
By Trey Annis, Founding Software Engineer The Stryker breach was surprising not for its complexity but for its sheer simplicity; it was almost akin to the typical script-kiddie approach to offensive security: find a tool, use the tool, profit. In the case of this breach, the approach looked more like: obtain credentials from infostealer databases, log in to…

TLDR Major 2025 breaches exposed critical gaps in traditional red team exercises. While organizations tested for technical vulnerabilities, real-world compromises succeeded through different attack paths. The three patterns: third-party helpdesk social engineering (Marks & Spencer’s £300M ransomware attack), supply chain attacks (Salesloft Drift breach, Shai-Hulud NPM worm), and internet-exposed industrial systems with default passwords (critical…

TLDR Most M&A technical due diligence assumes you’re evaluating a stable security posture. But sophisticated breaches can remain undetected for months, meaning you might be acquiring a company mid-incident without knowing it. Standard diligence questionnaires and compliance reports won’t find active compromises. Here’s what changes when you need to verify you’re not inheriting an ongoing…

TLDR After a security incident, automated tools tell you what happened. Threat hunting tells you what else happened. Most organizations stop investigating once their EDR and SIEM systems identify the initial compromise. Attackers count on this: stopping at the initial breach leaves their backup access in place. Drawing from…

TLDR Three weeks after restoring from backups and declaring their ransomware incident resolved, a regional healthcare provider discovered attackers still had domain admin access. The encryption had been reversed. Systems appeared functional. Yet the threat actor had maintained persistence through credential compromise and backdoor accounts that backup restoration never touched. The real incident was just…

TLDR Adversaries establish multiple persistence mechanisms, move laterally, and exploit blind spots within the first 48 hours of compromise. Most incident response plans focus on containing initial access before understanding the full scope. Three critical gaps emerge: IR teams treat initial compromise as the complete incident while attackers have already established redundant access; lateral movement…

In September 2025, Shai-Hulud compromised over 500 npm packages, generating security advisories from CISA, analysis from every major security vendor, and widespread coverage across developer communities. Package maintainers were warned. Security teams implemented additional scanning. The npm ecosystem was on alert. Ten weeks later, Shai-Hulud 2.0 compromised 796 packages totaling over 20 million weekly downloads.…

TLDR Red team engagements reveal which organizations will successfully contain real breaches and which will face catastrophic incidents. The predictive indicators are clear: detection speed, response timelines, lateral movement visibility, backup integrity, and stakeholder coordination under pressure. Organizations that can’t detect simulated attacks within 24-48 hours won’t catch sophisticated adversaries moving at operational speed. Those…

TLDR Most organizations budget for incident response tools and retainers but ignore the real costs: business disruption during recovery, decision-making delays, and the technical debt that makes incidents worse. True preparedness means calculating the economics of your response capability before you need it. Introduction In September 2023, MGM Resorts lost $100 million to a ransomware…

TLDR Building in-house red team capability requires 2-3 operators at $150K-$250K+ each, plus training, tools, and retention challenges. External partnerships cost $50K-$150K per engagement with no overhead but less institutional knowledge. The decision hinges on three factors: engagement frequency (8-12+ annually favors in-house), specialization needs (breadth favors partnership), and your ability to retain talent. Most…