Traditional security teams have largely independent proactive and reactive security functions. This comes from organizational distance and vastly different charters and measures of success for these capabilities. Many modern product security teams now work a lot closer with incident response, in some cases even owning certain product security incident response capabilities. This serves as a bridge between the two functions and opens up interesting avenues for feedback and learning. In this talk, we will discuss how we can improve our product security programs by leveraging the skills and context from incident response.