The Perverse Mathematics of Detection-and-Response
Detection is deterrent only to adversaries without time, intelligence, and capital — and today's adversaries have all three.
The industry consensus, crystallised across a thousand vendor datasheets and compliance frameworks, rests on a comfortable myth: that better sensors, faster response times, and smarter correlation rules will eventually create a security posture worthy of the name. NIST CSF, SANS 18-Point Critical Controls, ISO 27001 Annex A, DORA operational resilience requirements, NIS2 organisational measures — all assume that breaches are detectable, and that detection at sufficient speed permits remediation before meaningful harm. This assumption has been falsified repeatedly, across billions in annual compliance spend, and the industry has responded by making the same assumption louder.
The mathematics tell a different story. Dwell time — the interval between initial compromise and discovery — remains stubbornly resistant to improvement. Mandiant's 2024 report placed median dwell time at 19 days, with elite threat actors (nation states, sophisticated criminal syndicates) routinely operating undetected for months. The Snowflake tenant cascade of 2024, where compromised credentials from one customer enabled lateral movement across the entire platform, demonstrated that even organisations with mature SOC operations cannot detect abuse of legitimate authentication tokens once an attacker has obtained them. The MOVEit zero-day vulnerability (CVE-2023-34362) was being actively exploited in March 2023 before Ivanti shipped a patch in June; organisations running detection-only stacks watched their file transfer logs for seven weeks whilst attackers extracted terabytes of data unobserved. The Change Healthcare ransomware attack in February 2024, which crippled US prescription processing for weeks, succeeded not because the attacker's tooling was exotic, but because the attack surface itself — legacy systems, privileged access that could not be revoked once issued, no encryption of data in motion or at rest — made detection irrelevant; by the time the compromise was detected, the data had left the building and the entire payment infrastructure had been encrypted.
This is not an argument against detection. It is an argument that detection is a contingency, not a primary defence. The primary defence must be architectural: the attacker must be prevented from arriving at the asset in the first place, and if arrival cannot be prevented, the asset itself must be designed such that its compromise yields no usable tactical advantage to the attacker.
The industry's response to each of these failures has been to propose better detection: more SIEM rules, higher-fidelity endpoint telemetry, threat intelligence enrichment, YARA rules, Sigma detection logic, SOAR orchestration to close the time-to-response gap. CrowdStrike's Falcon Index processed 300+ billion security events daily as of 2023. Organisations with mature detection stacks now routinely generate five figures of daily alerts; alert fatigue has become so endemic that the Security Incident Response Forum publishes annual guidance on "tuning" SIEM rules to raise their signal-to-noise ratio. This is not progress — it is a confession that the approach itself has reached its architectural ceiling.
The Structural Vulnerability: Breach-Tolerant Design
The post-2020 security model, consolidating around "assume breach" doctrine, codified a catastrophic architectural error: it made breach tolerable and detection the entire defensive burden.
The Synnovis hack of June 2024, which paralysed pathology services across NHS trusts in London, illustrates this precisely. Synnovis ran a systems integration company — custodian of patient records, test ordering systems, and results verification for multiple hospitals. The attacker (LockBit affiliate), having obtained initial access through an unpatched vulnerability or weak credential, encrypted Synnovis's file stores and backups. Because Synnovis had invested in detection (Sentinel, Azure Defender, Windows Defender) but not in architectural separation of data and control, the attacker could move freely between systems once initial access was achieved. Because backups were stored on the same logical network with insufficient isolation, encryption of primary systems meant encryption of backups. Because the organisation ran on a monolithic Active Directory estate with shallow trust boundaries, a single compromised service account enabled movement across the entire infrastructure. The breach itself — credential compromise — was both inevitable and undetectable until the attacker chose to reveal themselves by encrypting files.
This is the core failure: the industry has designed systems that permit an attacker who reaches the interior to command the entire estate. The response has been to layer detection tools — better logging, more alert rules, threat hunting — around this fundamentally dangerous architecture. We have not engineered the breach surface out; we have merely hired more people to watch for the moment the attack succeeds.
The Scattered Spider operation against M&S in January 2025 followed the same pattern: initial access through credential theft or supply-chain compromise, lateral movement within a flat network, privilege escalation through permissive Group Policy, data exfiltration. M&S detected the breach only after the attacker had staged data for exfiltration and had begun the extraction phase itself — weeks after initial compromise. Detection is not prevention; it is announcement.
Post-Breach Resistance: Architectural Principles
Post-breach resistance is not "assume breach and detect faster". It is: assume breach and render breach worthless.
This requires five structural changes, none of which can be layered onto an existing estate without foundational redesign.
Zero-Knowledge Substrate
The attacker's objective is data or control. If data does not exist at the point of compromise — if what is stored is encrypted, sharded, or structured such that no single compromise yields the plaintext — then compromise is valueless. This is not perimeter encryption (cryptographic theatre at layer 7) nor TDE (transparent database encryption, which yields to privileged process access). This is substrate-level encryption of all data at rest, with cryptographic keys that cannot be accessed by the compute layer that processes the data, and cannot be held by any single system or administrator.
This architecture is mathematically familiar — it underlies multi-party computation, secret sharing schemes (Shamir's Secret Sharing, VSS), and modern zero-knowledge proof systems. Applied to infrastructure, it means: a data layer that holds ciphertext, a compute layer that cannot decrypt, and a thin key management layer that applies decryption only at the moment of legitimate request and never holds the plaintext within the compute estate. An attacker who compromises the compute layer finds no usable data. An attacker who compromises the data layer finds no keys. An attacker who compromises the key management layer cannot extract keys without leaving forensic trace and cannot use extracted keys without triggering anomaly detection (since legitimate requests follow predictable patterns and cryptographic material that leaves the system architecture is unrecoverable in the field).
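A worked illustration of the secret-sharing half of this design, added here and not taken from the article: a data-encryption key is split with Shamir's scheme so that any three of five key-management custodians can reconstruct it, while any two learn nothing. The field prime, the share counts and the sample key are constructed for the example.

```python
# Added example: Shamir secret sharing of a data-encryption key (DEK) across
# five key-management custodians with a threshold of three. No single host or
# administrator ever holds the whole key. Parameters are constructed for the demo.
import secrets

P = (1 << 127) - 1  # Mersenne prime; all arithmetic is in GF(P), so secret < P


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Evaluate a random degree-(threshold-1) polynomial with f(0)=secret at
    x = 1..shares. Any `threshold` points determine f, and hence the secret."""
    if not 0 < threshold <= shares or not 0 <= secret < P:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x=0. Fewer than `threshold` points interpolate a
    different polynomial, so the result is uniformly random: it reveals nothing."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total


def demo() -> tuple[bool, bool]:
    """Returns (three custodians recover the DEK, two custodians recover the DEK)."""
    dek = int.from_bytes(secrets.token_bytes(15), "big")  # constructed 120-bit DEK
    shares = split_secret(dek, threshold=3, shares=5)
    custodians_a_c_e = [shares[0], shares[2], shares[4]]
    return recover_secret(custodians_a_c_e) == dek, recover_secret(shares[:2]) == dek
```

The compute layer in this design would hold only ciphertext; the shares live with separate custodians, and the reconstructed key exists only transiently inside the key-management layer at the moment of a legitimate request.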
Data-Plane and Control-Plane Separation
Current infrastructure typically runs as a monolith: data processing, privilege escalation, audit logging, backup orchestration, and user authentication all operate within the same logical system. If you compromise one, you compromise all. This is not a bug; it is the result of decades of treating security as a feature layered onto application architecture rather than as a fundamental structural constraint.
Post-breach-resistant infrastructure requires strict separation: a data plane that processes information and cannot issue commands outside its scope; a control plane that manages configuration, authentication, privilege, and policy, but cannot access the data plane except through cryptographically signed requests; and an audit plane that records all inter-plane interactions and can be queried only through time-locked, immutable append-only logs.
An attacker who compromises the data plane cannot escalate privilege, cannot change credentials, cannot modify backups, cannot reconfigure systems. An attacker who compromises the control plane cannot read data. An attacker who compromises the audit plane cannot erase history (because audit must be written to systems that cannot be modified by the system being audited).
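The three-plane boundary described above, as an added example that is not part of the article: the control plane signs requests, the data plane accepts only validly signed requests within its declared scope, and the audit plane records every decision in a hash-chained append-only log. The plane names, the scope set and the sample operations are assumptions for the demo, and an HMAC under a verification-only key stands in for the asymmetric signature a production design would use.

```python
# Added example (not from the article): the control plane signs requests, the data
# plane verifies them and refuses any operation outside its scope, and the audit
# plane keeps a hash-chained append-only log. HMAC stands in for a real signature.
import hashlib, hmac, json

DATA_PLANE_SCOPE = {"read_record", "write_record"}  # constructed scope

def canonical(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

class ControlPlane:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
    def issue(self, op: str, target: str) -> dict:
        body = {"op": op, "target": target}
        return {**body, "sig": mac(self._key, body)}

class AuditPlane:
    # Each entry commits to the previous entry's hash: nothing can be altered
    # or dropped without breaking the chain.
    def __init__(self):
        self.entries, self.head = [], "0" * 64
    def append(self, event: dict) -> None:
        entry = {"prev": self.head, **event}
        self.entries.append(entry)
        self.head = hashlib.sha256(canonical(entry)).hexdigest()
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = hashlib.sha256(canonical(entry)).hexdigest()
        return prev == self.head

class DataPlane:
    def __init__(self, verify_key: bytes, audit: AuditPlane):
        self._key, self._audit = verify_key, audit
    def handle(self, req: dict) -> str:
        body = {k: v for k, v in req.items() if k != "sig"}
        if not hmac.compare_digest(mac(self._key, body), str(req.get("sig", ""))):
            outcome = "rejected:bad-signature"   # forged or tampered request
        elif body.get("op") not in DATA_PLANE_SCOPE:
            outcome = "rejected:out-of-scope"    # e.g. privilege or config change
        else:
            outcome = "ok"
        self._audit.append({**body, "outcome": outcome})
        return outcome
```

In a deployment the audit head hash is also published to a system the audited estate cannot write to, so that rewriting the whole chain is detectable as well.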
This architecture is not novel — it underpins UNIX privilege separation, microkernel operating systems, and blockchain consensus mechanisms. Applied to enterprise infrastructure, it requires fundamental redesign of how systems communicate, how privilege is granted, and how policy is enforced. It cannot be retrofitted; it must be engineered into the substrate.
Continuous Adversarial Posture Drift
A system that remains unchanged is a system whose vulnerabilities remain unchanged. The industry responds to this with patch management, vulnerability scanning, and penetration testing — all reactive, all dependent on the attacker revealing themselves or on the defensive team anticipating the attack. Post-breach resistance requires continuous, domain-specific mutation of the system itself.
Consider how an operating system kernel might continuously permute its memory layout (address space layout randomisation — ASLR) and system call interfaces. Consider how a network might randomise internal routing, encryption keys, authentication credentials, and service locations on a schedule measured in minutes or seconds, not months. An attacker who performs reconnaissance and plans an attack based on discovered network topology finds that topology has changed by the time the attack is launched. An attacker who obtains a credential finds it revoked within seconds. An attacker who obtains an encryption key finds it rotated and the old key destroyed.
This requires automation and domain-specific primitives — not SIEM rules (which are reactive), but infrastructure configuration engines that apply policy to the entire estate, cryptographic systems that operate at hardware speed, and orchestration that permits state change without manual intervention or administrative bottleneck. It requires accepting that the human operator cannot keep pace with this mutation; the system must mutate itself, and the operator must understand the policy that drives mutation, not the state of the system at any given moment.
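How a rotation schedule measured in seconds plays out for a stolen credential, as an added example that is not from the article: the issuer replaces its key every `rotation_seconds` and drops the old key rather than archiving it, so a token captured in one epoch fails verification in the next. The class and method names are assumptions for the demo, and the clock is injected so the schedule can be driven deterministically.

```python
# Added example (not from the article): credentials bound to a key epoch that
# rotates on a fixed schedule. Rotation discards the previous key instead of
# archiving it, so a token captured in one epoch is dead in the next. The clock
# is injected so the schedule can be driven deterministically.
import hashlib, hmac, secrets

class RotatingCredentialService:
    def __init__(self, rotation_seconds: float, now):
        self._interval, self._now = rotation_seconds, now
        self._epoch, self._key = 0, secrets.token_bytes(32)
        self._rotated_at = now()

    def _rotate_if_due(self) -> None:
        # Catch up on every rotation the schedule owes; each one overwrites
        # the key in place, so there is nothing to recover from an old epoch.
        while self._now() - self._rotated_at >= self._interval:
            self._key = secrets.token_bytes(32)
            self._epoch += 1
            self._rotated_at += self._interval

    def _tag(self, epoch: int, subject: str) -> str:
        msg = f"{epoch}:{subject}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, subject: str) -> str:
        self._rotate_if_due()
        return f"{self._epoch}:{subject}:{self._tag(self._epoch, subject)}"

    def verify(self, token: str) -> bool:
        self._rotate_if_due()
        try:
            epoch, subject, tag = token.split(":")
            epoch = int(epoch)
        except ValueError:
            return False
        if epoch != self._epoch:
            return False  # issued under a key that no longer exists
        return hmac.compare_digest(self._tag(epoch, subject), tag)

    def current_epoch(self) -> int:
        self._rotate_if_due()
        return self._epoch
```

The operational consequence the passage describes follows directly: callers must obtain a fresh credential each epoch, which is only workable when issuance is automated rather than routed through an administrator.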
Domain-Specific Primitives, Not Generic Tools
The industry's approach — EDR agents, SIEM platforms, DLP solutions, SOAR orchestration — treats security as a generic layering problem. An EDR collects events from endpoints. A SIEM correlates events across the estate. A DLP applies policy to data in motion. A SOAR executes response playbooks. Each solves a general problem; none is engineered for the specific risks of your domain.
A financial services organisation's primary risk is not malware; it is unauthorised transaction issuance, credential compromise enabling payment diversion, and data extraction enabling fraud. The primitives must be: cryptographic controls that prevent transaction issuance without multi-party authorisation; real-time ledger verification that detects divergence between stated position and cryptographic proof of position; and data structures (append-only logs, Merkle trees, cryptographic commitments) that make data extraction detectable and traceable.
A healthcare organisation's primary risk is data breach enabling medical fraud and identity theft. The primitives must be: patient record encryption with keys held by the patient, not the organisation; audit structures that detect queries outside expected parameters; and network isolation such that systems holding patient records cannot reach external networks.
An energy or critical infrastructure organisation's primary risk is operational technology compromise enabling physical harm. The primitives must be: cryptographic signatures on all control commands (supervisory control and data acquisition — SCADA — systems that cannot be modified without cryptographic proof); state machines that revert invalid state transitions; and network architecture that enforces directionality (commands flow downward, telemetry upward, but never cross-plane).
Each domain requires re-architecture. The generic tools cannot address domain-specific risks; they can only delay detection of failure.
The Regulator's Dilemma
Regulators face a structural problem: they cannot mandate architecture (that would be technology prescription), but they can mandate outcome. DORA (EU Digital Operational Resilience Act) requires "absence of incidents with significant impact" without specifying how to achieve it. NIS2 requires "cybersecurity risk management" without constraining approach. MAS TRM (Singapore Monetary Authority Transaction Risk Management guidelines) require financial institutions to "maintain security commensurate with the criticality of systems" without defining sufficient security. The FCA's Senior Managers and Certification Regime requires individual accountability for operational risk but permits latitude in how risk is managed. SEC rules require breach disclosure within 4 days of discovery (Modernised Infrastructure for Secured Transaction — M.I.S.T.), not prevention.
These frameworks incentivise compliance theatre: organisations purchase detection tools, run vulnerability scans, conduct penetration tests, and generate annual attestations. They do not incentivise architectural change, because architectural change is expensive, slow, and requires saying "no" to business demands for rapid feature deployment.
The most recent incidents — M&S Scattered Spider, Synnovis LockBit, Change Healthcare ransomware — have occurred within regulatory perimeters (retail, healthcare, payments infrastructure). The attackers did not evade the regulators; they evaded the technical defences that were supposed to be in place. The regulators' response has been to increase the reporting burden (4-day disclosure rule) and to demand more technical measures (DORA's four layers of security requirements), not to mandate architectural change.
Architectural change will come only from organisations that refuse to accept the perverse economics of detection-and-response, that recognise breach as inevitable, and that engineer their systems such that breach yields no value.
---
Organisations seeking a technical briefing on post-breach-resistant architecture and domain-specific security primitives should contact PULSE under executed Mutual NDA to discuss your operational environment and regulatory constraints.
PULSE engages only with verified counterparties. Strategic briefing material — reference architecture, regulatory mapping, deployment topology — is released after counter-execution of the NDA scoped to the recipient's evaluation purpose.