Lines in the Sand
A Security Brutalism Story
Mar 2026
Modern companies depend on invisible systems. Networks, data, and software run quietly behind the scenes, and most of the time no one notices. But every so often someone on the outside starts knocking on the digital doors, searching for a weakness. When that happens, the difference between a small incident and a serious breach often comes down to a handful of people who understand the system better than the attackers do.
Ari was one of those people. Direct, impatient with bureaucracy, and fiercely protective of the foundations that keep systems secure, he had built a small team that thrived in controlled chaos. While others focused on reports and compliance checklists, Ari focused on something simpler. When attackers came, and they always did, he made sure they ended up exactly where he wanted them.
Chapter 1: The Man Who Watches
The office tower woke slowly in the pale gray light of morning. Glass caught the first reflection of the sky while elevators moved quietly through empty shafts and the last members of the cleaning crew finished their rounds before the day began. At this hour the building felt like a machine warming up, silent systems coming online before the noise of people arrived.
At 5:58 a.m., the lobby doors opened and Ari Shaw stepped inside.
He moved like a man who had already been awake for hours. Lean, strong, and fluid in the way he carried himself, every step deliberate but unhurried. There was nothing restless about him. He walked with the quiet efficiency of someone who had long ago learned that energy spent unnecessarily was energy wasted.
The guard at the desk nodded when he saw him.
“Morning, Mr. Shaw.”
Ari returned the nod with the faintest acknowledgment, already moving past the desk toward the elevators with a black coffee in hand. No sugar. No milk. Just heat and bitterness in a simple paper cup.
The elevator ride was quiet. Thirty seconds in a mirrored box rising through an empty building. Ari stood still with one hand in his coat pocket, his reflection staring back at him from three sides. His face revealed almost nothing. It was the expression of someone who had trained himself not to react too quickly, someone who preferred to observe first and decide later.
Silence.
The doors opened to the executive floor. Most people believed the Chief Information Security Officer arrived closer to eight. That assumption had never been corrected. It was easier to see things clearly before the building filled with people.
Ari walked down the corridor past rows of glass offices and dark conference rooms until he reached the last door at the end of the hallway. There was no nameplate, only a small placard beside the frame.
Chief Information Security Officer.
Inside, the office looked almost unfinished.
The desk was large but bare. A laptop rested at its center beside a single black ceramic mug. Two chairs faced each other across the polished surface. Nothing else occupied the room. No awards. No photographs. No framed credentials meant to reassure visitors that the person sitting here was important.
The walls were empty except for one sign mounted directly across from the desk.
“Security is what survives contact with reality.”
Ari placed the coffee down and opened the laptop, but for a moment he did not sit. He stood quietly, studying the words on the wall as if measuring them again.
Most people who saw the sign assumed it was a quote from somewhere. Some military strategist or philosopher whose name had been lost to time.
It was not a quote.
It was a rule.
Security programs failed for the same reason military campaigns failed. Eventually someone began believing their own plan instead of reality. Controls that looked perfect on paper collapsed the moment they encountered an adversary who did not follow the script.
Ari had learned that lesson earlier than most.
His official biography said he had spent ten years in federal service before entering the private sector. It did not say where. The résumé listed no agencies and no operations. It simply recorded the years and then moved on, as if an entire chapter of his life had been deliberately erased.
Inside the company there were theories about what those years meant. Military intelligence. Special operations. One rumor claimed someone in the legal department had seen his name mentioned in a declassified counterintelligence report tied to an operation somewhere in Eastern Europe.
Ari had never confirmed any of it.
Anyone who asked received the same calm answer.
“I used to solve different problems.”
He finally sat down and took a sip of coffee as the laptop screen came alive with dashboards. Threat alerts, vulnerability reports, incident summaries, vendor assessments. An endless stream of signals that most security teams believed represented awareness.
To Ari it was mostly noise.
Real danger rarely appeared in dashboards. It appeared quietly and indirectly. A developer granted access they did not need. A supplier that had never been properly vetted. A server communicating with another system that should not even know it existed.
Ari did not watch alerts.
He watched patterns.
Patterns told you where the lies were.
And there were always lies somewhere inside a system this large.
At 6:30 a.m., his phone vibrated once against the desk. The calendar reminder appeared without sound.
