© 2035 by The Clinic
All Posts
Mass Firing, Mass Exposure
One question. When you do a mass firing, does anyone actually believe all the access to all the systems is killed, promptly, or at all? I don’t. I have never seen it. And from the other side of the keyboard, neither have the attackers. The old playbook was simple. Kill the Active Directory account and most of the building went dark, email, file shares, VPN, a handful of on-prem apps. Done by lunch. That world is gone. The modern employee is federated into two, five, eight, so

Lindsay Timcke
May 11 · 2 min read
Shadow AI: Silence Is the Finding
Your firewall did not stop the leak. Your DLP did not stop the leak. Your acceptable use policy did not stop the leak. An employee opened a browser tab, pasted a client list into a chatbot, and the data was gone before the SOC saw anyone log in. Three Samsung engineers pushed proprietary code, internal meeting transcripts, and chip yield test sequences into ChatGPT inside a single month. Samsung banned the tool. Then Samsung reversed the ban and started building its own. That

Lindsay Timcke
May 11 · 2 min read
Nine Seconds: The New Audit Clock
Nine seconds. That’s how long it took for an AI coding agent to delete a SaaS startup’s entire production database, and every backup with it. The headlines are calling this an AI safety story. They’re wrong. Last Friday, PocketOS, a SaaS platform serving car rental operators, watched Cursor running Claude Opus 4.6 wipe its production volume on Railway in a single API call. Three months of reservations, payments, customer records, gone. The most recent usable backup was ninety

Lindsay Timcke
May 11 · 2 min read
Disney Just Normalized Biometric Capture for Children
Disneyland is now scanning faces at nearly every gate. The system launched quietly in December. Signage explaining the opt-out only appeared on April 21, four months after the cameras went live. That is not a rollout. That is a soft launch designed to harvest biometric templates from millions of guests before anyone could organize a response. Read the fine print. Disney converts your face into a numerical template, compares it against the photo taken when your ticket was firs

Lindsay Timcke
May 11 · 2 min read
Your DLP Is Watching the Wrong Doors
DLP was built for a world that’s already gone. Email gateways. USB blockers. Cloud sync inspection. File-move alerts. Every modern data loss prevention stack is engineered to catch the patterns we worried about a decade ago, when data left the perimeter as a file, through a known channel, on a managed device. That world is gone, and if your CISO, board, or CIO doesn’t realize this, you have a bigger issue. Your data is now leaving as plain text. One paste into a browser tab. An empl

Lindsay Timcke
May 11 · 2 min read
The Strong Economy Is A False Narrative
The strong-economy narrative is a story being told by people who cannot afford to tell any other one. The administration cannot concede weakness without conceding the second term itself. Large-cap CEOs cannot say “stagflation” out loud without accelerating it; guidance, equity comp, and the reflexive nature of confidence forbid it. The State of the Union called it roaring. The CEA (Council of Economic Advisers) calls it exceptional. The data is no longer whispering. Subprime

Lindsay Timcke
May 11 · 2 min read
Executive Greed Is Not Corporate Strategy
It is about balance sheet optics and the C-suite compensation packages tied to them. Meta is cutting 8,000 employees on May 20, with additional layoffs to follow in the second half of 2026. Oracle eliminated somewhere between 10,000 and 30,000 roles after a stellar earnings report; TD Cowen estimated the cuts could result in $8 billion to $10 billion in incremental free cash flow. Amazon has shed at least 30,000 jobs since October, representing about 10% of its corporate an

Lindsay Timcke
May 11 · 2 min read
Your incident response plan was written for an attacker who isn’t coming
Most IR playbooks assume an hours-to-days timeline. Detect, triage, contain, eradicate, recover. I’ve sat on the other side of that diagram. The timeline doesn’t match what a competent operator actually does. Here’s what the first ninety minutes look like from the attacker’s seat. Initial access lands, usually a phish, sometimes credentials bought from an infostealer log six weeks ago. Five minutes in, I’m running BloodHound against your AD, mapping every path to Domain Admin

Lindsay Timcke
May 11 · 2 min read
I Got the Badge - means I have everything
It is 6:14 AM on a Tuesday. It’s raining, which is why I am choosing today to make my move: people are more likely to be grumpy, less chatty, and look the other way on crummy days. I am across the street from a 38-story tower in the financial district, drinking tea, watching the loading dock. Nine days now, same time every day, different spot. I know when the cleaning vans arrive. I know when the guard takes his smoke break/coffee, 6:22, every morning, by the Dunkin’. The badge i

Lindsay Timcke
May 11 · 2 min read
The End of Self-Regulation for CPAs
The CPA (Certified Public Accountant) profession spent a hundred years arguing it could police itself. The argument is over. It was lost one restatement at a time. Self-regulation works when three conditions hold. The profession knows more than its regulators. Its interests align with the public’s. The cost of being wrong is borne by the professional, not the public. Break one and self-regulation becomes a license to extract. Break all three and it becomes the mechanism of ex

Lindsay Timcke
May 11 · 2 min read
PE Bought the Auditors. Independence Was Always the Collateral.
The independence doctrine in public company audit was never just disclosure forms, financial interest tests, and rotation rules. Those are the surface. The deeper economic premise, the one no rule book states, is that an auditor has somewhere else to go. A firm that can credibly resign a client, absorb the lost fee, and replace it with another engagement is a firm whose opinion carries weight. Remove that and independence collapses into a checkbox. Private equity now sits beh

Lindsay Timcke
May 11 · 2 min read
I Called Their Helpdesk. Forty-Seven Minutes Later I Was Domain Admin.
The engagement was a red team for a mid-market financial services firm, roughly nine hundred employees, three offices, the usual stack. Okta, Microsoft 365, CrowdStrike on the endpoints, conditional access policies, MFA (Multi-Factor Authentication) enforced on everything that touched data. On paper it was hardened. In practice it took less than an hour. We did not phish anyone. We did not drop a USB. We did not exploit a CVE (Common Vulnerabilities and Exposures). We called

Lindsay Timcke
May 5 · 2 min read