Enterprise-Security

Disclaimer: The examples below are anonymised and aggregated across multiple engagements. The goal is to highlight recurring patterns, not embarrass any specific organisation. Security Theatre: Field Notes from the Inside The Scene Most environments I assess are not wide open. They have firewalls, policies, and controls that look sensible on a slide deck. The same weaknesses keep showing up anyway. Security gets implemented as a compliance checklist rather than an adversarial system. ...

The Illusion of Security Most environments aren’t completely unsecured. Firewalls are enabled. Logging exists. Alerts are configured. From the outside it looks fine, maybe even responsible. Controls aren’t usually missing. They’re inactive. In recent work I’ve seen environments where security features were technically enabled but effectively useless. Logs existed but nobody read them. Alerts fired and nobody came. Things broke and the outcome was the same either way. An organisation’s security is only as strong as the people interacting with it. The tooling matters less than whether someone looks at it. The architecture diagram matters less than whether someone notices when something breaks. ...