COO / General Counsel 7:00 a.m.
Ari studied the notification for a moment before setting the phone down again.
Budgets.
In large companies, money was another form of warfare. Resources determined which risks were tolerated and which ones were removed from the battlefield entirely. A security leader who did not understand that dynamic rarely lasted long.
He closed the laptop and finished the last of his coffee. Outside the office, the building had started to change. The quiet early hours were fading as executives arrived, assistants switched on lights, and the first conversations of the day began drifting through the corridors.
Noise.
Ari stepped out into the hallway and closed the door behind him. His pace remained steady as he moved toward the conference wing where the senior executives kept their offices.
The meeting with the Chief Operating Officer and the General Counsel was scheduled to begin in less than an hour.
By the time it ended, something in the company would almost certainly change.

Chapter 2: Lines in the Sand
Marcus Vale’s office was built almost entirely from glass. The walls, the doors, even sections of the conference table were transparent, an architectural choice meant to signal openness and accountability. Ari had always found that kind of symbolism slightly ironic. The most consequential decisions inside large organizations rarely happened in places that were truly transparent.
Marcus stood when Ari entered. The Chief Operating Officer carried the composed confidence of someone used to running vast machinery. Entire divisions of the company moved when he made decisions. Supply chains shifted, factories recalibrated, contracts were renegotiated. The operational pulse of the corporation flowed through this office.
Elena Ruiz sat beside him at the table. As General Counsel, she represented the quiet gravity of the legal system behind the business. Where Marcus projected polished authority, Elena projected precision. She watched everything carefully and spoke only when she had something worth saying.
Marcus gestured to the chair across from them. “Ari. Thanks for coming in early.”
Ari sat down without ceremony. Meetings like this rarely benefited from small talk.
Marcus rested his hands on the glass table. “We’re reviewing operating budgets for the next two quarters. The board wants tighter discipline on spending.”
Ari nodded once.
Marcus continued. “Security has grown significantly over the last few years. New tools, new vendors, additional teams. It’s one of the fastest growing operational budgets outside engineering.”
That part was true. Ari had overseen much of that expansion himself.
Marcus leaned back slightly. “The question we’re asking is whether all of it is actually necessary.”
Ari studied him for a moment before answering.
“Some of it isn’t.”
Marcus paused.
Elena’s attention sharpened.
Ari continued calmly. “A significant portion of our security spending exists because someone outside this company requires it.”
Marcus tilted his head slightly. “Explain.”
“Cyber insurance mandates. Regulatory frameworks. Compliance audits. Third party assessments.” Ari folded his hands together on the table. “Each one introduces a set of controls that must exist on paper whether or not they actually improve security.”
Elena nodded faintly. She understood that world well.
“Those controls generate documentation, tools, reporting systems, consultants, evidence collection, audit preparation,” Ari continued. “All of which costs money.”
Marcus frowned slightly. “But they’re required.”
“Correct.”
Ari’s voice remained steady. “And we fund them. Every year.”
Marcus tapped a finger lightly against the table. “Which brings us back to the original problem. The board sees a large security budget and asks where we can reduce it.”
“That’s reasonable,” Ari said.
Marcus looked mildly surprised. “You agree?”
“Yes.”
The room went quiet for a moment.
Ari leaned back slightly in his chair.
“The problem is where those reductions happen.”
Marcus gestured for him to continue.
“Most cost cutting efforts inside security remove the wrong things,” Ari said. “They cut monitoring coverage, incident response capacity, threat intelligence, or engineering work that actually reduces risk.”
Elena spoke quietly. “Because those are easier to measure.”
“And easier to explain,” Ari said.
Marcus watched him closely now. “So you’re saying we’re spending money on the wrong things.”
“I’m saying a large portion of our budget is spent proving we are secure instead of making us secure.”
The words hung in the room.
Marcus exhaled slowly. “And the board will not accept removing regulatory controls.”
“I’m not proposing that.”
Ari paused briefly before continuing.
“I’m proposing we reorganize everything else around them.”
Marcus leaned forward slightly. “Into what?”
Ari’s answer came without hesitation.
“Security Brutalism.”
Marcus frowned. “You’re going to have to unpack that.”
“It’s simple,” Ari said. “We strip security down to the controls that actually protect the business. Identity systems. Data protection. Attack surface management. Detection and response.”
