Monthly Archives: April 2026

Cyber Risk Is Enterprise Value Risk : A Practical Portfolio Approach for VC and PE Firms

Posted on by
Reply

For venture capital and private equity executives, cyber security is no longer just an IT issue. It is a valuation issue, a governance issue, a revenue issue, and a portfolio resilience issue.

GenSec

There was a time when cyber security could be treated as a technical matter.

It lived with the IT team. It showed up in diligence as a paragraph buried deep in a report. It became important only when a customer asked a hard question, a regulator came knocking, or something on the network caught fire.

That time is over.

For venture capital and private equity firms, cyber risk has become enterprise value risk. It affects valuation. It affects revenue quality. It affects debt, insurance, customer trust, regulatory posture, exit readiness, and the ability of management teams to execute without being pulled into avoidable chaos.

More importantly, cyber risk is no longer limited to the portfolio company.

The investment firm itself is a high-value target.

Deal flow, confidential financials, legal strategy, investment committee material, banking relationships, limited partner communications, M&A plans, board materials, and executive correspondence all create a concentration of sensitive information. Attackers understand this. So do regulators, insurers, strategic buyers, enterprise customers, and increasingly, boards.

The uncomfortable truth is this:

Many investment firms still manage cyber risk as a fragmented collection of one-off assessments, inconsistent vendor reports, annual questionnaires, and “we’ll fix it after close” assumptions.

That approach does not scale. It does not give partners a clear view of exposure. It does not give operating teams a consistent way to prioritize improvement. And it certainly does not create the kind of defensible evidence that boards, buyers, customers, and limited partners expect when the questions get serious.

MicroSolved’s value proposition for VC and PE firms is simple:

Help reduce cyber risk, protect enterprise value, and improve portfolio resilience through practical, expert-led security assurance that scales from the fund to the portfolio.

That sounds like a mouthful, so let’s unpack it.

The Investment Firm Has Its Own Attack Surface

Before we talk about portfolio-wide programs, we should start with the firm itself.

VC and PE firms are not just financial organizations. They are information aggregators. They hold the kind of information that criminals, competitors, and nation-state actors would love to access.

They know what companies are raising.

They know what deals are active.

They know which assets are under pressure.

They know who is negotiating, who is selling, who is buying, and what the numbers look like.

Yet many firms are intentionally lean. They are not built to operate large internal security organizations. Partners, associates, operating partners, finance teams, and administrative staff often work across a mix of cloud platforms, personal devices, travel networks, collaboration tools, mobile apps, outsourced IT providers, and boutique SaaS platforms.

That operating model is fast, flexible, and relationship-driven.

It is also exposed.

MicroSolved helps investment firms build a defensible cyber risk posture without forcing them to become something they are not. That means assessing the firm’s own controls, validating external exposure, reviewing identity and access practices, examining cloud and collaboration platforms, testing incident response readiness, and helping leadership understand the firm’s risk in plain business language.

This matters because a fund-level incident is not just an IT problem.

It can become:

A reputation problem.
An LP confidence problem.
A deal execution problem.
A legal problem.
A wire fraud problem.
A board problem.

A compromised partner mailbox can expose negotiations. A breached data room can affect a transaction. A stolen credential can open the door to payment fraud. A weak vendor can become an unexpected path into sensitive firm operations.

Security at the firm level is not about buying every tool on the market.

It is about understanding the handful of places where the firm is most exposed and tightening them before someone else finds them first.

Cyber Diligence Should Find Risk Before It Becomes Yours

Most investment professionals are comfortable with financial diligence, legal diligence, market diligence, and operational diligence.

Cyber diligence, however, is still too often treated as optional, late-stage, or highly variable.

That is a mistake.

Cyber risk can hide in the places that matter most to valuation: revenue concentration, enterprise customer expectations, intellectual property protection, regulatory obligations, cloud architecture, software development practices, third-party dependencies, identity management, backup resilience, and the ability to recover from an incident.

