This is the engagement the breach walkthrough on our homepage is drawn from. Names and identifying details are removed; the sequence is intact. We were called in after the ransom notes were already on the screens. Here is what remediation actually looks like when a flat, VPN-connected network has been fully compromised — and why we rebuilt it Zero Trust from the top down rather than patching the old design.
Hour zero: assume nothing is clean
The instinct after a ransomware hit is to start restoring. That's a trap. If you restore into the same architecture the attacker owned, you restore into their hands. The domain admin credential they used is still valid. The backdoors they planted are still there. The flat network that let them move is still flat.
So the first decision was containment before recovery. We isolated segments, forced a credential reset from a known-clean path, and treated every existing account and device as untrusted until proven otherwise. That "prove it" posture — never trust, always verify — is the entire philosophy, applied under fire.
Why the old architecture failed
The breach didn't succeed because this company was careless. It succeeded because the architecture was built on implicit trust, like most networks still are:
- A legacy VPN granted whole-network access to anyone with a valid credential. Once the attacker phished one, they were inside — not at one application, but on the network.
- The network was flat. Nothing challenged east-west movement, so RDP and SMB scans swept subnet to subnet unopposed.
- A cached domain-admin credential on an aging file server handed over the directory. Game over.
- Backups were reachable from inside the same network, so they were encrypted first.
Every one of those is a trust assumption. Fix the assumptions and the same attacker gets nowhere.
Rebuilding Zero Trust from the top down
We didn't reinstall the old design with better passwords. We replaced the trust model.
Kill the VPN; grant applications, not networks. ZTNA replaced the VPN. Users now connect to the specific applications their identity entitles them to — never to "the network." A stolen credential grants exactly what that one person could reach, and nothing lateral. There is no flat network to sweep because there is no network handed out at all.
Cloak the infrastructure. The gateways are hidden behind Single Packet Authorization. To an unauthorized scanner, the infrastructure simply doesn't respond — it isn't there. The reconnaissance step that every one of these attacks depends on returns nothing.
Verify every request, continuously. Access decisions weigh identity, device posture, and context on every request, not once at login. A credential that starts behaving like an attacker — odd hours, machine-timed cadence, reaching for resources it never touches — loses access mid-session.
Put autonomous EDR on every endpoint. SentinelOne went on the endpoints so that if a payload does execute on a compromised device, it's killed on-device and the machine quarantined in milliseconds — not after an analyst notices an alert.
Segment backups out of reach. Recovery infrastructure was moved behind its own policy boundary, unreachable from general user access, so the "encrypt the backups first" playbook no longer works.
Replay the same attack
With that architecture in place, run the identical attack again. The phish still lands — you can't patch human curiosity. But the harvested credential opens no network, because there is no network to open. The scanner finds no infrastructure to map. The one payload that reaches the one compromised laptop is killed autonomously and the device quarantined. Entitlements are revoked. Total impact: one laptop reimaged, zero files encrypted, zero ransom paid. Monday morning, business as usual.
Same attacker, same 3 AM, same stolen credential. Different architecture, different outcome.
What to take from this
You do not want to meet us at hour zero. The remediation worked, but it was expensive, stressful, and avoidable. The controls that saved this company after the breach are the same controls that would have prevented it — and they cost a fraction of the incident.
If you're running a flat network behind a VPN today, you're running the architecture that failed here. Test your Zero Trust readiness in a couple of minutes, or see what the bundle costs against what a breach costs. The math is not close.