He spoke calmly, almost clinically.
“Everything else gets evaluated by a single question. Does this survive contact with reality?”
Elena thought of the sign she knew hung in Ari’s office.
Marcus studied him for a moment. “And this reduces cost?”
“Yes.”
“How?”
“Because complexity is expensive. Every redundant control, every overlapping platform, every compliance artifact that requires manual effort multiplies operational cost. Brutalism removes the excess and reinforces the foundation.”
Marcus considered that. “So instead of cutting security, you’re proposing restructuring it.”
“Yes.”
“And you’re confident it works.”
Ari nodded once.
“Very.”
Marcus leaned back again. “That’s a bold claim.”
Ari was about to answer when his phone vibrated softly on the table.
The notification came from the internal threat intelligence channel his team used for high priority alerts.
He glanced at the screen.
URGENT. Unusual credential activity detected in vendor network. Possible lateral movement.
Ari read it once and then looked back up at the two executives.
For the first time since entering the room, a faint trace of amusement appeared in his expression.
“Timing,” he said calmly, “is an interesting thing.”
Marcus frowned slightly. “What does that mean?”
Ari slipped the phone back into his pocket and stood.
“I believe,” he said, “we are about to have a practical demonstration.”
Chapter 3: Signals
Ari left Marcus Vale’s office without hurry.
The hallway outside the executive offices was quiet at that hour. Most of the building was still warming up for the day, the slow mechanical rhythm of a large organization beginning to spin. Somewhere far below, elevators hummed and printers came to life.
He walked back toward his office with the calm pace of someone who already understood the shape of the problem. Panic rarely improved outcomes.
Inside his office, the air still carried the faint smell of fresh coffee from earlier that morning. The room had a certain energy to it, the kind that only someone deeply familiar with controlled chaos could maintain.
The sign across from his desk looked at him: “Security is what survives contact with reality.”
Ari slipped his phone into his dark jeans pocket and opened the top drawer. From it he pulled a tablet. He always went light when things demanded action. The tablet was protected by a matte-black case designed for environments where coffee spills and sudden movements were normal.
He powered it on as he walked.
The internal alert system expanded across the screen, displaying the initial report in greater detail.
Vendor Network Activity Anomaly
Source: Threat Intelligence Channel
Confidence: Moderate
Indicators: Credential misuse, lateral authentication attempts
Affected Party: Virex Industrial Systems
Ari’s eyes paused briefly on the vendor name.
Virex wasn’t just another supplier. They maintained diagnostic tooling embedded inside several of the company’s production environments. Their engineers had privileged access pathways designed for troubleshooting manufacturing software and firmware updates.
Which meant if their network was compromised, those pathways could become something else entirely.
Ari locked the screen again and stepped out into the hallway.
The Security Operations Center sat two floors below the executive offices, buried deeper in the building where sunlight rarely reached. The SOC had been intentionally placed away from the open glass architecture the rest of the company favored. Security work required concentration, not aesthetics.
The elevator ride took less than a minute.
When the doors opened, the lighting shifted immediately. Cooler. Dimmer. The hum of electronics replaced the quiet of executive corridors.
The SOC itself was a wide, windowless room filled with rows of desks and towering displays mounted across the far wall. Monitors glowed with dashboards, event streams, and network maps that shifted constantly as the company’s infrastructure moved data across continents.
Analysts worked quietly at their stations, headsets on, eyes scanning flows of information most people would never notice.
A few looked up as Ari entered.
Not out of surprise. Just acknowledgment.
One of the senior analysts, Daniel Park, rolled his chair slightly away from his console. “Morning, Ari.”
Ari set the tablet down beside the main SOC console.
“I saw the alert,” he said. “Tell me what we know.”
Daniel rotated one of the monitors toward him.
“It started about fifteen minutes ago,” he explained. “Credential activity inside the Virex network. One of our intelligence feeds flagged abnormal authentication patterns tied to accounts that normally only operate during their maintenance windows.”
A cluster of connection lines appeared on the display.
“Initially we thought it might be routine admin work,” Daniel continued. “But then we saw lateral movement between their internal systems. Fast movement.”
“How fast?”
“Faster than humans usually move.”
Ari studied the map.