For a growth-stage SaaS company, weak security practices may slow enterprise sales.

For a healthcare platform, poor controls may create regulatory and contractual exposure.

For a manufacturer, a ransomware event may interrupt production and cash flow.

For a fintech company, a weak security posture may directly threaten trust, licensing, and partnership opportunities.

For a portfolio company preparing for exit, missing security evidence can create friction with strategic buyers, delay close, or create downward pressure during negotiations.

Cyber diligence does not need to become a months-long science project.

It does need to be real.

MicroSolved can help firms evaluate cyber risk before investment by performing focused, risk-based assessments designed for transaction timelines. The goal is not to create a theoretical perfect score. The goal is to answer the questions that matter to investors:

What are we buying?
Where is the company most exposed?
Could this risk affect revenue, operations, valuation, or exit?
What must be fixed immediately?
What can be handled in the post-close value creation plan?
What evidence exists to support management’s claims?

That kind of diligence creates leverage.

It gives deal teams a more complete understanding of risk. It gives operating partners a practical roadmap. It gives the board something more useful than a red-yellow-green slide. And, in some cases, it may reveal that the cyber risk is not priced into the deal.

That is exactly the point.

Portfolio-Wide Visibility Beats One-Off Firefighting

The biggest challenge for VC and PE firms is not that they have one company with cyber risk.

It is that they have many companies with different levels of maturity, different technologies, different budgets, different customer expectations, and different leadership attitudes toward security.

One company may have a mature security program and a capable CISO.

Another may have a lean engineering team and no dedicated security staff.

Another may have inherited technical debt from acquisitions.

Another may be racing to satisfy customer security questionnaires while quietly hoping no one asks for proof.

Another may have cyber insurance requirements it barely understands.

Without a standardized approach, portfolio cyber risk becomes anecdotal. The loudest incident gets attention. The squeakiest management team gets help. The companies closest to exit get a scramble of activity. Meanwhile, the rest of the portfolio may remain largely invisible.

That is not a strategy.

It is a reaction pattern.

MicroSolved helps firms implement a blanket approach across the portfolio. That does not mean every company receives the same checklist or the same controls regardless of size, sector, or risk.

It means the firm creates:

A consistent language.
A repeatable assessment model.
A practical way to compare cyber risk across companies.
A method to prioritize remediation based on business impact.

That consistency is powerful.

It allows investors and operating partners to see where risk is concentrated. It helps identify which companies need immediate remediation, which ones need strategic security leadership, which ones are ready for deeper technical testing, and which ones simply need practical policy, process, and evidence building.

A portfolio-wide approach also helps management teams.

Instead of being left to interpret vague investor concern, they receive specific findings, prioritized actions, and access to experienced practitioners who can help them move from:

“We know this is important.”

to:

“Here is what we are doing next.”

For VC and PE executives, the question is not whether every portfolio company should become a security powerhouse.

They should not.

The better question is whether each company has the right level of security for its business model, threat profile, customer expectations, regulatory obligations, and stage of growth.

That is a much more useful conversation.

The Board Needs Better Cyber Signals

Boards are increasingly expected to provide oversight of cyber risk.

But many board conversations still suffer from the same problem: they are either too technical or too shallow.

A dashboard full of vulnerability counts may not tell the board what really matters. A statement that “we passed our security assessment” may not provide enough detail to support meaningful oversight. A management update that says “we are improving security” may be true, but not actionable.

Board members and investors need signals that connect cyber risk to business outcomes.

The useful questions sound more like this:

Can the company recover from ransomware without paying?
Are the most sensitive systems protected by strong identity controls?
Is customer data appropriately segmented and monitored?
Does the company know its critical vendors?
Are backups tested?
Are software releases being reviewed for security risk?
Are security commitments in customer contracts actually being met?
Is the company ready for a buyer’s security diligence process?

These are not abstract technical questions.

They are governance questions.

They are revenue questions.

They are valuation questions.

