Trial by Fire: Why Incident Response Depends on Structure, Not Speed
- Binalyze observes that the attackers’ advantage in a complex environment isn't technical brilliance; it's camouflage.
- Maturity in incident response isn't about headcount; it's about the ability to execute under maximum stress.
- Incident action plans should exist before a breach hits, not be drafted mid-crisis while the team is still figuring out who's in charge.
- Sult believes the pace of modern investigations demands tools built for the age organizations are entering, not leaving behind.
- Defenders need a greater degree of expertise to identify and respond to the threat than the attacker needs to establish it.
Lee Sult, Chief Investigator at Binalyze, argues that incident response failures rarely begin with a lack of tools; they begin when teams lose discipline under pressure.
Complexity creates the opening, allowing attackers to rely on simple paths such as malicious links, reused passwords, and weak MFA because those gaps are harder to close and easier to hide inside modern enterprise environments.
It takes years to establish the tool stacks, data pipelines, and relationships that incident response teams rely on during a crisis.
A growing concern is the gap between the expertise attackers need to gain access and the expertise defenders need to identify and stop them.
What matters most is not today's capabilities, but the version two years from now, when tools that are currently expensive and tightly controlled could become affordable, accessible, and available to people with little or no formal training.
Vishwa: What operational actions should organizations take immediately after discovering an intrusion?
Lee: The first question you need to ask is: Is the fire still burning?
Incident response operates in two very different modes depending on the answer. An active intrusion is the digital equivalent of a structure fire:
- Your priority is containment, not investigation.
- You move fast, you limit the blast radius, and you cut off the attacker's oxygen.
- Every minute of delay is more damage, more lateral movement, more data walking out the door.
Once the fire is out, the playbook changes entirely. Now the emphasis shifts to evidence preservation and impact measurement.
Rushing to "clean up" a post-incident environment before documenting it is one of the most common and costly mistakes organizations make; you destroy the forensic record you need to understand what actually happened.
Speed matters in both phases, but what you're being fast about is fundamentally different.
Vishwa: Under what circumstances do investigations usually break down?
Lee: Most investigations break down not because of a lack of tools, but because of a lack of discipline around the Core Four — the four questions every team must answer in sequence during an active cyber incident:
- Does the attacker still have access to the environment?
- Which systems are affected?
- How did the attacker get in?
- What data is at risk?
When teams skip ahead to question three before fully answering question one, they are conducting an investigation while the attacker is still in the building.
When they jump to question four before mapping affected systems, they are measuring the wrong thing.
The Core Four aren't just a checklist — they are a forcing function for prioritization under pressure. Investigations collapse when teams lose that thread.
Vishwa: You’ve led intrusion investigations alongside federal law enforcement and Fortune 50 incident response teams. How does incident response at that level differ from most organizations?
Lee: The single biggest differentiator at that level is structure under pressure.
Elite organizations operate from frameworks built on FEMA's National Incident Management System (NIMS) and Incident Command System (ICS), the same emergency management architecture used by first responders at mass-casualty events.
That means:
- Clearly defined command hierarchies,
- Unified communications,
- Pre-assigned roles, and
- Incident Action Plans that don't have to be invented in the middle of a crisis.
When the breach hits, nobody is figuring out who's in charge because everyone already knows.
Most organizations, by contrast, are improvising. They have talented people, but no pre-built command structure to absorb the shock of a major incident. That gap, the one between having skilled individuals and having a disciplined system, is where cyber incidents fall apart at scale.
Maturity in incident response isn't about headcount or tooling. It's about the ability to execute a process under conditions of maximum stress and minimum information.
Vishwa: On building teams for investigators, by investigators, how does this team differ from others?
Lee: We build around three DFIR archetypes that we see repeatedly across the industry, and we've deliberately recruited each of them:
The Smoke Jumper (formerly: the Consulting Investigator or MSSP): These are the Mandiant alumni.
- They drop into burning environments with minimal context, limited familiarity with the terrain, and a mandate to contain the damage.