“So likely automated.”
“That’s our assumption.”
Another analyst leaned over from the adjacent desk. “We also saw the same credentials attempt authentication against the secure vendor gateway they use to reach our environment.”
Ari’s attention sharpened slightly.
“Were they successful?”
“Not yet,” Daniel said. “The attempts are still outside our network boundary.”
“Good.”
Daniel zoomed the display in further. The connection attempts traced through infrastructure nodes that bounced across multiple regions before converging toward the company’s vendor access portal.
“Looks like someone is mapping paths,” Daniel said.
Ari nodded slowly.
“That would be the logical next step.”
He rested one hand lightly on the edge of the console while studying the data.
Vendor compromise was a familiar pattern. Attackers rarely targeted large companies directly when they could approach from the outside through smaller partners. Supply chains created convenient doors if someone knew where to look.
Daniel brought up another screen.
“We notified Virex security,” he said. “Their team is investigating internally, but they’re about twenty minutes behind where we are.”
“That’s expected,” Ari said calmly.
Another analyst called out from the back row. “New telemetry just came in.”
One of the large wall displays shifted.
The authentication attempts had increased.
The pattern was clearer now. Someone inside the Virex environment was probing outward, testing connections, looking for a pathway that responded differently from the others.
Ari watched it unfold without visible concern.
Marcus’s earlier question echoed faintly in his mind.
How do you know your systems actually work?
The answer was simple.
You watch them under pressure.
Daniel looked up from his console. “We’re preparing containment rules on the vendor gateway. If they manage to authenticate, we can lock the connection down immediately.”
“Good,” Ari said.
Another alert chimed softly somewhere in the room.
Then another.
Daniel frowned slightly and checked a different panel on his display.
“That’s odd.”
“What is?”
“That activity spike triggered a flag with the SUW team.”
Ari’s gaze shifted toward a row of desks positioned slightly apart from the rest of the SOC.
The Security Unconventional Warfare unit operated inside the SOC but rarely participated in routine monitoring. Their role was different.
Where the SOC detected and responded, SUW studied adversaries. Patterns. Behavior. Strategy.
When necessary, they also disrupted.
One of the SUW operators was already standing, staring at a scrolling set of telemetry feeds across three monitors.
A moment later, a message appeared on Ari’s tablet.
SUW Alert
Enemy activity indicators detected
Disruption operations initiating
Daniel looked over at him. “Did they just…?”
Ari read the message once.
“Yes,” he said calmly.
Across the room, the SUW operator typed a final command and leaned back slightly in his chair.
A second alert appeared on the SOC wall display.
SUW STATUS:
Disruption Operations Active
Ari watched the screens for another moment.
Then he spoke quietly, almost to himself.
“Well,” he said, “that escalated quickly.”
Chapter 4: Disruption
When the SUW alert appeared on the wall display, the mood in the Security Operations Center shifted.
SOC analysts were trained to monitor, detect, and contain. Their work was methodical, structured, and reactive by necessity. But when the Security Unconventional Warfare team activated, the atmosphere changed in a subtler way.
They did not simply respond to attacks.
They hunted them.
At the far side of the room, the SUW workstations came alive almost instantly. Three operators leaned over their terminals while a fourth stood quietly behind them, studying the telemetry flowing across the screens.
Keren didn’t raise her voice.
She didn’t need to.
“Let’s slow them down,” she said.
Her accent carried the faint edge of somewhere else, sharpened by years spent speaking English inside operational environments. No one in the SOC had ever asked her directly what she used to do before joining the company. The rumors varied, but they all ended in the same place.
Someone who had done this before. With Ari.
One of the operators brought up the vendor gateway telemetry on a larger display.
“Credential attempts are still probing the perimeter,” he said. “Pattern suggests automated reconnaissance.”
Keren nodded.
“Good. That means they’re impatient.” She stepped closer to the console and tapped a section of the network map. “Wake up the dormant segments.”
One of the analysts smiled slightly.
“Thought you might say that.”
Within seconds, a portion of the company’s internal infrastructure that normally remained invisible began to light up inside the monitoring system. Hidden systems and network devices appeared. Additional network routes quietly came online. Several storage systems that had been intentionally left inactive began broadcasting subtle signals across the internal routing tables.