MicroSolved’s role is to turn technical findings into executive-level visibility. That means translating assessment data into risk themes, business impact, remediation priorities, and board-ready reporting. It also means helping leadership distinguish between noise and material exposure.

Not every vulnerability is a crisis.

Not every missing policy is a disaster.

Not every scary headline applies to every company.

But some weaknesses really do matter, and they need to be understood at the right level.

Good cyber reporting should help executives decide.

It should not just make them anxious.

Customer Trust Is Now a Growth Constraint

For many portfolio companies, especially in technology, healthcare, financial services, manufacturing, logistics, and B2B services, security has become part of the sales process.

Enterprise customers want evidence.

They ask for SOC 2 reports, penetration test summaries, policies, incident response plans, vendor management practices, secure development lifecycle documentation, insurance coverage, and proof that controls are not merely aspirational.

Procurement teams have become more sophisticated. Security questionnaires have become longer. Contractual requirements have become more demanding.

For early-stage companies, this can feel like a distraction.

For growth-stage companies, it can become a bottleneck.

For companies nearing exit, it can become a material diligence issue.

There is a simple reality here:

A company that cannot answer customer security questions may struggle to close larger deals.

A company that gives poor answers may create trust concerns.

A company that overstates its capabilities may create future legal exposure.

MicroSolved can help portfolio companies build the kind of practical security evidence that supports growth. That might include penetration testing, vulnerability assessment, policy development, incident response planning, executive tabletop exercises, third-party risk review, compliance readiness, or advisory support for customer security inquiries.

The aim is not bureaucracy.

The aim is sales enablement through credible security.

For investors, that matters. If security friction delays revenue, then security is not a back-office issue.

It is a growth issue.

If security credibility helps a company win enterprise customers, then security becomes part of the value creation story.

That is the mindset shift.

Exit Readiness Starts Earlier Than Most Firms Think

Too many companies treat security as an exit-readiness task that begins when the banker is already involved.

By then, the window for thoughtful improvement may be narrow.

Strategic buyers and sophisticated acquirers increasingly examine cyber risk as part of due diligence. They want to understand the company’s data exposure, history of incidents, security controls, technology architecture, software practices, regulatory obligations, and ability to integrate safely.

Weaknesses may not kill a deal, but they can create friction.

They can create escrow demands.

They can create indemnity concerns.

They can delay timelines.

They can create valuation pressure.

The problem is that real security maturity cannot be faked in a week.

Policies can be written quickly. Evidence cannot. A penetration test can be scheduled quickly. Remediation takes time. A security roadmap can be drafted quickly. Operational habits take longer. An incident response plan can be produced quickly. Practicing it is another matter.

MicroSolved’s portfolio approach helps companies build toward exit over time. That means identifying gaps early, prioritizing fixes that matter, documenting progress, and creating a trail of evidence that can withstand scrutiny.

For a VC or PE firm, this is simply disciplined value protection.

You would not wait until exit to understand financial controls, customer concentration, legal exposure, or management depth.

Cyber deserves the same treatment.

The earlier the firm builds visibility, the more options it has.

The Right Partner Matters

Cyber security is full of vendors selling dashboards, platforms, scoring systems, managed services, compliance packages, and automated reports.

Some of those offerings are useful.

Some are not.

Most are incomplete without judgment.

VC and PE firms need a partner that understands both the technical side of security and the business context of investment. The work requires more than scanning tools. It requires experience, prioritization, discretion, executive communication, and the ability to operate across different company sizes and maturity levels.

MicroSolved brings that practical blend: hands-on security testing, risk assessment, advisory support, incident readiness, and executive reporting.

The value is not just in finding problems.

Plenty of tools can find problems.

The value is in identifying which problems matter, explaining why they matter, and helping teams reduce risk in a way that fits the business.

That last part is important.

A 40-person SaaS company does not need the same security program as a global financial institution. A founder-led healthcare technology company may need focused help on customer evidence, HIPAA-related safeguards, and cloud configuration. A manufacturer may need operational technology awareness, ransomware resilience, and backup testing. A platform company pursuing acquisitions may need repeatable cyber diligence for targets. A mature portfolio company heading toward exit may need stronger documentation, technical validation, and board-level reporting.

