Five bets shaping the modern security program

Five bets every security
program should be making.

Passarel names the bets your program needs to place this year. We diagnose which apply, deploy the curated partner stack, and operate the program end to end.

Start a conversation See the bets
Identity in the deepfake era Offense at AI pace Control efficacy Defense at AI pace Agent runtime governance

Five bets,
delivered end to end.

Passarel identifies the bets your security program needs to be making in 2026, deploys the curated partner stack for each, and operates the program once it's live.

One firm. One owner. Skin in the game on the outcome.

The five bets

Where every modern
security program is exposed

01 Identity

The helpdesk is now your weakest authenticator.

AI-deepfaked impersonation has turned account recovery, helpdesk reset flows, and high-trust transactions into the soft underbelly of the IAM stack you spent a decade building.

Nametag SDG
02 Offense at AI pace

Manual pentests can't keep pace with AI-armed attackers.

Attackers find weaknesses on a weekly cadence. You're testing on an annual one. Automation owns the volume. Reserve human creativity for the work only humans can do.

Staris Pairs with bet 04
03 Control efficacy

Boards are asking whether your controls work, not whether they exist.

Compliance frameworks tell you what to have. They don't tell you what's actually catching attacks. We measure the difference and close the gap.

Discern
04 Defense at AI pace

Your defense cannot run at human pace if your attacker runs at AI pace.

Once they're in, you have minutes, not days. The SOC has to be re-architected around AI-speed triage and response. Tier 0 is the new operating layer.

SRA Pairs with bet 02
05 Agent runtime governance

Your AI agents have no badge, no boss, and no audit trail.

Every agent your business deploys makes decisions, calls tools, and delegates to other agents. IAM governs humans. Network governs devices. Nothing in your stack governs what agents do at runtime.

Watchlight

How we deliver

Diagnose the bets.
Deploy the stack.
Operate the program.

Every bet follows the same path. A fixed-fee diagnostic to map which apply and on what timeline. The curated partner stack to deliver each one. Operations to keep the program running once it's live.

One firm. One accountable owner. End to end on the bet that matters.

Selected outcomes

What the work has produced.

Case study · Operator role · 2024–2025

Pangea → CrowdStrike, $260M in 11 months

Joined Pangea as Head of Business Development to lead the pivot to AI detection and response. Built the channel motion and partner ecosystem that positioned the company for acquisition. Eleven months later, CrowdStrike acquired Pangea for $260M as the basis of its AIDR offering.

Result: $260M strategic exit; product line became a named CrowdStrike offering.

Case study · Services P&L · 2013–2021

Accenture Security, ~100X over eight years

As Global Managing Director, ran the cybersecurity services P&L across Communications, Media, Technology, and Aerospace. Scaled the business approximately 100X through delivery modernization, automation, and acquisition integration. 1,800-person global org at peak.

Result: ~100X revenue growth; 1,800-person global org; multi-hundred-million-dollar services portfolio.

Case study · Operator engagement · 2026

From 590 candidate vulns to 6 real bugs in 7 hours

Through Staris AI, ran continuous attack path validation against an 823,000-line proprietary platform. Surfaced 590 candidates, validated to 6 real, exploitable bugs with PR-ready patches in 7 hours 12 minutes. Shipped the same week.

Result: 99% noise reduction; zero false positives; engineering shipped fixes same week.

About

Built by someone who's run programs like yours

Steve Curtis is a former Accenture security practice leader and Palo Alto Networks SVP. He has board relationships, deep vendor knowledge, and the pattern recognition that comes from seeing what works (and what doesn't) across hundreds of security programs.

Passarel is the firm he would have wanted as a client. Trusted. Opinionated. In it for the outcome.

Steve Curtis Founder, Passarel

Ready to cross?

Every voyage starts with a single conversation. No deck required.

[email protected]

About Passarel

Passarel: a cybersecurity advisory firm that names the five bets every modern security program should be making this year, deploys the curated partner stack for each, and operates the program end to end.

What is Passarel? Who founded it? And how does an engagement actually run? Passarel is a cybersecurity advisory firm that names the five bets every modern security program should be making this year, deploys the curated partner stack for each, and operates the program end to end. One firm, one accountable owner. Founded by Steve Curtis and based in Newport Beach, California.

The five bets

Bet 01 — Identity in the deepfake era
Closing the helpdesk and account-recovery gap that AI-deepfaked impersonation now exploits. Workforce IAM, customer IAM, and the new layer of identity for AI agents acting on behalf of humans. Partners include Nametag and SDG.
Bet 02 — Offense at AI pace
Continuous attack path validation and AI-paced offensive security to replace annual pentest cadence. Partner: Staris AI.
Bet 03 — Control efficacy
Proving whether the controls a board cares about are actually catching attacks, not just deployed. Partner: Discern.
Bet 04 — Defense at AI pace
Re-architecting the SOC around AI-speed triage and response, with Tier 0 as the new operating layer. Partner: SRA (Security Risk Advisors).
Bet 05 — AI agent runtime governance
Controlling what AI agents do at execution time: what they can read, what they can call, and which other agents they can delegate to. Partner: Watchlight.

How an engagement runs

  1. Diagnostic. A fixed-fee diagnostic maps which of the five bets apply to your environment today, on what timeline, and with what level of partner involvement. Typically 2 to 4 weeks. Output is a written brief, a phased roadmap, and a recommended partner stack.
  2. Deploy. Passarel deploys the curated partner stack for the bets that land. One firm coordinates the rollout; the partners do the specialist work.
  3. Operate. Once the program is live, Passarel stays as the accountable owner of the bet. Quarterly reviews, board-prep support, partner relationship management, and ongoing adjustment. Most engagements run 12 or more months.

Common questions

Who founded Passarel?
Steve Curtis. Twenty-plus years across consulting (PwC, Accenture), vendor leadership (Palo Alto Networks SVP of Ecosystems for Prisma and Cortex), venture-backed operator roles (Cygnvs, Pangea / CrowdStrike $260M acquisition, Staris AI as CRO), and independent advisory through Rencana. Former Global Managing Director of Accenture Security where he ran a 1,800-person global P&L and scaled the business approximately 100X over eight years.
Who is Passarel built for?
CISOs, VPs of Security, and Directors of Security at mid-market and enterprise organizations who want a single accountable partner rather than another vendor introduction.
What is Quay?
Quay is an AI agent built by Passarel that brokers warm introductions between cybersecurity executives and the firms in the Passarel partner catalog. See askquay.com.

Further reading