First, Chicago ISSA, thanks for inviting me to share my thoughts with you! I thoroughly enjoyed the presentation, Eric Hasty’s followup presentation, and all the ad-hoc discussions afterwards. A big thanks to Steve Moscarelli and Gregg Friedman for reaching out to me and planning this.

The Talk

I’ve been collecting and analyzing breach details for roughly 10 years now, and decided it was time to publish and share what I’ve learned. I hired an intern to help me polish and publish a decade’s notes on over 100 incidents.

Breach details are all over though, aren’t they?

Most breach databases are shallow: date of breach, financial losses, number of customers affected, etc. These shallow details aren’t useful for practitioners hoping not to repeat the mistakes of others. That’s where The Defenders Initiative comes in.

We seek out the process failures and control failures. Okay, an employee was phished. We seek to answer why the phishing attack wasn’t detected.

• Why weren’t the attacker’s next 20 steps detected or prevented?

• What was the company culture like?

• Were security products and controls neglected or well maintained?

• Did a penetration test warn the company of an attack precisely like their breach, just months before?

I also have to comment on Mythos and the impact of AI on vulnerability discovery, time-to-exploit, and other factors that weigh heavily on breach likelihood.

The Resources

My talk mentions many resources, which I’ll attempt to list here, roughly in the order they’re mentioned in my talk.

• My talk with Adam Shostack from RSAC 2026: Failure is a Terrible thing to Waste

There are a few places where we can find evidence that is deep and useful. The following lists are examples, not exhaustive.

• Reports on Threat Actors and DFIR analysis

  • Verizon Data Breach Report (annual report - the new one comes out in a few weeks!)

  • Mandiant M-Trends (annual report)

  • FortiGuard Labs’ Global Threat Landscape reports

  • The DFIR Report

• Federal investigations

  • FTC Complaints (here’s Drizly, as an example)

  • US Govt Investigations

  • European Repository of Cyber Incidents

  • Canadian Privacy Commissioners (here’s Alberta and Ottawa’s investigations into the Powerschool breach, as examples)

  • CISA CSRB (RIP - the CSRB put out some excellent reports, but is unfortunately, currently defunct)

• Insurance Companies

  • At-Bay’s annual InsurSec Report

  • Coalition’s annual cyber claims report

  • Cowbell Cyber claims report

• Transparent Companies

  • Code Spaces shared the details of their unfortunate demise one day after it happened

  • The British Library’s report on their own breach

  • Three security companies impacted by Okta’s Support Site Breach shared their experiences: 1Password, Cloudflare, and BeyondTrust

  • CircleCI provided a lot of details about their 2023 breach.

Other references

• One of the talks I’ve done on the Equifax breach

• My writeup on Mythos and the impact of AI on vulnerability management (below)

From this point on, it only gets rougher

Adrian Sanabria

·

Apr 13

In case you missed it, I’ve detailed some of the challenges facing vulnerability management programs in a previous post: Reevaluating vulnerability management. Those challenges are only getting worse.

Read full story

The Slides

Last, but not least, here’s a link to the slides.