One-size-fits-all security advice is usually bad advice.

The right approach is risk-based, business-aware, and practical enough to survive contact with reality.

What a Practical VC/PE Cyber Program Can Look Like

A strong program does not have to be overly complex.

In fact, the simpler and more repeatable it is, the more likely it is to work.

At the Fund Level

The firm should understand its own exposure.

That includes identity and access management, email security, cloud collaboration tools, data handling, vendor risk, executive devices, incident response, and wire fraud controls.

The firm should know how it would respond if a partner account were compromised, if sensitive deal material were exposed, or if a vendor incident affected operations.

At the Deal Level

Cyber diligence should be scaled to the transaction.

Not every deal requires the same depth, but every deal should have a way to identify material cyber risk. That may include external exposure review, architecture review, policy and control assessment, cloud posture checks, vulnerability testing, software security review, or executive interviews.

At the Portfolio Level

Each company should be assessed using a consistent framework that produces comparable results.

Findings should be prioritized.

Remediation should be tracked.

Board reporting should focus on business impact and progress, not technical clutter.

At the Value Creation Level

Portfolio companies should receive practical help.

That may mean remediation guidance, security roadmap development, incident response planning, tabletop exercises, compliance readiness, customer security support, or periodic technical testing.

At the Exit Level

Companies should be prepared with evidence.

They should know what a buyer will ask, where the gaps remain, what has been improved, and how to explain the security posture honestly and confidently.

That is not an academic model.

It is a workable operating rhythm.

The Conversation Investors Should Be Having Now

For partners, operating executives, and board members, the conversation should move beyond:

“Are we secure?”

That question is too broad to be useful.

The better questions are:

Where could cyber risk affect enterprise value?
Which portfolio companies have the most material exposure?
Which risks are likely to affect revenue, operations, compliance, or exit?
What evidence do we have?
What is being remediated?
Who owns the risk?
How would we respond to an incident tomorrow morning?
Where do we need expert help?

Those questions create movement.

They also create accountability.

Cyber risk is not going away. The threat landscape will keep changing. Regulatory expectations will keep rising. Customer demands will keep expanding. Attackers will keep looking for leverage.

The firms that win will be the ones that build repeatable ways to see, measure, and reduce risk before it becomes a crisis.

Why MicroSolved

The reason to use MicroSolved is not because cyber risk can be eliminated.

It cannot.

The reason is that cyber risk can be made visible, prioritized, and managed.

For the firm itself, that means a defensible posture around sensitive investment operations, confidential data, executive communications, incident readiness, and fraud prevention.

For the portfolio, it means a blanket, standardized approach that creates common language, comparable metrics, faster remediation, better board visibility, and stronger exit preparation.

For management teams, it means practical guidance instead of abstract fear.

For investors, it means knowing that cyber risk is being managed, not merely discussed.

Closing Thought

VC and PE firms are very good at identifying value, shaping strategy, and driving operating improvement.

Cyber security should be treated as part of that discipline.

Not as a side project.

Not as a compliance afterthought.

Not as something delegated entirely to IT.

The firms that do this well will not be the ones that buy the most tools or demand the longest questionnaires. They will be the ones that build repeatable, evidence-based, business-aligned security practices into the investment lifecycle.

That is the work.

Cyber risk is now enterprise value risk. Handle it with the same seriousness, consistency, and executive attention that you bring to every other driver of value.

Get In Touch

For more information, or for a discussion of how we can help, just email us at info@microsolved.com or give us a call at +1.614.351.1237 today. We look forward to putting our 30+ years of experience to work for you! 

CaneCorso™ and the Real Problems AI Is Creating for the Business

Posted on by
Reply

AI didn’t sneak into the enterprise.

It walked in through productivity.

Email triage. Document handling. Support workflows. Internal copilots. Retrieval systems. Early agentic use cases. All of it made sense at the time. All of it still does.