To an external observer probing the network, it would look like systems that were reachable. Valuable systems.
“Decoy environments and honeypots active,” the analyst reported.
Ari watched the map expand.
“Bait,” he said quietly.
Keren glanced toward him briefly. “Information,” she corrected.
On the screen, one of the probing connections immediately shifted direction.
Instead of continuing toward the vendor gateway authentication portal, it redirected toward one of the newly visible internal nodes.
The attacker had noticed the change.
One of the SUW operators leaned forward.
“There we go.”
Packets began to stream across the telemetry feed. The system recorded every move, every request, every malformed handshake attempt as the probing software attempted to interact with the decoy environment.
“Not human,” the operator said after a few seconds. “Behavioral timing too consistent.”
Another analyst nodded.
“Bot.”
The traffic pattern intensified. The bot scanned directories, tested authentication prompts, and attempted to enumerate services running on the decoy environment.
Keren watched quietly for nearly a minute. “Let it explore,” she said.
Ari folded his arms. “What are we learning?”
“TTPs,” the analyst replied without looking away from the screen. “Tool signatures, behavior patterns, scanning logic. We use a bot of our own to learn in real time.”
Another operator zoomed into the outbound traffic pattern.
“Wait.”
Keren stepped closer.
“What is it?”
The operator pointed to a sequence of outbound packets buried inside the stream.
“It’s trying to report back. It’s injecting the request inside what appears to be a request for OS updates.”
“Command and control?”
“Looks like it.”
The team immediately began isolating the packet pattern.
The bot wasn’t just scanning. It was attempting to communicate with an external system, sending compressed telemetry packets toward a remote IP address.
Ari leaned slightly closer. “Can we intercept it?”
The operator tilted his head.
“Maybe.”
Keren’s voice remained calm.
“Reverse engineer the signal if you can.”
That process took some time, but their internal LLM, hooked into several agents deployed in the decoy environment, helped.
The bot’s outbound communication used a simple but slightly obfuscated protocol designed to disguise command traffic as normal network activity. One of the SUW engineers began reconstructing the packet structure after the AI dropped it, while another worked to identify the remote endpoint.
Several minutes passed before one of them spoke again.
“Got it.”
He rotated the monitor so Keren could see.
“Command structure. We can mimic the server response.”
Keren nodded once. “Do it.”
The team began crafting a spoofed response packet, carefully replicating the formatting and timing they thought was expected by the bot’s command protocol.
A moment later the outbound connection attempt triggered again. This time the SUW system intercepted it. The bot believed it had reached its command server. Instead, it had reached them.
The operator leaned back slightly.
“Well,” he said quietly, “that’s interesting.”
“What?” Ari asked.
“It’s accepting commands.”
Keren allowed herself the faintest smile.
“Good.”
“What do we tell it to do?” the analyst asked.
“Nothing,” she said.
They looked at her.
“For now,” she clarified. “We feed it noise.”
The operator nodded and began injecting harmless responses back through the spoofed channel.
False directory structures. Fake system identifiers. Simulated responses that made the decoy environment look even more valuable than it really was.
The bot accepted everything.
Meanwhile, Ari stepped away from the console. He found Daniel Park at the main SOC station.
“I need a situation report,” Ari said.
Daniel nodded immediately.
“For the board?”
“For the CEO, COO, and Elena.”
Daniel pulled up a reporting interface.
“What level of detail?”
“Clear enough that they understand the risk,” Ari said calmly. “Simple enough that they don’t misunderstand the response.”
Ari opened his own tablet and began organizing the information.
Vendor compromise. External probing. SUW disruption operations active. Containment measures holding.
He wrote the report with the same deliberate clarity he used in every crisis communication. No drama. No speculation. Just facts and controlled assessment.
Ten minutes later he reviewed the document once more.
Then he sent it.
Across the room, one of the SUW analysts suddenly leaned forward.
“Keren.”
She stepped beside him. “What is it?”
He expanded a second telemetry window.
“This traffic isn’t coming from the vendor connection.”
Keren studied the display.
“Where?”
The analyst zoomed in further. Another inbound connection had appeared on the internal network. Not through the vendor gateway; from somewhere else entirely.
Keren’s voice remained quiet.
“Well,” she said, “that’s unexpected.”