- Like wildland firefighters who jump from aircraft into an active fire, they operate on speed, pattern recognition, and battle-tested instinct.
The DFIR Product Builder: This archetype has lived inside a smoke-jumping IR team or an enterprise security function and then channeled those operational workflows into products that other investigators can use.
- Think Palantir's forward-deployed engineering model applied to forensics; building tools shaped by the people who will actually use them.
The Internal Incident Manager: This person has owned an enterprise incident response program at a large multinational, navigating legal, communications, regulatory, and technical tracks simultaneously.
- They understand what it takes to mature a program over the years and steer it through organizational complexity.
We've drawn from all three archetypes. Our mission is to democratize enterprise-grade IR — building capabilities that meet Mandiant and Palantir-caliber standards but are usable by investigators everywhere, not just at the organizations that can afford teams of that size.
Vishwa: From your experience handling intrusions, how are attackers becoming stealthier when targeting enterprises?
Lee: In well-fortified environments, the most reliable attack paths aren't sophisticated; they're simple.
- A user clicks a malicious link.
- Passwords are manually synchronized across SaaS platforms and internal tools.
- MFA is absent or inconsistently enforced.
These are not advanced techniques; they are entry points that remain open because the complexity of modern enterprise environments makes them hard to close and easy to hide within.
The attacker's advantage in a complex environment isn't technical brilliance; it's camouflage. Large organizations generate enormous amounts of telemetry, and the signal-to-noise problem is severe.
An attacker who gains access through a stolen credential or a phishing lure doesn't need to be sophisticated. They just need to move quietly through an environment where defenders are already overwhelmed by volume.
That's a tooling and proceduralization problem, not a human failure problem, and it's one we take seriously.
Vishwa: As one of the people who helped shape Palantir’s forward-deployed security model, what does it look like when security technology is built alongside operators instead of separately from them?
Lee: The big part here is working with our product team to make sure our platform integrates with a customer’s existing workflow rather than making our fellow investigators adapt to workflows that we think are the “best”.
It takes years to establish tool stacks, data pipelines, and relationships in IR; our mission is to amplify that existing hard work, not start from scratch.
Vishwa: Across enterprise intrusions and crisis-level incidents, what usually helped attackers in environments that appeared well-fortified?
Lee: Humans clicking on things, manual password synchronization across SaaS platforms and internal tools, lack of MFA. There are a few more, but it boils down to attackers taking advantage of complex environments where it’s easier to hide in the noise.
Vishwa: What are your thoughts on attacker sophistication versus the complexity of enterprise environments?
Lee: This one is straightforward: the more complex the environment, the less skilled the attacker needs to be to get in.
Environmental complexity degrades visibility. When defenders can't see clearly, the bar for initial access drops dramatically. A moderately capable attacker in a complex, noisy environment can achieve what would require elite skills in a well-instrumented one.
That said, initial access is only the first problem. After gaining a foothold, doing something meaningful with it — executing objectives, moving laterally, exfiltrating data without triggering detection — probably does require significant skill.
And here's the asymmetry that keeps me up at night: defenders need an equivalent or greater degree of expertise to identify and respond to the threat than the attacker needed to establish it. That gap is what Mythos is affecting dramatically, but in the wrong direction.
Claude Mythos, Anthropic's frontier AI model, can now autonomously chain vulnerabilities, execute multi-stage attacks, and compress what once took elite operators weeks into hours.
I read that the UK's AI Security Institute found it succeeds on expert-level cyber tasks 73% of the time, tasks no model could complete before 2025. Mythos doesn't scare me in its current form.
It's restricted, it's expensive, and access is tightly controlled through Project Glasswing. What concerns me is the version two years from now; if or when that capability is affordable, accessible, and in the hands of someone with no formal training. That's not a nation-state weapon anymore. That's a weapon anyone can pick up at the corner store.
The answer isn't panic. It's proceduralization and speed. Investigations need to move at machine speed, and that requires tools built for the age we're now in, not tools built in the age we came from. That's the work we're doing at Binalyze with Fleet, our AI-native investigation platform.