But something changed along the way.

We didn’t just adopt AI—we embedded it into workflows that can influence decisions, expose data, and take action.

That’s where the problem starts.

And it’s exactly where CaneCorso™ is designed to operate.

CaneCorsoAI

AI Risk Isn’t a Model Problem — It’s a Workflow Problem

There’s a persistent misunderstanding in the market right now.

Most conversations about AI security still center on the model—what it knows, how it behaves, whether it can be tricked.

That’s not where the real risk lives.

The real risk shows up when:

  • Untrusted content enters a workflow
  • That workflow uses AI to interpret or transform it
  • And the output influences business operations

That content might come from:

  • Email
  • Documents
  • OCR pipelines
  • Retrieved knowledge (RAG)
  • Support tickets
  • External data sources

Once it’s in the workflow, it’s no longer just data.

It’s influence.

CaneCorso™ exists to control that influence—before it becomes an operational problem.

The Perimeter Moved — Most Organizations Didn’t

Traditional security models assume boundaries.

Applications. Networks. Endpoints. Users.

AI workflows don’t respect those boundaries.

They collapse:

  • Data
  • Instructions
  • Context
  • Intent

…into the same channel.

That creates an entirely different risk profile:

  • Prompt injection (direct and indirect)
  • Data exfiltration through prompt manipulation
  • RAG poisoning and retrieval contamination
  • Multimodal attacks through documents and images
  • Unsafe tool usage triggered by manipulated inputs

These are not theoretical edge cases.

They are natural outcomes of how AI is being used today.

CaneCorso™ addresses this by acting as a shared AI Application Firewall—a control layer that sits in front of real workflows, not just models.

Small Businesses: The Problem Is Safe Adoption

Small organizations aren’t trying to solve AI security academically.

They’re trying to use AI without breaking the business.

They typically don’t have:

  • Dedicated AI security engineering
  • Time to build custom controls
  • Resources to continuously test workflows

But they still face the same risks.

For them, the core problem is simple:

How do we use AI without creating exposure we don’t understand?

CaneCorso™ answers that by providing:

  • A reusable control layer
  • Business-safe handling decisions (allow, sanitize, tokenize, block)
  • Protection against injection and data leakage
  • Minimal disruption to workflow performance

The goal isn’t perfection.

It’s safe, practical adoption.

Mid-Size Organizations: The Problem Is Inconsistency

Mid-market firms hit a different wall.

AI use spreads quickly—but control does not.

You end up with:

  • One team securing prompts one way
  • Another team building ad hoc filters
  • A third team doing nothing at all

What looks like progress is actually fragmentation.

And fragmentation creates risk.

Because now:

  • Policies are inconsistent
  • Logging is inconsistent
  • Enforcement is inconsistent
  • Assurance is impossible

CaneCorso™ solves this by introducing a single control plane across workflows.

Not by replacing tools.

But by normalizing how risk is handled across:

  • Inputs
  • Prompts
  • Retrieved data
  • Outputs

That shift—from local fixes to shared control—is what enables real governance.

Enterprise: The Problem Is Scale and Assurance

Enterprises don’t struggle with whether to use AI.

They struggle with using it at scale without losing control.

The complexity shows up quickly:

  • More workflows
  • More data sources
  • More sensitive content
  • More downstream impact

Risk concentrates in places like:

  • Document ingestion pipelines
  • Retrieval systems
  • Internal copilots
  • Agent-driven workflows
  • Tool-connected AI systems

At that scale, the question changes.

It’s no longer:

“Are we protected?”

It becomes:

“Can we prove we are operating safely?”

CaneCorso™ addresses both sides:

  • Centralized protection across workflows
  • Measurable assurance through testing and auditable decisions

Because at enterprise scale, security without evidence is just opinion.

The Difference: Protect the Workflow Without Breaking It

This is where most approaches fail.

Traditional security thinking leans toward blocking.

If something looks suspicious, stop it.

That works—until it breaks the business.