Across the room, Ari’s tablet vibrated again.
Chapter 5: The Second Door
Ari read the alert once. Then he walked back toward the SUW console.
“Where did it come from?” he asked.
The analyst highlighted the connection path. “Internal entry point. Different vector,” he said.
Ari looked at Daniel.
“How did we miss that?”
The question wasn’t accusatory. It didn’t need to be.
Daniel frowned and began typing commands into his terminal.
“Give me a minute.”
The SOC screens shifted as he began replaying historical telemetry from earlier in the morning. Packet captures scrolled across the display while Daniel traced the path of the connection backward through the network.
Another analyst joined him, scanning authentication logs.
“Found it,” Daniel said after a moment.
He zoomed the screen. The connection had entered through a service endpoint used by a vendor support application installed months earlier.
Keren watched silently.
Ari spoke again. “Why didn’t it trigger detection?”
Daniel hesitated.
“Because… it wasn’t supposed to…”
Ari waited.
Daniel sighed quietly and leaned back in his chair.
“Remember the changes we had to make last quarter for the internal audit review?”
Ari nodded slowly.
“Compliance required adjustments to several monitoring pipelines,” Daniel continued. “Logging thresholds. Alert tuning. Some service channels were temporarily excluded because the audit systems kept flagging them as noise.”
He gestured toward the screen.
“This endpoint was one of them.”
Ari said nothing for several seconds. Then he nodded once.
“So we blinded ourselves.”
Daniel didn’t argue.
“Unintentionally,” he said.
Across the room, the SUW team had already begun analyzing the second connection.
Keren spoke without looking up from the display.
“This one isn’t automated.”
Ari turned toward her. “How can you tell?” he asked.
“Timing.”
She pointed to the telemetry.
“The bot from the vendor network probes continuously. This connection pauses, adjusts, then resumes.”
Ari understood immediately.
“A human operator.”
“Yes.”
One of the SUW analysts rotated his chair toward Ari.
“They might have used the bot as a distraction.”
Keren nodded slightly. “Possible.”
The decoy environment still glowed brightly on the network map while the bot continued interacting with the spoofed command channel. Meanwhile, the second connection moved carefully across a different part of the network.
Slower. More deliberate.
Keren turned toward Ari.
“You wanted a demonstration earlier,” she said.
Ari watched the second connection path form across the display.
“Yes,” he replied.
“Well,” she said calmly, “now you have two.”
One of the SUW operators pushed an empty chair toward Ari.
“Want to help?”
Ari sat down without hesitation.
“Show me what you’re seeing, and put me to work.”
The operator brought up the command interface.
“Attacker is enumerating service accounts and system interfaces. Looking for escalation paths.”
Ari’s fingers moved across the keyboard.
“Let’s give him something to think about.”
Across the room, the SOC and SUW teams worked side by side now.
Detection.
Deception.
Containment.
The network map shifted slowly as the intruder continued moving through the environment, unaware that every step was being watched.
Ari studied the telemetry calmly.
Then he began typing.
Chapter 6: Bait
The second breach had now become something else entirely.
It was no longer just an intrusion. It was a conversation.
Inside the SUW workspace, screens glowed with scrolling telemetry as the team quietly watched the attackers move through the carefully prepared environment. The fake datasets had been planted hours earlier, just believable enough to pass a quick inspection, but completely fabricated.
“Movement confirmed,” Keren said, leaning forward. “They’re browsing.”
On another screen, packet captures began filling a window. The attackers had started packaging the files.
“They’re compressing,” someone from the team muttered.
Ari glanced over.
“Same method as the bot,” he said calmly. “Watch the exfil path.”
A few seconds passed.
Then it appeared.
The outbound connection spun up exactly the way they expected: encrypted, structured, and methodical. Except it wasn’t going where the attackers thought it was going.
The traffic hit the fake command-and-control infrastructure the SUW team had deployed earlier.
“Got them,” Keren said.
Across the room, someone smiled.
The attackers believed they were extracting valuable internal data. Instead, they were delivering it neatly into a trap.
But Ari wasn’t done. He opened another terminal and began spinning up a new server instance.
“Another decoy?” one of the analysts asked.
“Better,” Ari said.
Within minutes the system was online: a pristine server running a MySQL database. Empty.
For now.
