On May 13 we published The Proof Gap: What the Canvas Breach Revealed About Modern Cyber Disclosure. The argument was simple. The hardest question to answer after a breach is the one that matters most.
What data was actually accessed?
On June 4, Instructure confirmed that student data had been accessed in the Canvas incident. The timeline:
- April 25: Initial compromise
- May 6: Incident declared resolved
- May 7: Additional unauthorized activity discovered
- May 11: Reported ransom payment
- June 4: Confirmation of what was accessed
The number that matters in that timeline isn’t how fast the intrusion was detected. It’s how long it took to confirm what happened. Six weeks.
The gap between detection and defensible answers is the Proof Gap.
This isn’t a Canvas problem. It’s the pattern after almost every modern breach. Attackers will always find a way in, and entry keeps getting easier, not harder. Canvas is this month’s example. The real fight starts after the intrusion. Can you independently prove what was accessed, what was exposed, and who was affected?
For most organizations the answer is no. So they end up working from screenshots, leak sites, ransom negotiations, and attacker claims to understand what happened to their own data.
Read that again.
The organization owns the data. Owns the systems. Owns the security tools. And the attacker becomes the source of truth.
That isn’t a detection problem. It’s an evidence problem.
The industry has spent years investing in tools that identify malicious activity and generate alerts. Those investments are necessary. But every incident reaches the same moment, where the conversation shifts from did something happen to what was the impact. That’s when superintendents, parents, regulators, insurers, board members, and now Congress want answers.
The organizations that hold up under that pressure aren’t necessarily the ones that detect first. They’re the ones that can produce evidence on demand. Payload-derived, defensible, and usable by both the humans working the response and the agentic AI tools accelerating it.
After every breach, the most important question isn’t how the attacker got in. It’s whether you can independently prove what they did once they were inside.
The attacker should never be your primary source of breach intelligence