AI workflows are different.

They require more nuance.

CaneCorso™ is built around that reality:

  • Allow when safe
  • Sanitize when needed
  • Tokenize when privacy matters
  • Block when necessary

That model matters.

Because the goal is not to stop work.

The goal is to keep safe work moving.

The Reality Behind the Threats

It’s easy to focus on the technical attacks:

  • Prompt injection
  • Indirect injection
  • Data exfiltration attempts
  • RAG poisoning
  • Tool abuse

But in practice, those attacks succeed because of how systems are built and used.

  • Developers concatenate untrusted input into prompts
  • Teams trust retrieved content without validation
  • Users paste sensitive data into workflows
  • Agent permissions expand faster than controls
  • Deployments happen without adversarial testing

These are normal behaviors.

CaneCorso™ works because it assumes those realities—not ideal conditions.

What Actually Changes

When organizations put a control layer like CaneCorso™ in place, the impact is operational.

Not theoretical.

You see:

  • Reduced likelihood of avoidable AI-driven incidents
  • Less sensitive data leakage
  • Fewer workflow failures from brittle controls
  • Faster, safer AI adoption
  • A clearer story for auditors, customers, and leadership

That last point matters more than most people realize.

Because AI isn’t just a technology decision anymore.

It’s a business trust decision.

Final Thoughts: Rational AI Security

There are two bad approaches to AI right now.

Move fast and ignore the risk.

Or lock everything down and lose the value.

Neither works.

What organizations actually need is a rational approach:

  • Small businesses need safe adoption
  • Mid-size businesses need consistency
  • Enterprises need scale and assurance

CaneCorso™ aligns with that reality.

Not by trying to “solve AI.”

But by solving the actual problem:

controlling how untrusted content influences real business workflows.

That’s the shift.

And it’s where AI security either becomes operational—or irrelevant.

More Info

To learn more, just give us a call at +1.614.351.1237, or drop us a line at info@microsolved.com. We’d love to walk you through how CaneCorso can help you secure the AI future of your business! 

 

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

Introducing CaneCorso: An AI Application Firewall Built for Real Workflows

Posted on by
Reply

AI has officially crossed the line from experiment to infrastructure.

Email flows into copilots. Documents feed RAG pipelines. Support tickets trigger agents that can take action. The convenience is real—and so is the risk.

What hasn’t caught up is security.

Most security models were built for a world where inputs were predictable and trust boundaries were well-defined. That world doesn’t exist anymore. Today, untrusted content flows directly into systems that can reason, decide, and act.

That’s exactly where things get interesting—and dangerous.

When Good Data Carries Bad Instructions

One of the biggest misconceptions about AI security is that it’s a model problem. It’s not. It’s a workflow problem.

Attackers don’t need to break in anymore. They ride along with legitimate data—emails, PDFs, tickets, knowledge base entries—and inject instructions that your AI system may interpret as truth.

Think about what that means in practice:

  • A support ticket that contains hidden instructions
  • A PDF with embedded prompt injection
  • A knowledge base entry that poisons RAG outputs
  • An approval workflow manipulated through summarization

Layer in human behavior—blind trust, over-privileged access, weak validation—and you’ve got a system primed to fail in ways that traditional controls simply won’t catch.

CaneCorsoAI

A More Rational Approach to AI Security

CaneCorso™ takes a different path.

Instead of trying to block everything suspicious (and breaking workflows in the process), it follows what’s described in the Rational AI Security model —security that behaves more like an immune system than a wall.

That means:

  • Detecting and isolating threats without stopping the system
  • Treating all inbound content as untrusted by default
  • Preserving business continuity while reducing risk
  • Producing measurable, auditable outcomes

This isn’t theoretical. It’s a direct response to how AI systems actually behave in production.

One Control Plane for AI Workflows

At its core, CaneCorso gives you a shared AI Application Firewall—a single control plane that sits between your workflows and your models.