Ari launched one of the SUW team’s internal automation scripts. The script began populating the database almost instantly.
Rows appeared by the thousands.
Design documents. Technical research. Proprietary algorithms. Internal product notes. Everything an attacker hunting intellectual property would dream of finding.
Or so it looked.
In reality, every single record was fabricated, synthetic intellectual property crafted to look authentic.
Across the room, Keren was doing something similar. Her database, however, looked completely different. Instead of intellectual property, it was filled with chaotic corporate debris.
Random code fragments; archived reports; fake HR documents. Even folders of staged company party photos.
Someone had gone to impressive lengths to make the pictures look awkwardly real.
Ari nodded when he saw it.
“Good,” he said.
One database represented valuable intellectual property. The other looked like normal corporate clutter.
The attackers’ behavior would reveal everything.
“If they go for the IP,” Ari said, “it’s targeted.”
“And if they grab the junk?” Keren asked.
“Then we’re just today’s victim.”
The systems ran. The attackers moved. And the trap waited.
Halfway through the operation, Ari’s phone buzzed.
A text message.
From the CEO.
Come to my office. Need a status update.
Ari stared at the screen for a moment. Then sighed.
“Keep monitoring,” he said to the team. “Nothing changes.”
He left the room reluctantly.
The executive floor felt quieter than the SOC. Too quiet.
When Ari walked into the CEO’s office, the entire executive team was already there. CEO. Legal. Finance. Operations. All of them.
The moment he stepped inside, the questions began.
“What exactly happened?”
“How serious is this?”
“Is data already stolen?”
“Are we exposed legally?”
“Should we notify customers?”
“Is this ransomware?”
The questions came rapidly, overlapping, louder by the second.
Ari stood there without saying a word.
He waited.
Eventually, the noise slowed. Then stopped.
Only then did he speak. Calm.
Measured.
“We detected an intrusion attempt,” he said. “Two entry points. One automated, one manual. Both are currently contained inside controlled environments.”
Blank stares.
He continued.
“We are feeding them fake data.”
Silence.
More questions erupted.
“Fake data?”
“Why?”
“Is that legal?”
“Can they still reach production?”
Ari exhaled slowly.
Then, for the first time, irritation crept into his voice.
“This,” he said, gesturing slightly around the room, “is what happens when security controls get weakened for audit convenience and legal paperwork.”
The room went still.
Ari didn’t wait for a response.
He turned and walked out.
Chapter 7: Containment
When Ari returned to the SOC, nothing looked panicked.
Which was exactly how he liked it.
The SUW team had taken over one side of the room, their screens filled with network telemetry and sandbox environments. Across the aisle, the SOC analysts were updating detection rules in real time.
“Welcome back,” Keren said without looking up.
Ari pulled a chair over. “Status.”
“They took the bait,” she said.
A screen rotated toward him.
The attackers were still active inside the decoy environment. Files were being explored, directories opened, and databases queried.
“Which one?” Ari asked.
Keren smirked.
“The IP database.”
Ari nodded slowly. Targeted. Not random.
“Good to know,” he said.
Another analyst spoke up. “We’re feeding indicators to the SOC. They’re pushing detection updates live,” he said.
Across the room, SOC monitors began lighting up as new alert signatures propagated across the company’s systems.
Every new tactic the attackers tried was immediately captured and converted into detection logic. Their methods were now becoming the company’s defenses.
Meanwhile, the decoy infrastructure continued doing its job. Every attempt to extract data hit the fake C2 server. Every outbound transfer was silently absorbed.
The attackers believed they were successfully stealing information. In reality, they were going nowhere. And they quickly understood that.
Time passed. Their activity slowed. Queries became less frequent. Commands more hesitant.
Eventually, the probing stopped entirely. One connection dropped. Then another.
Finally, the last command session went silent.
The attackers had given up.
The room stayed quiet for a few seconds. Then someone leaned back in their chair.
“Well,” one analyst said, “that was fun.”
Ari didn’t smile. He stood up.
“Alright,” he said. “Now the real work begins.”
Several heads turned.
“Every entry point we saw tonight gets hardened.”
He pointed toward the screens.
“Authentication paths, network segmentation, monitoring rules. And anything else they even looked at.”
The team nodded.
