Attack Surface
The statistics of holding the line — how often a well-run network actually gets breached, and why.
- Traffic flows internet → perimeter (SSL-VPN, Office 365, SMTP) → endpoints
- Defender AV, EDR, Conditional Access and patch cadence stop the vast majority
- A probabilistic Fortinet SSL-VPN CVE model — 0-day targeting vs. n-day patch race
- Tune your average time-to-patch, internet exposure and target profile
Phishing & Identity
Eight years of the inbox arms race — from stolen passwords to token theft, and the controls that keep up.
- The background roar of email defence — Defender for O365 filters the flood; a trickle lands
- Office 365 / Entra ID with Conditional Access, MFA, or phishing-resistant passkeys
- Techniques evolve year on year: credential harvest → MFA fatigue → AiTM token theft
- See exactly where MFA stops being enough — and why passkeys don't
WordPress Server
One box on the internet — what a real WordPress compromise looks like, surface by surface.
- The relentless background noise: bot scans, wp-login brute force, plugin probing
- Real core & plugin CVEs 2018→2024 — RCE, auth bypass, SQL injection, DoS
- Accidentally exposed MySQL :3306 and open directories leak the keys to the kingdom
- Rare but massive DDoS — and the WAF / auto-update / 2FA controls that hold the line
Ransomware Kill Chain
The bad night — a hands-on-keyboard intrusion from VPN login to domain & hypervisor ransom.
- Everything in Attack Surface, plus the internal estate: DC, backup, vCenter, ESXi
- A no-MFA VPN login (brute force or CVE) escalates into a 15-stage intrusion
- Every step tagged to MITRE ATT&CK, over a compressed "five hours"
- Run it scripted (worst case) or probabilistic — your controls get a chance to contain it
Rhysida Intrusion
Follow one organisation's ransomware attack, stage by stage, over eight hours.
- A real Rhysida kill chain mapped to MITRE ATT&CK — 24 stages across all 12 tactics
- From a no-MFA VPN login through Zerologon, ntds.dit and exfil to domain-wide encryption
- Step through it stage by stage, or watch the 8-hour timeline play out
- Every step shows the technique ID, the actual tooling, and what's happening
UK Threat Map
Zoom out — 300 organisations on a live map of Britain, and the attack waves that sweep them.
- 300 orgs, each with a realistic exposure profile: M365, WordPress, Moodle, Citrix, Horizon, RDP, VPN
- Only some expose SSL-VPN or a management interface — and those are the ones that get hit
- Real campaigns sweep the map: Fortinet SSL-VPN, Citrix Shitrix & CitrixBleed, Log4Shell → Horizon, BlueKeep
- Set the national security posture — hardening, monitoring, MFA, patching, WAF — and watch the breach and ransomware counts move