Instead of every team building its own brittle filters, you get consistent, reusable protection across:

  • Email triage and analysis
  • RAG pipelines and knowledge systems
  • Document AI and OCR ingestion
  • Support and ticketing workflows
  • Agent-driven automation

The platform delivers:

  • Runtime decisions: allow, sanitize, tokenize, or block
  • Privacy controls: redact or tokenize sensitive data before model exposure
  • Audit-ready logs: reasons, scores, and evidence you can actually use
  • Adversarial validation: Injection Scanner proves controls before and after deployment

This isn’t just about stopping attacks—it’s about making security operationally usable.

How It Works (Without Breaking Everything)

CaneCorso is built around a simple but effective model:

  1. Connect the workflow
    Mailboxes, agents, or document pipelines send raw content through a single control point.
  2. Evaluate risk
    The system analyzes both security threats and privacy exposure in real time.
  3. Apply the right action
    Policies determine whether content is allowed, sanitized, tokenized, or blocked.
  4. Keep work moving
    Safe content continues downstream with context, scores, and auditability intact.

The key difference? It doesn’t rely on hard blocking as the default.

Inline tokenization replaces only the unsafe portion of content—meaning the workflow continues, the business operates, and the risk is neutralized.

Why This Matters Right Now

The perimeter has moved.

AI systems don’t just process data—they act on it. That turns every input into a potential control decision.

The threat landscape outlined in the workflow map highlights the shift:

  • Indirect prompt injection from internal or trusted sources
  • Multimodal attacks hidden in images, PDFs, or OCR text
  • Human-in-the-loop deception during approvals
  • Over-privileged workflows amplifying impact

These aren’t edge cases. They’re becoming normal operating conditions.

Measurable Security, Not Assumptions

One of the most important shifts CaneCorso introduces is moving security from belief to proof.

The Injection Scanner continuously tests workflows against adversarial scenarios, providing measurable evidence that controls work:

  • Before deployment
  • After changes
  • During audits or customer reviews

That matters for engineering teams. It matters for security teams. And it definitely matters when someone asks, “How do you know this is safe?”

Final Thoughts: Security That Matches Reality

For years, security teams have had to choose between protection and usability.

In the AI era, that trade-off doesn’t hold up.

CaneCorso is built on a simple idea: protect the workflow without breaking it. That means embracing how AI systems actually work—messy inputs, probabilistic outputs, and human decision-making in the loop.

If you’re deploying AI in any meaningful way, the question isn’t whether you’ll face these risks.

It’s whether you’ll be ready when you do.

Learn More

To learn more about CaneCorso, schedule a demo, or discuss your environment:

Rethinking Account Lockouts: Why 15 Minutes Isn’t a Strategy

Posted on by
Reply

There’s a moment in almost every security program where someone asks a deceptively simple question:

“Is 15 minutes a standard account lockout duration?”

The short answer? No.
The more honest answer? It’s common—but often wrong for the environment it’s deployed in.

And I’ve seen more than a few organizations learn that the hard way.

3Errors

The Myth of the “Standard” Lockout

If you go looking for authoritative guidance—from Center for Internet SecurityFFIEC, or CISA—you’ll notice something interesting:

They don’t tell you what number to use.

Instead, they consistently emphasize:

  • Risk-based decision making
  • Balancing usability and security
  • Detecting and responding to threats—not just blocking them

That’s not an accident. It’s an acknowledgment that static controls like lockouts are blunt instruments in a very dynamic threat landscape.

What We Actually See in the Real World

Across environments—financial services, healthcare, SaaS, manufacturing—the patterns are pretty consistent:

Setting Typical Range
Failed attempts before lockout 3–10
Lockout duration 5–30 minutes
Most common default 10–15 minutes

So yes, 15 minutes sits comfortably in the middle.

But “common” and “effective” are not the same thing.

Where 15 Minutes Breaks Down

1. It Punishes Users More Than Attackers

A 15-minute lockout sounds reasonable—until you multiply it.

