it's like, okay, you go up there, you have the engagement, there's your report. Thank you very much. Where's our check? And they're out. With us, we work with our clients. We enable, we use AI as an enabler, but we are actually working with the internal operations team. We are building a rapport with them so that they realize that we are in their best interest, not just -- hey, at the end of this is a check with your obligatory five findings, and here's your bill and your report. With that, we gain the trust because it gets easy for an internal security operations center to get not complacent, but you do -- you're dealing with other things. Here we are saying, did you think about this? Did you see this? Hey, we noticed this. Wow. Okay. Thank you. It's like going to a cocktail party and your fly is down. We are helping to say, hey, did you know this? Let's look at this. And this also helps with the CISOs because the CISOs get an independent validation from an external third party about how well their SOC is doing. They're gonna -- CISOs have to go off for funding. They have to justify that they're constantly working with the chief financial officer, whoever. If they say, look, we have a benchmark here. This is where we're going. Here's the next year. This is why I potentially need more funding, or this is why I can justify this already spent.
[00:15:20] Sean Martin: Yep.
[00:15:21] Marco Ciappelli: So Matt, how do you work with clients and who is your ideal client? Is it a certain size company? A certain maturity?
[00:15:30] Matt Stewart: Great question. And we scale up to any size company. Quite frankly, our most successful targets are mid-size companies that need a change of pace from an annual pen test, an annual tabletop exercise. We work well with larger companies that have internal red teams. We work directly with them and give them that front-end threat intelligence that they probably don't have today. And it's right with what Alex was saying, you know -- you get that muscle memory of, hey, we have to solve these same five alerts every single day. We only worry about the criticals that come in. And then they miss a medium because of that. And that medium may be the most impactful thing that they should have seen that day. So the mid-size companies, what we find often and why they're probably our best target is they have the right tools. They have analysts. But they're lacking the depth of experience. Their training budgets get cut all the time.
[00:16:32] Alex Grohmann: Yes.
[00:16:33] Matt Stewart: They're not able to go out and get the external knowledge. They're not here at RSAC Conference, the big companies are all here at RSAC Conference, but the mid-size -- they just don't have that luxury because you can't ship your two analysts to a conference for a week because then who's looking at the traffic? So what this does is it provides training to the individuals with your own data. On-prem, live-fire exercises where you're seeing how your actual tools respond to an actual adversary. So it's that training platform all in and of itself. And that's where I think the mid-size companies are probably who like us the most.
[00:17:08] Sean Martin: Now I'm gonna go back to the muscle memory because let's think about deploying these tools. It's a project. Go research, whittle it down to a few vendors, do a couple proof of concepts. Bring them in, help get it deployed. Maybe you call them back a few months later and tune it.
[00:17:28] Marco Ciappelli: Yep,
[00:17:29] Sean Martin: Yep. Done. Then you leave it. The renewal comes up. Maybe you get an update, you do some maintenance, but you're not going in and fine-tuning. And when you start to look at the attack chain, it's not unlike the pen test once a year. It's in between the deployment and that maintenance period coming around that there's a configuration that's not right. Or a module that hasn't been updated. Or some alert that is not being fired because you weren't told you have to change this setting in order to get this new data that we released -- this new feature. Did you get it?
[00:18:04] Matt Stewart: Yeah. New feature releases is a great example. Oh, we introduced AI but we didn't even know that we have that capability within our MDR platform. We didn't know that our SaaS provider was capable of connecting their API to our SIEM. We didn't know that connection existed. But it changed. Next version came out and now it has that capability. So we're forcing people to look at that. And what we call that is threat resilience. So are you resilient to what's going on in your own environment? The changing threat model -- and companies, project after project occurs. We're gonna build this new widget that does X, Y, and Z, or we're bringing in this new software vendor that's gonna do something else that changes security every single day. And once a year is not enough to test that. Especially in this modern agentic AI era, once a year just doesn't cut it anymore.
[00:19:00] Marco Ciappelli: Yeah. I mean, I think from a branding perspective -- when you have a name that explains everything, it makes sense. Persistent is the key here.
[00:19:10] Matt Stewart: Yep.
[00:19:11] Marco Ciappelli: I was just walking down, I'm not gonna name the company, but in that circus of the expo floor, a couple of companies -- I had to really look behind the buzz, whatever they were going with their circus, to understand -- I'm like, who are these people?
[00:19:27] Matt Stewart: Yep.
[00:19:28] Marco Ciappelli: So I think clarity is really important. And when you have that in the name, it's important.
[00:19:35] Sean Martin: And it's funny because we had to look beyond the fast food facade and the record store facade to see what's behind it. And then you still don't know what's happening. And then we are like, oh, we know them.
[00:19:47] Marco Ciappelli: Right.
[00:19:48] Sean Martin: It's like, I don't understand what's going on here. So to know what's going on, and to be able to prove who you are and have trust with the community is key.
[00:19:57] Marco Ciappelli: Yeah. So if somebody wants to get started with you tomorrow, what do I have to do?
[00:20:02] Matt Stewart: PersistentPurpleTeam.com. We have an amazing site that shows you the journey that you're gonna take to work with us, to help propel your program.
[00:20:10] Marco Ciappelli: And it shows a lot of the conversations you've had.
[00:20:13] Matt Stewart: It does. Yeah.
[00:20:14] Marco Ciappelli: Some pretty cool people too.
[00:20:16] Matt Stewart: Content first rate. Yes. It's always good to have old friends.
[00:20:20] Marco Ciappelli: Content first rate. Hey, it was a pleasure to spend time with you. Thank you for joining us here on the couch at RSAC Conference 2026.
[00:20:28] Matt Stewart: Always a pleasure.
[00:20:29] Sean Martin: Good to see you guys. Thanks.