This wasn’t just stopping an attack. It was making sure the same door could never be opened again.
Outside the SOC, the building had gone quiet for the night.
Inside, the team started rebuilding the defenses.
Stronger.
Smarter.
And far less forgiving.
Chapter 8: Foundations
The building was quieter than it had been the night before. The chaos had passed. The attackers were gone.
Inside the SOC, however, the work continued.
Logs were still being reviewed. Detection rules were being refined. Infrastructure diagrams were open across several screens as the team mapped the exact path the attackers had attempted to take.
The decoy environments were still running, but mostly idle now.
Empty.
Ari stood near the back of the room, watching the team work.
Keren noticed him.
“They’re gone,” she said.
Ari nodded.
“They got nothing,” she added.
He paused for a moment before answering.
“They got something,” he said.
Keren raised an eyebrow.
“Education.”
The final report took several days to complete. Not because the attack had been complicated, but because Ari insisted it be clear. Precise. Unavoidable. Very Ari.
The document didn’t just describe what happened. It described why.
The first section detailed the intrusion attempts. The automated probing. The secondary manual access. The compression routines. The attempted command-and-control channels.
The second section showed how the SUW team had contained the attackers.
The decoy servers. The fabricated databases. And the fake command-and-control infrastructure.
Every step documented. Every decision explained.
But the most important section was near the end.
It wasn’t about the attackers. It was about the company.
The report described something Ari had been warning about for years. Security was not built on presentations. It was not built on compliance checklists. And it certainly was not built on expensive tools that looked impressive in meetings.
Security was built on foundational controls.
Strong authentication. Network segmentation. Monitoring that actually detected abnormal behavior. Systems configured to fail safely rather than conveniently.
The attack had not succeeded because those controls existed. It had almost succeeded because some of them had been weakened.
Budget adjustments.
Audit compromises.
Legal requirements that prioritized documentation over protection.
Individually, each decision had seemed reasonable. Together, they had created an opening.
The SUW team had closed that opening.
But the report made something clear.
They should never have had to.
When Ari walked into the boardroom a week later, the atmosphere was very different from the night of the incident.
The board members had read the report.
All of it.
The CEO nodded for him to begin.
Ari stood at the front of the room.
No slides.
No graphics.
Just the report.
“The attack failed,” he said. A few people shifted in their chairs.
“That doesn’t mean we were secure.”
Silence.
He explained the decoy environments, the data traps, the fake command channels. The targeted behavior of the attackers. All in a tone and language the board could understand: money.
However, most of his talk was about something else.
Foundations.
The invisible parts of security. The controls that never made headlines but prevented them. The controls that required investment, maintenance, and sometimes inconvenient decisions.
Ari spoke the way he always did: Direct. Unfiltered. Occasionally irritated.
But clear.
By the time he finished, the room was quiet.
One board member leaned forward.
“So the problem,” he said carefully, “wasn’t that security cost money.”
Ari shook his head.
“The problem,” he said, “is when money gets spent on the wrong things.”
In the weeks that followed, several things changed.
Budgets were adjusted. Not dramatically, but deliberately.
Security investments moved toward the fundamentals.
And the SUW team.
The SOC expanded its capabilities as well. New detection models were built using the indicators the attackers had revealed.
The infrastructure grew stronger. Harder to enter. Even harder to stay inside.
Ari didn’t celebrate any of it. He never did.
One evening, long after most of the building had emptied, he walked past the SOC.
The lights inside were still on. Analysts worked quietly at their stations.
The SUW team had one corner of the room now, their screens filled with new scripts and monitoring dashboards.
Keren noticed him passing by.
“You coming in?” she asked.
Ari glanced at the screens.
“Everything quiet?”
“For now.”
He nodded.
“Good.”
She smiled slightly.
“You know,” she said, “the board actually understood the report.”
Ari paused.
“That’s new.”
Keren laughed.
“They approved the budget changes too.”
Ari looked back at the SOC one more time. All the noise. All the systems. All the people quietly watching the network that connected everything.
Security, he thought, was rarely about heroics.
Most of the time it was about discipline.
Consistency.
And foundations strong enough that attackers simply moved on. Real security comes from the foundations you refuse to weaken, not the tools you buy.
Ari turned toward the exit.
“Good work,” he said.
Then he went home.