Category: Federal Compliance Insights

  • Lessons from 2025: What Red Team Exercises Should Actually Test in 2026

    TLDR: Major 2025 breaches exposed critical gaps in traditional red team exercises. While organizations tested for technical vulnerabilities, real-world compromises succeeded through different attack paths. The three patterns: third-party helpdesk social engineering (Marks & Spencer’s £300M ransomware attack), supply chain attacks (Salesloft Drift breach, Shai-Hulud NPM worm), and internet-exposed industrial systems with default passwords (critical…

  • M&A Deal Risk: Acquiring a Company Mid-Incident (And How Diligence Should Change)

    TLDR: Most M&A technical due diligence assumes you’re evaluating a stable security posture. But sophisticated breaches can remain undetected for months, meaning you might be acquiring a company mid-incident without knowing it. Standard diligence questionnaires and compliance reports won’t find active compromises. Here’s what changes when you need to verify you’re not inheriting an ongoing…

  • Post-Incident Threat Hunting: Finding What Automated Tools Missed

    TLDR: After a security incident, automated tools tell you what happened. Threat hunting tells you what else happened. Most organizations stop investigating once their EDR and SIEM systems identify the initial compromise. Attackers count on this. Organizations that stop investigating once automated tools identify the initial breach leave attackers’ backup access in place. Drawing from…

  • Ransomware Response Beyond Backups: Technical Realities Security Vendors Won’t Tell You

    TLDR: Three weeks after restoring from backups and declaring their ransomware incident resolved, a regional healthcare provider discovered attackers still had domain admin access. The encryption had been reversed. Systems appeared functional. Yet the threat actor had maintained persistence through credential compromise and backdoor accounts that backup restoration never touched. The real incident was just…

  • The First 48 Hours: What Offensive Security Experience Reveals About Incident Response

    TLDR: Adversaries establish multiple persistence mechanisms, move laterally, and exploit blind spots within the first 48 hours of compromise. Most incident response plans focus on containing initial access before understanding the full scope. Three critical gaps emerge: IR teams treat initial compromise as the complete incident while attackers have already established redundant access; lateral movement…

  • How Shai-Hulud Learned to Evade Everything That Caught It

    In September 2025, Shai-Hulud compromised over 500 npm packages, generating security advisories from CISA, analysis from every major security vendor, and widespread coverage across developer communities. Package maintainers were warned. Security teams implemented additional scanning. The npm ecosystem was on alert. Ten weeks later, Shai-Hulud 2.0 compromised 796 packages totaling over 20 million weekly downloads.…

  • Red Team Findings That Predict Incident Response Success (Or Failure)

    TLDR: Red team engagements reveal which organizations will successfully contain real breaches and which will face catastrophic incidents. The predictive indicators are clear: detection speed, response timelines, lateral movement visibility, backup integrity, and stakeholder coordination under pressure. Organizations that can’t detect simulated attacks within 24-48 hours won’t catch sophisticated adversaries moving at operational speed. Those…

  • Incident Response Economics: What Security Teams Miss in Their Preparedness Planning

    TLDR: Most organizations budget for incident response tools and retainers but ignore the real costs: business disruption during recovery, decision-making delays, and the technical debt that makes incidents worse. True preparedness means calculating the economics of your response capability before you need it. Introduction: In September 2023, MGM Resorts lost $100 million to a ransomware…

  • Building Red Team Capability: Partner or Build In-House?

    TLDR: Building in-house red team capability requires 2-3 operators at $150K-$250K+ each, plus training, tools, and retention challenges. External partnerships cost $50K-$150K per engagement with no overhead but less institutional knowledge. The decision hinges on three factors: engagement frequency (8-12+ annually favors in-house), specialization needs (breadth favors partnership), and your ability to retain talent. Most…

  • Pre-Acquisition Security Posture: Questions Every PE Firm Should Ask

    TLDR: Spirit AeroSystems saved $230M by discovering security problems before closing their ASCO Industries acquisition. Most PE firms aren’t that lucky. Standard compliance questions miss the technical vulnerabilities that destroy portfolio value post-acquisition. Here are the six questions that reveal whether you’re buying defensible infrastructure or expensive security debt, and how the answers should inform…