COMMENTARY: Real security starts with one question: how would an attacker actually compromise your data?

Most organizations overspend on security tools and underspend on real security intelligence. They deploy six-figure SIEM platforms, staff security operations centers around the clock, and still average 194 days to detect a breach.

The tools are not the problem. The strategy is.

There is a fundamentally different approach that starts with understanding how attackers would actually compromise your environment, then uses that contextualized threat intelligence to build targeted, high-confidence defenses. It costs a fraction of what most enterprises spend on detection, and it works better because every dollar is informed by real intelligence unique to your organization rather than misleading vendor marketing.
Here’s how you can use contextualized threat intelligence to meaningfully strengthen your security posture even when on a restrictive budget.
Commission a threat-informed penetration test
Everything on this list flows from one investment: a genuine penetration test. Not a vulnerability scan repackaged with a fancy report. Not an automated tool running scripted checks or an AI-driven service. A human-driven assessment where skilled testers attempt to compromise your environment the same way a real attacker would, with the same tactics, techniques and procedures.

The output is far more than a list of discovered vulnerabilities. It delivers contextualized threat intelligence specific to your organization. The testers map the Paths to Compromise: the exact chains of weaknesses that lead from initial access to your most sensitive assets. They show which credentials get harvested, which lateral movement routes lead to domain controllers and database servers, and which misconfigurations make the whole chain possible. This is not theoretical risk. It is a demonstrated blueprint of how your organization gets breached.

Expect to invest a minimum of $15,000 for a small organization, and more depending on scope and complexity. If a vendor quotes significantly less, they are selling you a scan masquerading as a penetration test.

That intelligence becomes the foundation for every defensive improvement that follows.
Map your attack paths and prioritize what matters
Most organizations remediate vulnerabilities based on severity scores. A critical Common Vulnerabilities and Exposures (CVE) finding gets patched before a medium one regardless of whether either vulnerability is actually exploitable in context. This is an expensive way to stay busy without getting any safer.
Penetration tests that deliver contextualized threat intelligence change the equation. When you know your actual Paths to Compromise, you can prioritize remediation based on real-world exploitability rather than theoretical severity. A medium-severity vulnerability that sits at a critical pivot point in an attack chain is far more dangerous than a critical-severity vulnerability on an isolated system with no network path to sensitive data.

Take the penetration test report and map each attack path end to end. Identify the pivot points, the dependencies, and the single points of failure in each chain. This map becomes your prioritized remediation plan and your blueprint for the defensive measures that follow. You fix what matters most first, and you stop wasting cycles on vulnerabilities that no attacker would actually use.
Deploy honeypots along real attack paths
Honeypots are inexpensive decoy systems designed to look like legitimate, valuable assets. They have no production function, so no legitimate user or process ever interacts with them. When something touches a honeypot, it is either an attacker, a curious employee, or a misconfiguration. In any of those cases, you need to know about it. This is what makes honeypots fundamentally different from every other detection technology: they produce zero false positives and create no security fatigue.

The intelligence from your penetration test tells you exactly where to place them. If testers discovered that attackers would pivot through a specific subnet to reach your database servers, you place a honeypot in that subnet. If the Path to Compromise runs through a file share with weak permissions, you deploy a honey file. You are not guessing where attackers might go. You know where they will go because skilled testers already took those exact paths.

Open-source honeypot platforms exist, and commercial options cost a fraction of SIEM licensing. Total deployment might run $5,000 to $20,000 depending on environment size. Compare that to a SIEM at $100,000 to $500,000 annually, and the math speaks for itself.
Plant credential canaries where attackers harvest
Credential theft is the engine that drives lateral movement. Attackers compromise one system, harvest stored credentials, and use them to access the next target. Most penetration tests reveal exactly which systems yield the credentials that matter and where those credentials get used.

Credential canaries exploit this behavior. You plant fake accounts, API keys, and password files in the exact locations where your penetration testers harvested real credentials. When an attacker finds and uses one of these canaries, you get an immediate, high-confidence alert. No legitimate user will ever authenticate with a fake account, so every alert is a confirmed indicator of compromise.

This costs almost nothing to implement. A few Active Directory accounts, some strategically placed configuration files with fake API keys, and a monitoring rule that fires when any of them are used. The penetration test tells you where to plant them. The attackers do the rest.
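The monitoring rule described above, as an added example that is not part of the column: a detection that fires whenever a planted canary account or canary API key appears in an authentication or gateway event, run here over constructed sample log lines. The canary names, key values, hostnames and addresses are all placeholders chosen for this example.

```python
import re
from dataclasses import dataclass

# Canary identities planted where the penetration test showed real credentials
# being harvested. Every value in this block is a constructed placeholder.
CANARY_ACCOUNTS = {"svc_backup_legacy", "adm_sqlmaint"}
CANARY_API_KEYS = {"ak_canary_fileshare_0001"}

# Constructed sample events: Windows-style logon records from a SIEM export
# and an API gateway access log. Only the canary events should raise alerts.
SAMPLE_EVENTS = [
    "EventID=4624 Account=jdoe Host=WS-017 Src=10.1.20.15 LogonType=2",
    "EventID=4625 Account=svc_backup_legacy Host=WS-042 Src=10.1.20.88 LogonType=3",
    "EventID=4768 Account=adm_sqlmaint Host=DC-01 Src=10.1.30.7 LogonType=3",
    "EventID=4624 Account=svc_backup Host=SQL-02 Src=10.1.30.9 LogonType=5",
    "gateway src=10.1.20.88 api_key=ak_canary_fileshare_0001 path=/v1/export status=401",
    "gateway src=10.1.10.5 api_key=ak_prod_ingest_7731 path=/v1/ingest status=200",
]

LOGON_RE = re.compile(r"EventID=(?P<eid>\d+) Account=(?P<acct>\S+) Host=(?P<host>\S+) Src=(?P<src>\S+)")
API_RE = re.compile(r"src=(?P<src>\S+) api_key=(?P<key>\S+) path=(?P<path>\S+)")


@dataclass(frozen=True)
class CanaryAlert:
    kind: str        # "account" or "api_key"
    indicator: str   # which canary was touched
    source: str      # address the attempt came from
    detail: str      # event fragment handed to the responder


def check_event(line: str):
    """Return a CanaryAlert if the event uses a planted canary, else None.

    Any use of a canary, successful or failed, is an alert: no legitimate
    process ever authenticates with these identities. Matching is exact set
    membership, so a real account with a similar name (svc_backup) is ignored.
    """
    m = LOGON_RE.search(line)
    if m:
        acct = m.group("acct").lower()
        if acct in CANARY_ACCOUNTS:
            return CanaryAlert("account", acct, m.group("src"),
                               f"EventID {m.group('eid')} on {m.group('host')}")
        return None
    m = API_RE.search(line)
    if m and m.group("key") in CANARY_API_KEYS:
        return CanaryAlert("api_key", m.group("key"), m.group("src"),
                           f"request to {m.group('path')}")
    return None


def scan_events(lines):
    """Run the rule over a batch of events and collect the confirmed alerts."""
    return [a for a in (check_event(l) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[CANARY] {alert.kind} {alert.indicator} from {alert.source}: {alert.detail}")
```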
Validate and harden your network segmentation
Network segmentation is one of the most effective controls in security, and one of the most poorly implemented. Organizations draw segmentation on architecture diagrams, configure firewall rules they believe enforce it, and rarely verify that the segments actually hold up under attack. Even worse, over time exceptions are made to allow traffic to pass from one restricted segment into the next.

A penetration test exposes the gaps. Testers find the firewall rules that are too permissive, the VLANs that bleed into each other, and the legacy systems that bridge segments that were supposed to be isolated. These findings enable you to deploy changes that directly disrupt proven attack paths.

Fixing segmentation issues is largely a configuration exercise. It does not require new hardware or expensive software. Tighten a firewall rule, reconfigure a VLAN, remove a dual-homed system that should not exist. Each fix eliminates or complicates a real lateral movement path that your testers demonstrated. The cost is your team's time. The impact is an attacker who can no longer move freely through your network and gives up.
Harden systems based on real exploit chains
Generic hardening guides tell you to disable unnecessary services, enforce strong passwords, and keep systems patched. That advice is fine as far as it goes, but it treats every system the same regardless of its role in an actual attack.

Contextualized threat intelligence lets you harden with precision. If testers exploited a misconfigured service account to escalate privileges on a database server, you lock down service account permissions on that specific server and audit similar configurations across the environment. If they leveraged a default credential on a network appliance to pivot between segments, you rotate credentials on every appliance in your inventory and disable default accounts.

This is not about running through a compliance checklist. It is about breaking the specific exploit chains that were proven to exist within your environment. Each fix removes a link in a demonstrated attack chain. Stack enough of these fixes, and the attacker's cost to compromise your organization increases dramatically while your spend remains minimal.
Run recurring validation cycles
Defenses degrade. Configurations drift. New systems get deployed without the same hardening standards, and exceptions get made. The segmentation you fixed six months ago may have new holes because someone added a rule to troubleshoot a production issue and never removed it.

Annual threat-led penetration testing refreshes your contextualized threat intelligence and validates that the defenses you built still hold. Each cycle generates updated attack path maps, which inform updated honeypot placement, new credential canary locations, and revised hardening priorities. It is a feedback loop: test, build defenses, validate defenses, repeat.

Organizations that adopt this cycle don’t just get a compliance report once a year. They build a threat-informed security program that continuously adapts to their changing environment and bad actors. A real penetration test is not a checkbox exercise; it’s the engine that enables everything else.
What you can do today for free
The measures above require some investment, but there are immediate, practical steps any organization can take right now at zero or near-zero cost that meaningfully reduce attack surface. None of these replace a genuine penetration test, but they shrink the playing field an attacker has to work with and make the intelligence-driven defenses above even more effective.
Enable host-based firewalls on all endpoints. Windows Firewall and iptables on Linux are built into the operating system. Turning them on and configuring basic rules costs nothing and limits lateral movement between workstations.
Implement a password filter for domain-joined computers. Password filters prevent users from setting weak or commonly breached passwords at the Active Directory level, cutting off one of the easiest attack vectors.
Deploy a password manager organization-wide. Tools like Bitwarden, 1Password, and KeePass eliminate password reuse, which is the single behavior that makes credential stuffing and lateral movement so effective.
Automate security updates. WSUS, the PowerShell Update module via Task Scheduler, or unattended-upgrades on Linux can push security patches automatically. Most RMM tools have this built in. The Apache Struts vulnerability that led to the Equifax breach had a patch available months before the attack.
Enforce account lockout policies via Group Policy. Group Policy is one of the most powerful and underutilized security tools in any Windows environment. A standard lockout policy that locks an account for five minutes after five failed attempts reduces an attacker's throughput from thousands of guesses per second to just 60 per hour, increasing the time required to brute-force a password by a factor of roughly 60,000. This alone renders most online brute-force attacks impractical.
Beyond auto-lockout, the broader Group Policy framework can enforce dozens of additional hardening controls such as password complexity, audit logging, and software restrictions, all at no additional cost.
Remove local admin rights from general users. If a user account gets compromised and it has local admin privileges, the attacker inherits those privileges. Removing local admin from standard users is one of the highest-impact changes you can make at zero cost.
Use separate admin accounts for administrative tasks. Administrators should use a standard user account for daily work like email and web browsing, and a separate privileged, non-shared account only when performing administrative tasks. This limits the impact when a phishing email lands.
Implement basic uptime monitoring. Deploy free monitoring tools for continuous availability visibility. Tools like Uptime Kuma, Nagios, Grafana, and the Elastic Stack provide real-time insight into system and service availability at no licensing cost. This matters because availability is one of the three pillars of the CIA triad (Confidentiality, Integrity, and Availability), making unexpected downtime a security event by definition. More critically, unexplained downtime can be the first observable symptom of an active attack.
Run free vulnerability scans and prioritize intelligently. OpenVAS and Nuclei are free, open-source vulnerability scanners. Pair scan results with CVSS scores, EPSS exploit probability data, and the CISA Known Exploited Vulnerabilities catalog to prioritize what actually matters. This takes more skill to set up, but the tools cost nothing.
Monitor for breached credentials. Services like Have I Been Pwned let you check whether your organization’s credentials have appeared in known data breaches. If your employees’ passwords are already circulating on the dark web, no firewall in the world will keep attackers out.
Do not use company email addresses for third-party accounts. When external services get breached, stolen credential databases are searched by domain. Attackers extract your employees' email and password pairs, then test them against your VPN, Microsoft 365, and other business services, a technique called credential stuffing. Password reuse makes this alarmingly effective. Require employees to use burner or alias emails (SimpleLogin, Firefox Relay) for all third-party signups, keeping your corporate domain out of breach databases entirely.
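The prioritization argued for in the attack-path section and in the vulnerability scanning item above, as an added example that is not the column's own tooling: scanner findings are ordered by whether they sit on a demonstrated Path to Compromise first, then by CISA KEV listing, then EPSS, and only then CVSS, and grouped per attack path so each chain is broken at its pivot. The findings, hosts, scores and path names are constructed placeholders.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    cvss: float             # base severity reported by the scanner
    epss: float             # EPSS probability of exploitation (0.0 to 1.0)
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalog
    on_attack_path: bool    # sits on a Path to Compromise the pen test demonstrated
    attack_path: str = ""   # which demonstrated path it belongs to, if any


# Constructed sample findings; the critical on an isolated host (F-1) is the
# classic case that severity-only triage would fix first.
SAMPLE_FINDINGS = [
    Finding("F-1", "MGMT-DB-03", 9.8, 0.02, False, False),
    Finding("F-2", "FS-01", 5.3, 0.04, False, True, "web -> fileshare -> DC"),
    Finding("F-3", "VPN-GW", 7.5, 0.88, True, False),
    Finding("F-4", "WS-017", 3.1, 0.001, False, False),
    Finding("F-5", "WEB-01", 8.1, 0.30, True, True, "web -> fileshare -> DC"),
]


def priority_key(f: Finding):
    """Context beats severity: attack-path position, then KEV, then EPSS, then CVSS."""
    return (f.on_attack_path, f.in_kev, f.epss, f.cvss)


def prioritize(findings):
    """Return findings in the order they should be remediated."""
    return sorted(findings, key=priority_key, reverse=True)


def remediation_plan(findings):
    """Group prioritized finding ids by attack path; off-path items go under 'unmapped'."""
    plan = defaultdict(list)
    for f in prioritize(findings):
        plan[f.attack_path or "unmapped"].append(f.finding_id)
    return dict(plan)


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.host:10} cvss={f.cvss} epss={f.epss} kev={f.in_kev} "
              f"path={f.attack_path or '-'}")
    print(remediation_plan(SAMPLE_FINDINGS))
```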
Every one of these measures is free or nearly free. Combined with the intelligence-driven defenses above, they create a security posture that most organizations spend hundreds of thousands of dollars trying to achieve with enterprise tools alone.
The bigger picture
These seven measures share a common thread: they all start with contextualized threat intelligence about how your organization actually gets compromised. A genuine, threat-led penetration test produces that contextualized threat intelligence. Everything that follows, the honeypots, the credential canaries, the segmentation fixes, the targeted hardening, and the validation cycles, is built on that foundation.

Consider what this approach would have meant for Equifax. In 2017, attackers exploited an unpatched Apache Struts vulnerability to breach a single web server. That initial compromise was damaging, but it was not the catastrophe. The catastrophe was what happened next. Attackers moved laterally through the network for 76 days, accessing database after database, ultimately exfiltrating the personal records of 147 million people. No honeypot tripped. No credential canary fired. No segmentation boundary stopped them. The organization had no contextualized threat intelligence about how an attacker would move from that web server to those databases, so it had no threat-informed defenses waiting along the path.

If Equifax had commissioned a genuine penetration test that mapped the Paths to Compromise from that internet-facing server to the databases holding consumer data, and then deployed the defenses on this list along those paths, the Apache Struts server would still have been breached. No defense prevents every initial compromise. But the moment the attacker attempted to pivot laterally, they would have hit a honeypot, tripped a credential canary, or been blocked by segmentation that was validated against exactly that movement pattern. The breach would have been detected in hours, not months. The damage would have been a single compromised server, not 147 million stolen records and $1.4 billion in costs.

The total investment for all seven is a fraction of what most organizations spend on a single enterprise security platform. The difference is that every dollar is driven by threat intelligence specific to your environment instead of generic best practices or vendor feature lists.

Attackers follow the paths of least resistance. A genuine penetration test will map those paths. The defenses on this list turn them into tripwires and dead ends. When, not if, an attacker breaks into your network and hits a honeypot, trips a credential canary, or slams into a segmentation boundary that was not there six months ago, you will know immediately and with certainty. That is the kind of security posture that expensive tools promise but intelligence-driven defenses actually deliver.
Adriel Desautels is a cybersecurity innovator with over 20 years of experience in security research and adversarial emulation. He founded Netragard in 2006, specializing in Red Teaming and advanced threat assessments. Adriel previously pioneered the zero-day Exploit Acquisition Program and led the influential SNOsoft Research Team, which helped establish industry standards for responsible vulnerability disclosure. His insights on advanced persistent threats, cybercrime (including the evolution of ransomware), and AI security implications have been featured in Forbes, The Economist, Bloomberg, and other major outlets. He is a sought-after speaker and has served as an expert witness in cybersecurity cases.