  • A clinician locked out mid-shift
  • A call center agent missing SLAs
  • A trader unable to access systems during market hours

Now multiply that by repeated lockouts from cached credentials, mobile devices, or service accounts.

You don’t just have a security control—you have an operational problem.

2. It Doesn’t Stop Modern Attacks

Attackers have evolved. Most environments haven’t.

Today’s common attack patterns:

  • Password spraying (low-and-slow, avoids thresholds)
  • Credential stuffing (valid credentials, no lockout triggered)

A longer lockout duration doesn’t meaningfully impact either.

If anything, it gives a false sense of security while the real attack path goes untouched.

What Actually Works: A Layered Approach

This is where the conversation needs to shift—from “what’s the right number?” to “what’s the right strategy?”

1. Lockouts Are Supporting Controls—Not Primary Defenses

If you’re relying on lockouts as your main protection, you’re already behind.

At a minimum, you should be pairing with:

  • MFA everywhere it’s technically feasible
  • Conditional access (device, location, behavior)
  • Authentication throttling and smart detection

2. Tune for Risk, Not Defaults

A more balanced configuration tends to look like:

  • 5–10 failed attempts
  • 5–10 minute lockout
  • Reset counter after a defined cooldown window

This reduces user friction while still slowing down brute-force attempts.

More importantly—it acknowledges that lockouts are a speed bump, not a wall.

3. Progressive Delays Beat Hard Lockouts

One of the most underutilized strategies is progressive delay:

  • Attempts 1–2 → no delay
  • Attempts 3–5 → 30–60 second delay
  • Continued attempts → increasing delay

This approach:

  • Degrades attacker efficiency
  • Preserves user productivity
  • Avoids helpdesk spikes

It’s a far more surgical control than a blanket 15-minute lockout.

4. Detection Over Punishment

Modern security programs don’t just block—they observe.

You should be:

  • Logging all failed authentication attempts
  • Alerting on patterns (spraying, geographic anomalies)
  • Correlating identity signals across systems

Lockouts should be one signal among many—not the primary response.

Implementing This in Active Directory

Let’s get practical.

In on-prem Active Directory, you’re working primarily with Group Policy.

Recommended Baseline

In your domain or fine-grained password policy:

  • Account lockout threshold: 5–10 attempts
  • Account lockout duration: 5–10 minutes
  • Reset account lockout counter after: 10–15 minutes

Where to Configure

  • Group Policy Management Console (GPMC)
    • Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy

Advanced Considerations

  • Use Fine-Grained Password Policies (FGPP) for high-risk accounts (admins, service accounts)
  • Monitor Event IDs:
    • 4625 (failed logon)
    • 4740 (account locked out)
  • Feed logs into your SIEM for correlation and alerting

Implementing This in Microsoft 365

In Microsoft 365, the model shifts significantly.

You don’t directly control “lockout duration” in the same way—because the platform is already applying smart lockout behavior.

Smart Lockout (Azure AD / Entra ID)

  • Automatically tracks failed attempts
  • Uses adaptive thresholds
  • Differentiates between familiar and unfamiliar locations

What You Should Do Instead

1. Enable and Enforce MFA

  • Conditional Access → Require MFA for all users (with staged rollout if needed)

2. Configure Conditional Access Policies

  • Block legacy authentication
  • Require compliant devices
  • Apply geographic restrictions where appropriate

3. Monitor Identity Signals

  • Azure AD Sign-in logs
  • Risky sign-ins and users
  • Integration with Defender for Identity / Sentinel

4. Tune Smart Lockout (if needed)

  • Default threshold is typically sufficient
  • Adjust only if you have a strong operational reason

The Bottom Line

A 15-minute lockout isn’t wrong.

It’s just incomplete.

  • ✔️ It’s common
  • ❌ It’s not a standard
  • ⚠️ It can create more operational pain than security value

The real shift is this:

Stop treating account lockouts as a primary control. Start treating them as part of a layered identity defense strategy.

Because in today’s environment, the goal isn’t just to block access.

It’s to understand it.

 

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.