What Security Leaders Should Know About Security Control Gaps in CrowdStrike Deployments

Too often, we assume that once a tool like CrowdStrike is deployed, it’s working exactly as intended. But assumptions don’t equal assurance. That’s why CrowdStrike security control validation is becoming a critical step for security leaders who want to verify that detections are firing, alerts are escalating, and teams are responding before a real attacker puts those assumptions to the test.

Some of the world’s most well-known organizations use CrowdStrike, and it’s a smart investment. But after working with security leaders across dozens of industries, one thing is clear to us: even the best EDR/XDR deployments can fail silently. That’s not a criticism of CrowdStrike. It’s the reality of enterprise-scale environments where configurations drift, people make changes, and the responsibility for detection and response is split across internal and external teams. When something breaks quietly, it doesn’t always throw an alert, so everything looks fine until a real threat slips through. At that point, the board isn’t asking whether you bought the right tool. They’re asking why it didn’t work.

What are the security control gaps in CrowdStrike deployments?

Security control gaps in CrowdStrike deployments occur when detection policies, sensors, integrations, or response workflows fail silently due to misconfiguration, drift, or untested operational assumptions.

What causes these security control gaps?

Most of the CrowdStrike customers we work with believe their security tools (EDR/XDR/SIEM), internal SOC teams, and/or Falcon Complete or third-party MDR are doing what they’re supposed to. But when we test them using real-world attack TTPs, they’re surprised by what we find.

Here’s why:

  • Sensors are missed during rollout or later go inactive, so the endpoint is never actually covered.
  • Default policies may not log or alert on real-world threat activity.
  • Custom IOAs are rarely tuned to the environment they run in.
  • Updates or integrations break detection logic silently.
  • Third-party MDR or SOC teams assume you’re handling an alert, and vice versa.

Individually, these issues might seem minor, but together they add up to real blind spots. For example, in one recent assessment we emulated a credential dumping technique on an endpoint with Falcon installed. Falcon didn’t alert. The cause was a simple policy misconfiguration, and no one noticed because a misconfigured policy doesn’t throw an error; the detection simply never fires.

In another case, a customer’s integrated SIEM was ingesting Falcon data, but was configured to ignore detections below a certain severity. The SOC never saw our activity, and SLA response time tracking never even started.

These aren’t uncommon. In fact, they’re everywhere.
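To make the two cases above concrete, here is an added example (it is not OnDefend’s or CrowdStrike’s code, and the host names, technique names, severities and the SIEM forwarding rule are constructed for illustration, not a real Falcon schema): a self-check that walks each emulated technique through the pipeline in order, sensor present, detection fired, detection forwarded to the SOC queue, and reports the first stage that failed. The credential dumping case maps to a detection that never fires; the SIEM case maps to a detection that fires at medium severity and is dropped by a forwarding rule set to high.

```python
"""Added example (not OnDefend's or CrowdStrike's code): walk each emulated
technique through the detection pipeline and report where it fails silently.
All event data below is constructed; the field names (host, severity,
technique) are assumptions, not a real Falcon schema."""

from dataclasses import dataclass

# Severity scale used by the constructed SIEM forwarding rule (assumed).
SEVERITY_RANK = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


@dataclass
class Endpoint:
    host: str
    sensor_active: bool


@dataclass
class Emulation:
    """One technique run by the validation team on one host."""
    technique: str
    host: str


@dataclass
class Detection:
    """A detection as the EDR console would show it (constructed)."""
    technique: str
    host: str
    severity: str


@dataclass
class SiemForwardingRule:
    """Forward EDR detections to the SOC queue only at or above min_severity.
    This models the misconfiguration from the second case above."""
    min_severity: str

    def forwards(self, det: Detection) -> bool:
        return SEVERITY_RANK[det.severity] >= SEVERITY_RANK[self.min_severity]


def validate_pipeline(endpoints, emulations, detections, rule):
    """Return {(technique, host): stage} where stage is the first broken link,
    or 'reached_soc' when the emulation produced a queued alert."""
    sensors = {e.host: e.sensor_active for e in endpoints}
    by_key = {(d.technique, d.host): d for d in detections}
    results = {}
    for em in emulations:
        key = (em.technique, em.host)
        if not sensors.get(em.host, False):
            results[key] = "no_active_sensor"        # sensor missed or inactive
        elif key not in by_key:
            results[key] = "no_detection"            # policy gap: nothing fired
        elif not rule.forwards(by_key[key]):
            results[key] = "dropped_by_siem_filter"  # fired, but the SOC never saw it
        else:
            results[key] = "reached_soc"
    return results


def gaps(results):
    """Only the failures, in a stable order for reporting."""
    return sorted((k, v) for k, v in results.items() if v != "reached_soc")


# Constructed scenario mirroring the two cases in the post.
ENDPOINTS = [Endpoint("fin-ws-01", True), Endpoint("hr-ws-07", True), Endpoint("lab-srv-03", False)]
EMULATIONS = [
    Emulation("credential_dumping", "fin-ws-01"),
    Emulation("credential_dumping", "hr-ws-07"),
    Emulation("lateral_movement", "fin-ws-01"),
    Emulation("ransomware_sim", "lab-srv-03"),
]
DETECTIONS = [
    Detection("credential_dumping", "hr-ws-07", "medium"),  # fired, but below the SIEM threshold
    Detection("lateral_movement", "fin-ws-01", "high"),
]
RULE = SiemForwardingRule(min_severity="high")

if __name__ == "__main__":
    for key, stage in sorted(validate_pipeline(ENDPOINTS, EMULATIONS, DETECTIONS, RULE).items()):
        print(f"{key[0]:>20} on {key[1]:<12} -> {stage}")
```

The stage order is the point: a technique only counts as covered when every link holds, and the report names the first broken one so the fix goes to the right owner (deployment for sensors, policy for missing detections, SIEM routing for dropped alerts). Against real exports only the data-loading part changes; the stage logic stays the same.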

What can security leaders do about it?

To be clear, these issues aren’t signs of failure. They’re signs of complexity. Modern security environments are dynamic and distributed, with constant changes and shifting responsibilities.

That’s why proactive security control validation is essential. But that doesn’t mean running another audit or compliance checklist or assuming a penetration test will find these gaps. It means:

  • Testing your CrowdStrike deployment in its current state, not just at initial rollout
  • Simulating real-world threats, not just theoretical detections
  • Validating that detections fire, alerts escalate, and response happens within SLA

This approach gives you more than a pass/fail answer. It gives you clarity on what’s working, what’s misconfigured, and what gaps are created by day-to-day operational changes.

Final thoughts on CrowdStrike operational assurance

Security leaders don’t want to guess; they want confidence that the tools they’ve invested in are protecting the organization, and that the teams managing those tools are ready when a threat hits. Validating the CrowdStrike deployment is one of the clearest ways to build that confidence. CrowdStrike offers Falcon Operational Support to help organizations configure and optimize the Falcon platform; our independent assessments complement that service by continuously validating whether those configurations and detection policies are working as intended, long after deployment.

While this post focused on CrowdStrike, the same guidance applies across all detection tools and MDR providers. Whether you’re using Falcon, Defender, SentinelOne, or something else entirely, security control validation helps you prove that your defenses work when it matters.

Frequently Asked Questions


Why do CrowdStrike deployments fail even when Falcon is installed?

CrowdStrike deployments can fail due to missed sensors, default policies that don’t alert on real-world activity, untested integrations, or unclear ownership between SOC and MDR teams.

How is security control validation different from a penetration test?

Penetration testing identifies whether attackers can gain access. Security control validation tests whether detections fire, alerts escalate, and response occurs after access is achieved.

Do security control gaps mean CrowdStrike is misconfigured?

Not always. Gaps often result from environmental complexity, configuration drift, or operational assumptions rather than a flawed tool or initial deployment.

How often should CrowdStrike deployments be validated?

Deployments should be validated regularly, especially after policy changes, integrations, onboarding MDR services, or significant environment changes.

Want to learn how security control validation differs from a pentest? Read: Security Control Validation: Why Testing Once Isn’t Enough to Stop Threats.

About OnDefend

OnDefend stands at the forefront of preventative cybersecurity testing and advisory services, further strengthened by its proprietary automation and AI-powered technologies, including its advanced Breach and Attack Simulation (BAS) Software-as-a-Service platform, BlindSPOT. A trusted partner to organizations worldwide, OnDefend empowers companies and nations to proactively combat real-world cyber threats across software, hardware, IoT, and AI while ensuring that security investments are well-utilized, effective, and measurable. For more information, visit www.ondefend.com.

OnDefend Welcomes Terin Williams as Associate Program Director of Strategic Policy Initiatives

Terin brings a rare perspective to cybersecurity—blending national defense experience with a passion for growing cyber talent and resilience at every level. In this interview, she shares how her work with the Army National Guard and CISA fuels her mission to make cybersecurity a true national priority.

Learn a little more about Terin and the expertise she brings in this one-on-one interview:

Q: Your most recent role as Special Assistant to the Director of the Army National Guard for US Army Cyber Matters and your leadership at CISA and the National Guard Bureau gave you a unique perspective on national cybersecurity priorities. As the government’s role evolves and public-private collaboration becomes more critical, how do you see that experience shaping your work at OnDefend to help organizations build real-world resilience in the face of growing threats? 

I have had the privilege of engaging cybersecurity from multiple perspectives. At the national level, my experience includes working within the Department of Defense (DoD) and the broader federal government, providing insights into large-scale national security operations. 

While state and local governments may not typically focus on national security at this scale, my role in the National Guard has offered me a unique vantage point on state-level cybersecurity initiatives. Additionally, serving as a Cybersecurity and Infrastructure Security Agency (CISA) advisor to the state has deepened my understanding of local cybersecurity challenges and strategies. 

In the private sector, my position within the OnDefend ecosystem has allowed me to appreciate the industry’s approach to both cybersecurity and national security concerns. It’s refreshing to see that some private sector entities are taking national security seriously and, more importantly, are willing to do something about it!

Q: How did you get started in cybersecurity? 

This is a two-part answer, really:  

Part I: I was originally following the medical path, but the military kept pushing me towards information technology. I got my CISSP, and while I hated the exam, I realized my medical aspirations of helping people could be fulfilled on a computer (another passion of mine).

Part II: I started my Master’s in cybersecurity during one of my military mobilizations and got put in charge of standing up cyber in the Ohio National Guard when I returned. I attended Cyber Shield 2013 (a defensive cyber operations exercise in the National Guard) and fell in love…I credit Cyber Shield with most of my growth throughout my cyber career. 

Q: Can you walk us through some career highlights?

Honestly, the highlight of my career has been all of the phenomenal people I have had the chance to work with and learn from. But I am always ecstatic about any progress we can make towards national security.

Q: What excites you most about joining OnDefend?

The mission and the people. While I am no longer a public servant, I get to continue to improve national security in the private sector with an amazing and extremely talented team!  

Q: Is there a project or accomplishment you’re particularly proud of?

My kids are my greatest accomplishment, and I am extremely proud of them! However, I am also proud of the many people I have had the privilege to lead throughout my career. The credit is all theirs, but I have benefited from just having the opportunity to work with them!

Q: What’s something people should know about you?

I am the least photogenic person of all time!

Q: Where do you hope to see the state of cybersecurity in five years?

I would like the nation (and even the world) to treat cybersecurity like they do physical security. They will need to with AI and quantum, but I haven’t seen evidence of that yet. More importantly, I would like more people (everyone would be better) in the United States to understand their role in national security when it comes to cybersecurity!  

Q: Looking ahead, what would you like your legacy at OnDefend to be?  

The leaders and the talent that I help build in others AND the team effort of advancing national security for this great country.


Explore how OnDefend is reimagining security programs and going beyond compliance with experts like Terin Williams, bringing advanced threat emulation and real-world testing to protect organizations around the globe.


OnDefend Media Contact:

Lauren Verno, Media@ondefend.com

904-299-3669

You’re Only Testing Half the Attack Surface

Many organizations run external penetration tests. They are expected. They satisfy compliance requirements. They result in a report that shows no critical findings.

Here’s the problem: attackers rarely stop at the perimeter.

Most real-world breaches start with phishing, stolen credentials, or exposed internal access. Once an attacker is inside the network, the real work begins: privilege escalation, lateral movement, data access, and disabling security controls.

External testing only evaluates how someone might get in. Internal penetration testing evaluates what happens after they do.

Compliance Is a Baseline, Not a Security Strategy

Annual external tests and vulnerability scans can make an environment look secure on paper. But they don’t answer the questions that actually matter during a breach:

  • Can an attacker move between network segments?

  • Are service accounts over-privileged?

  • Do legacy systems expose escalation paths?

  • Can credentials be reused across systems?

  • Will detection tools trigger on internal attacker behavior?

Compliance-driven testing validates exposure. Internal testing validates impact.

External vs. Internal: What’s the Difference?

Simulates
  External: An attacker on the internet targeting your public-facing systems*
  Internal: An attacker who has already gained access (phishing, stolen credentials, insider threat)

Focuses on
  External: Internet-exposed IPs, perimeter services, external vulnerabilities
  Internal: Lateral movement, privilege escalation, internal systems, data access

Common goal
  External: Identify how an attacker could gain initial access
  Internal: Understand blast radius and control failures post-breach

Compliance requirement
  External: Commonly required (PCI, HIPAA, SOC 2)
  Internal: Less commonly required, but critical for real risk assessment

* Note: Web applications often require separate application-layer testing. External network pentests do not evaluate business logic, authentication flaws, or application-specific abuse paths.

Why You Need Both

External tests show how attackers get in.

Internal tests show how far they can go.

Together, they provide a complete view of organizational exposure:

  • Entry points

  • Attack paths

  • Privilege escalation routes

  • Detection gaps

  • Real-world breach impact

Running only external tests is like testing the locks but never checking what happens if someone gets a key. Want a breakdown of what kind of penetration testing is right for your organization? We’ll walk you through it.

Real-World Example: What Internal Testing Revealed

A regional healthcare organization had strong external test results and no history of internal penetration testing.

Once internal access was simulated, the results changed quickly.

We were able to:

  • Move laterally between departments

  • Access sensitive healthcare records

  • Escalate privileges to domain administrator

  • Disable detection tooling without generating alerts

None of these issues appeared in external testing. All were remediable, but only because internal testing identified them.

If You Only Test the Outside, You’re Guessing

Most security leaders acknowledge that breaches are inevitable. That’s why detection and response capabilities are a priority. But without testing the internal environment like a real adversary, you’re relying on assumptions, rather than evidence.

Internal penetration testing helps answer key questions:

  • Are segmentation and security controls actually enforced?

  • What happens after a phishing attack or credential theft?

  • How quickly can privileges be escalated?

  • Will security tools detect attacker behavior?

  • What is the true blast radius of a compromised account?

To safely simulate this behavior continuously, organizations increasingly pair internal testing with breach and attack simulation platforms like BlindSPOT, which are designed to validate detection and response against real attacker techniques.

What to Do Next

External penetration tests satisfy compliance requirements.

Internal penetration testing validates real-world risk.

If you want to understand what an attacker could actually do inside your environment, it’s time to test beyond the perimeter.

Schedule a discovery call to discuss what an internal penetration test would look like for your organization, and what it would reveal before an attacker does.


OnDefend Welcomes Tim Tomes as Director of Training and Programs

Tim’s career spans elite Army Red Team operations, the development of groundbreaking cybersecurity tools, and thousands of hours spent shaping future defenders. His unique blend of deep technical expertise, instructional skill, and mission-first leadership sets him apart as a true force in the cybersecurity world.

Learn a little more about Tim and the expertise he brings in this one-on-one interview:

Q: What is your role at OnDefend? 

In my role as the Director of Training and Programs, I’ll be working to elevate the skill set of the entire OnDefend team in the areas of application security and Red Teaming. I’ll also be working to build an external-facing training program focused on providing technical skills development opportunities in engaging and practical environments. In my role as an Associate Program Director, I’ll be working with the Independent Security Inspector team to ensure that entities operate in good faith and protect the interests of the United States through the distribution and functionality of their U.S. applications and infrastructure.

Q: How did you get started in cybersecurity? 

Video games. I know it sounds crazy, but ever since I was a child, I’ve enjoyed video games. Video gaming during the 1980s and 90s was not easy. It required a deep understanding of systems, networking, and in some cases, code. My desire to play video games drove me to study and learn elements of all these disciplines. The technical skillset gained from an effort to play video games led to a degree in Information Systems and a commission in the U.S. Army, where I eventually found myself as a team leader on the U.S. Army Red Team. This is where I discovered that everything technical I had learned was from the perspective of how things were supposed to work. The Red Team taught me to think about how things could work, for better or for worse. This changed my perspective on all things technical and launched me into a career in cybersecurity.

Q: Can you walk us through some career highlights?

Sure. The Red Team experience was certainly a highlight. That led to me being asked to lead the development of the Army’s cyber training program (more on this later), and participating in and winning the inaugural SANS NetWars competition at SANS Network Security 2010. Shortly thereafter, I was hired by John Strand as the first FTE for Black Hills Information Security (BHIS), where I helped John grow the company by building out the technical side of the consultancy. While working at BHIS, I created Recon-ng, which is probably what I am most known for in the security community. In an effort to share Recon-ng and other open source projects, I began speaking at conferences, which led to a talk I gave with Violent Python (TJ O’Connor) at ShmooCon 2013 in front of approximately 2500 people. I switched focus exclusively to application security around this time and began teaching web application penetration testing through SANS, and then for my own company in 2017. I’ve trained thousands of people in the public and private sectors and am known in the security community for being an expert in web application security and PortSwigger’s Burp Suite Pro.

Q: What excites you most about joining OnDefend?

Being part of a team again. Mentorship is very important to me, but I’ve spent the past eight years as a team of one. At this stage of my career, I can better serve the community by passing on what I’ve learned to the next generation rather than applying it to one-off situations. The opportunity to contribute to the growing team of application security professionals at OnDefend is definitely what I am most excited about.

Q: Is there a project or accomplishment you’re particularly proud of?

After my time on the Red Team, the Department of Defense was ramping up its cybersecurity efforts, and the Army went looking for uniformed personnel who could help build a program to train cyber operators. I was selected by the Commanding General of the Signal Corps to relocate to Fort Gordon and be the principal architect of the Army’s cyber operator training course (255S). I spent several years leading a team of talented officers and civilian personnel to establish what eventually became the basis for the U.S. Army Cyber Corps.

HoneyBadger and PushPin were two open-source software projects I built during my time at BHIS. They both focused on leveraging web-based geolocation technologies to enhance situational awareness. In the years following the release of these tools, I was made aware of situations where law enforcement leveraged these tools to increase the safety of large community events, investigate crimes, collect critical evidence, locate and apprehend fugitives, and recover abducted individuals.

Q: What’s something people should know about you?

I am an apprentice of Jesus, trying to be like him and do as he did. He was a man of action, character, humility, love, and sacrifice who elevated everyone around him. That’s who I want to be. This is what drives me. It’s the highest of standards. Impossible to achieve, but so worth trying.

Q: Where do you hope to see the state of cybersecurity in five years?

I’m not much of a visionary. I tend to focus on what is practical here and now. But if I had to answer that question, I’d say an industry of professionals that are less reliant on AI and abstractions. I do realize that this is the opposite direction of where we are headed, and in complete opposition to where most people want to go, but I’m hoping that we’ll avoid shortcuts, and do the hard right over the easy wrong. Unfortunately, I think we’ll see humanity lean too heavily on AI and lose expertise in the foundational concepts that are used to build underlying systems. A “brain drain” so-to-speak, resulting in fewer people with the required level of understanding to solve problems. I believe there will be fewer experts, and the gap between users and experts will grow exponentially with AI making it less necessary to understand fundamentals. Look at something as simple as video games. My entire career was built around the struggle it was to make video games work. All my children have to do is press a single button and everything just works. Mind blowing experiences are so easy to attain. Ironically, using tech has become too easy. There are so many layers of abstraction that fundamental understanding is no longer necessary to be a user, and I believe that will have a major impact over time. So, I’m hoping it doesn’t.

Q: Looking ahead, what would you like your legacy at OnDefend to be?  

To leave things better than I found them in every possible way. I want to be remembered as someone that led with humility and character, elevated everyone on the team, and helped to create an accessible source of world class cybersecurity training.

 

Explore how OnDefend is reimagining security programs and going beyond compliance with experts like Tim Tomes, bringing advanced threat emulation and real-world testing to protect organizations around the globe.


Strengthen your cybersecurity maturity by combining penetration testing with threat detection and response validation. 


Penetration testing is a foundational cybersecurity practice. It helps organizations identify exploitable vulnerabilities, validate prevention controls like firewalls and antivirus, and satisfy the expectations of compliance frameworks, cyber insurers, and board stakeholders. But in today’s threat landscape, pentesting only tells part of the story. 

Pentests answer questions like: 

  • Can a threat actor get in? 
  • Where are the gaps in our perimeter defenses? 
  • What vulnerabilities should we prioritize for remediation? 

What they don’t answer is: 

  • Will our tools detect an attacker once they’re inside? 
  • Will our SOC, MDR, or NDR teams respond in time? 
  • Are our detection and response investments actually working? 

This is where Threat Detection and Response Validation in BlindSPOT, OnDefend’s Breach and Attack Simulation platform, comes in, and why pairing it with OnDefend’s penetration testing services creates a more complete and proactive security strategy.


Penetration Testing vs. Threat Detection and Response Validation: 

Pentesting checks your locks—on doors and windows—to ensure your house is secure from outside entry. But it doesn’t test every lock, every day. And it doesn’t tell you if your alarm system works, if each sensor works, or whether anyone responds when it goes off. 

Threat Detection and Response Validation does just that.  It simulates real-world attacker behaviors to validate whether your detection tools (EDR, SIEM, NDR) and response teams (internal SOC or third-party MDR/NDR/MSSP) detect, escalate, and respond in real time. 


Why Threat Detection and Response Validation Matters 

Modern cybersecurity assumes breach is inevitable. That’s why mature security programs focus not just on keeping adversaries out—but on how quickly they can detect, contain, and recover from an intrusion. 

BlindSPOT adds that missing operational visibility:

  • Threat Response Validation: Measures your actual Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), benchmarking both tools and response teams against expectations and SLAs.

  • Alert Monitoring: Notifies you when a detection fails or a response is delayed, so issues are caught before an attacker takes advantage.
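As an added illustration of what measuring MTTD and MTTR against SLAs involves (example code, not BlindSPOT’s or OnDefend’s own; the technique names, timestamps and SLA values below are constructed), here is a scorecard built from a simulation timeline. Two choices matter in practice and are made explicit in the code: both clocks start when the technique executes, not when it is detected, and techniques that were never detected or never responded to are reported as SLA breaches rather than quietly dropped from the average.

```python
"""Added example (not BlindSPOT's or OnDefend's code): compute MTTD and MTTR
from a simulation timeline and check both against SLAs. The timeline below is
constructed; timestamps are ISO 8601 strings and the SLA values are assumed."""

from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


class SimulationRun:
    """One emulated technique: when it executed, when the first alert reached
    the queue, when a responder acted. None means the event never happened."""

    def __init__(self, technique: str, executed: str,
                 detected: Optional[str], responded: Optional[str]):
        self.technique = technique
        self.executed = _ts(executed)
        self.detected = _ts(detected) if detected else None
        self.responded = _ts(responded) if responded else None

    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.detected is None else self.detected - self.executed

    def time_to_respond(self) -> Optional[timedelta]:
        # Measured from execution, not from detection: the attacker's clock
        # starts when the technique runs, and an SLA that starts at detection
        # hides the cost of a late detection.
        return None if self.responded is None else self.responded - self.executed


def scorecard(runs, detect_sla: timedelta, respond_sla: timedelta) -> dict:
    """MTTD/MTTR over runs that completed each stage, plus explicit lists of
    runs that never did. Undetected runs cannot be averaged, so they are
    reported separately and counted as breaches; otherwise a 90-second MTTD
    over three of ten techniques would look like a healthy number."""
    ttd = [r.time_to_detect() for r in runs if r.time_to_detect() is not None]
    ttr = [r.time_to_respond() for r in runs if r.time_to_respond() is not None]
    return {
        "total": len(runs),
        "undetected": [r.technique for r in runs if r.detected is None],
        "unresponded": [r.technique for r in runs if r.responded is None],
        "mttd_s": mean(t.total_seconds() for t in ttd) if ttd else None,
        "mttr_s": mean(t.total_seconds() for t in ttr) if ttr else None,
        "detect_sla_breaches": [r.technique for r in runs
                                if r.time_to_detect() is None
                                or r.time_to_detect() > detect_sla],
        "respond_sla_breaches": [r.technique for r in runs
                                 if r.time_to_respond() is None
                                 or r.time_to_respond() > respond_sla],
    }


# Constructed timeline for four emulated techniques.
RUNS = [
    SimulationRun("credential_dumping", "2024-05-01T10:00:00", "2024-05-01T10:01:30", "2024-05-01T10:20:00"),
    SimulationRun("lateral_movement", "2024-05-01T10:05:00", "2024-05-01T10:45:00", "2024-05-01T12:10:00"),
    SimulationRun("ransomware_sim", "2024-05-01T10:10:00", None, None),                      # never detected
    SimulationRun("exfil_over_https", "2024-05-01T10:15:00", "2024-05-01T10:17:00", None),   # detected, no response
]
DETECT_SLA = timedelta(minutes=15)   # assumed SLA values
RESPOND_SLA = timedelta(hours=1)

if __name__ == "__main__":
    for k, v in scorecard(RUNS, DETECT_SLA, RESPOND_SLA).items():
        print(f"{k}: {v}")
```

With the constructed data, MTTD is 870 seconds across the three detected techniques, but the breach lists are what a security leader should read first: one technique was never detected at all, and two were never responded to, which the averages alone would not show.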


Why Both Are Better Together 

You wouldn’t run a business with only a financial audit—you also track performance metrics in real time. Security should work the same way. 

  • OnDefend’s Penetration Testing validates perimeter security and identifies vulnerabilities before attackers do.

  • Threat Detection and Response Validation validates whether your internal and external detection and response controls are functioning as expected.

  • Together, they provide a full-spectrum view of your readiness and resilience.

That’s how you move from a reactive security posture to a proactive, mature one. 


Want to Learn More? 

BlindSPOT’s new Threat Detection and Response Validation features are available both in our BAS platform and as a fully managed service. They can also be bundled with OnDefend’s expert-led penetration testing.

Whether you want to run it yourself or just get the outcomes, OnDefend can help you: 

  • Find gaps in prevention and detection before attackers do 
  • Hold vendors accountable to their SLAs 
  • Translate technical findings into board-level risk conversations 

Learn more at ondefend.com/blindspot 


Security Control Validation: Why Testing Once Isn’t Enough

No security team plans for failure. Yet time and again, when real-world attack simulations are launched, critical gaps in detection and response emerge — even in well-funded, mature environments.

Why? Because traditional security assessments and out-of-the-box tool configurations aren’t enough to protect against adversaries. Organizations need continuous security control validation — real, ongoing testing to ensure their defenses are detecting and stopping threats before damage is done. This concept is reinforced by guidance from the National Institute of Standards and Technology (NIST), which emphasizes the importance of assessing whether controls are implemented correctly, operating as intended, and producing the desired outcome — not just whether they exist.


The Problem: Security Control Failures Are Everywhere 

Even in environments with top-tier security investments — endpoint protection, SIEMs, EDR/XDR platforms — critical controls often fail silently:

  • Alerts don’t trigger when ransomware executes.
  • Lateral movement activities go undetected.
  • Evasion techniques bypass EDRs completely.
  • Response teams are delayed because detections never reach them.

These gaps aren’t because teams are negligent. They’re because security control testing isn’t happening regularly enough — and attackers evolve faster than static defenses.

Why Continuous Security Validation Changes the Game

Traditional security controls assessments (often checklist-driven) validate whether a control exists — not whether it works against real threats.

Continuous security testing and validation changes the approach by:

  • Regularly simulating adversary behavior mapped to the MITRE ATT&CK framework
  • Testing detection, response, and containment capabilities across your live environment
  • Identifying misconfigurations and telemetry gaps before attackers do
  • Enabling security teams to adjust and optimize quickly, not after a breach

When security leaders embed continuous security control validation into their programs, they move from passive monitoring to proactive resilience.

How OnDefend Helps Teams Validate What Matters

At OnDefend, we specialize in threat detection and response validation that goes beyond traditional pentests. Pentests are our bread and butter, so we know the gaps our customers have. Our approach leverages real-world attack simulations — including ransomware, lateral movement, and data exfiltration — to ensure your security controls perform when it matters most.

Whether you’re validating EDR/XDR investments, preparing for regulatory audits, or strengthening your incident response posture, our testing provides the evidence you need to:

  • Improve mean time to detect (MTTD) and mean time to respond (MTTR)
  • Close critical visibility gaps
  • Justify security investments with real outcomes

Security Controls Can’t Be Assumed. They Must Be Proven.

Every day without continuous validation is a day you’re trusting your defenses blindly. Let’s change that. Talk to our team about security control validation. Contact us here.


Want to learn why continuous security control validation is critical? Read this blog next.

Beyond MITRE ATT&CK Coverage: How Proactive Testing Turns Frameworks Into Real Defense

Most security teams talk about MITRE ATT&CK coverage. But attackers don’t care about your roadmap. Here’s how OnDefend combines penetration testing, attack simulations, and tabletop exercises to proactively validate security controls and prepare teams for real-world threats.


MITRE ATT&CK Framework Is Only the Beginning

The MITRE ATT&CK framework is a powerful tool in modern cybersecurity. It maps real-world adversary behavior in detail, helping security teams understand how attacks unfold and where controls should detect and respond. 

But there’s a gap. 

Many organizations focus on MITRE ATT&CK coverage — aligning tools and detections with as many techniques as possible. Yet this alone doesn’t answer the question that truly matters: 

“Will our security controls actually stop a real attacker, and do we have the visibility we need?” 

At OnDefend, we’ve found that while MITRE ATT&CK is the right starting point, organizations must go further. By combining penetration testing, breach and attack simulation (BAS), and tabletop exercises, security teams can continuously validate their defenses, drill their response, and measurably reduce their threat exposure. 


Coverage Isn’t Protection

Security tools often claim broad MITRE ATT&CK coverage. But in our work with customer environments across industries, we’ve consistently noticed that security controls fail in unexpected ways: 

  • Email security gateways allowing payloads that mimicked known adversaries or ransomware delivery methods 
  • Endpoint solutions missing common PowerShell-based execution tactics 
  • SIEM tools logging events but failing to alert or trigger response playbooks 
  • Third-party MDR vendors receiving the alert but failing to respond according to SLA 

These gaps aren’t due to lack of effort — they’re due to misconfigurations, untested assumptions, and limited visibility. And the only way to uncover them is to continuously simulate real-world attacks and observe how the environment actually responds. 

 

From Map to Mission: Turning MITRE Into Real Testing

OnDefend uses the MITRE ATT&CK framework as the foundation for our proactive internal and external testing methodology. Whether we’re simulating supply chain attacks, ransomware, phishing, lateral movement, or exfiltration, each test is mapped directly to tactics and techniques that reflect real adversary behavior. 

This gives security teams: 

  • Clarity on how tools perform against specific attack vectors 
  • A prioritized view of what needs tuning or remediation 
  • Evidence for internal stakeholders and auditors 
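The distinction between claimed coverage and validated outcomes can be made concrete with a small gap report. The following is an added example, not OnDefend or BlindSPOT code: it takes a constructed inventory of ATT&CK techniques (each tagged with the tactic and whether the deployed tooling claims to cover it) and constructed simulation outcomes, then reports claimed versus validated coverage per tactic and lists every technique that was claimed as covered but was missed or merely logged without an alert. The technique IDs are real ATT&CK identifiers; the coverage claims and outcomes are invented sample data.

```python
"""Claimed ATT&CK coverage vs. validated simulation outcomes (added example, constructed data)."""
from collections import defaultdict

# Constructed inventory: technique -> (tactic, does the tool vendor claim coverage?)
CLAIMED = {
    "T1566.001": ("initial-access", True),     # spearphishing attachment
    "T1059.001": ("execution", True),          # PowerShell
    "T1003.001": ("credential-access", True),  # LSASS memory
    "T1021.002": ("lateral-movement", True),   # SMB / Windows admin shares
    "T1048.003": ("exfiltration", False),      # exfiltration over unencrypted protocol
    "T1486": ("impact", True),                 # data encrypted for impact
}

# Constructed simulation outcomes per technique.
# "logged" means the event exists in the SIEM but no alert or response playbook fired.
OUTCOMES = {
    "T1566.001": "detected",
    "T1059.001": "missed",
    "T1003.001": "prevented",
    "T1021.002": "logged",
    "T1048.003": "missed",
    "T1486": "detected",
}

# Only outcomes that would actually interrupt an attacker count as validated.
VALIDATED = {"prevented", "detected"}


def coverage_report(claimed, outcomes):
    """Per-tactic counts plus the list of techniques claimed covered but not validated."""
    per_tactic = defaultdict(lambda: {"techniques": 0, "claimed": 0, "validated": 0})
    silent_failures = []
    for technique, (tactic, is_claimed) in claimed.items():
        row = per_tactic[tactic]
        row["techniques"] += 1
        outcome = outcomes.get(technique, "untested")
        if is_claimed:
            row["claimed"] += 1
        if outcome in VALIDATED:
            row["validated"] += 1
        if is_claimed and outcome not in VALIDATED:
            # The dangerous case: the dashboard says "covered", the test says otherwise.
            silent_failures.append((technique, tactic, outcome))
    return dict(per_tactic), silent_failures


def summarize(claimed, outcomes):
    """Overall claimed vs. validated percentages and the prioritised gap list."""
    per_tactic, gaps = coverage_report(claimed, outcomes)
    total = len(claimed)
    claimed_pct = 100 * sum(r["claimed"] for r in per_tactic.values()) / total
    validated_pct = 100 * sum(r["validated"] for r in per_tactic.values()) / total
    return {"claimed_pct": claimed_pct, "validated_pct": validated_pct, "gaps": gaps}


if __name__ == "__main__":
    report = summarize(CLAIMED, OUTCOMES)
    print(f"claimed coverage:   {report['claimed_pct']:.1f}%")
    print(f"validated coverage: {report['validated_pct']:.1f}%")
    for technique, tactic, outcome in report["gaps"]:
        print(f"GAP {technique} ({tactic}): claimed covered, test result = {outcome}")
```

On the sample data the tooling claims 83% coverage while only 50% of techniques were actually prevented or detected; the two gaps it surfaces (PowerShell execution missed, lateral movement logged but not alerted) are exactly the failure modes listed above, and the gap list is the prioritised tuning queue.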

 

Combine Pentesting + Attack Simulation for Full Coverage 

Penetration testing shows where attackers can get in. Breach and attack simulations show what happens when they do. 

That’s why OnDefend helps organizations layer both: 

  • Penetration Testing: Identify vulnerabilities, misconfigurations, and weak points 
  • BlindSPOT Simulation: Using our Breach & Attack Simulation tool, BlindSPOT, we validate whether detection, alerting, and response tools and workflows function as intended 

This layered approach ensures that the prevention, detection, and response controls are being tested in a safe, transparent way. 

To see how attack simulation works in the real world, check out our Ransomware Defense Validation case study, where simulated attacks revealed critical detection gaps—and helped the security team fix them before a real adversary could exploit them. 

 

Validate, Then Drill: Tabletop Exercises That Stick 

After the attack simulation, the next step is training the people. OnDefend conducts tabletop exercises based on the same MITRE techniques identified during testing. 

We run custom sessions that simulate attack scenarios mapped to actual test findings.  

These include:  

  • Credential harvesting followed by lateral movement 
  • Endpoint compromise that bypasses EDR detection 

Participants include not just the security team, but also IT, legal, communications, and executive leadership. The result? Everyone understands their role, refines their playbooks, and builds muscle memory for real-world events. 

 

Out-of-the-Box Thinking for Out-of-the-Box Threats 

Cyber adversaries evolve fast. That’s why cybersecurity leaders need more than annual checklists and static reports. They need a continuous, dynamic approach to validation that keeps up with threat actors. 

OnDefend is redefining what proactive security testing looks like by combining: 

  • Real-world attack simulation 
  • MITRE ATT&CK alignment 
  • Transparent, non-disruptive testing 
  • Realistic tabletop exercises 

 

The Takeaway 

MITRE ATT&CK is the right foundation. But attackers don’t stop at frameworks, and neither should you. 

Security leaders who want to stay ahead of real-world threats must do more than cover tactics on paper. They must simulate, test, validate, and drill — continuously. 

While many cybersecurity firms offer tabletop exercises as a stand-alone service, OnDefend integrates them directly into our proactive testing methodology. This approach ensures every exercise is rooted in actual testing results — not hypothetical scenarios. By combining penetration testing, breach and attack simulation, and collaborative tabletop exercises, we help organizations uncover vulnerabilities, validate defenses, and prepare teams to respond effectively. 

That’s how you turn frameworks into real defense. 

Ready to see how your security controls hold up to real attacks? We’ll help you connect simulation findings to technical gaps, board reporting, and actual risk reduction. Talk to our team today about running a real-world attack simulation and tabletop exercise. Contact us here.

 

Reimagining Ransomware Defense: Revealing and Removing the Hidden Risks of Security Control Failures

Are Your Security Controls Working Right Now? Let’s Prove It.

Inspired by real-world conversations between Baptist Health CISO James Case and OnDefend CEO Chris Freedman, Ransomware Defense Validation (RDV) was built as a proactive solution tailored to the unique challenges healthcare systems face every day.

When asked whether their security controls are working properly and effectively, we’ve often heard security leaders respond, “Yes, we think so… but there’s no good way to regularly validate it.” Without the right tools to continuously test and validate these security defenses, organizations are relying on the bad guys to do the testing for them.

Join us for this webinar where James and Chris will:

  • Dive into the ransomware pandemic from a CISO’s perspective.
  • Reveal how and why prevention, detection, and response security control failures occur.
  • Explore how Ransomware Defense Validation was innovated to solve this problem.
  • Demonstrate real results and outcomes within a healthcare system implementing RDV.
  • Share actionable steps to prove your security controls work and provide a real-world ROI.

Stop hoping your controls are working; proactively prove they are.

Download the case study here: Case Study: Prominent Healthcare System Implements Ransomware Defense Validation to Safeguard Patient Safety and Data Security

Watch the full webinar here:

 


Speakers:

James Case: James Case has worked in IT within the health care industry for nearly 30 years. His tenure at Baptist Health began in 2005 when he served as a senior product manager for two years. Throughout his career, he has held information security roles both within Baptist Health and outside of the organization.

In 2021, he assumed his current senior leadership position, where he is responsible for leading day-to-day operations for information security, including incident response, the education of team members, vulnerability management, risk assessment and intrusion prevention. He is also tasked with protecting clinical information and the confidentiality of patients, as well as with delivering an effective cybersecurity program.

Chris Freedman: Chris Freedman, Co-Founder and CEO at OnDefend. With a career spanning over two decades in business leadership and cybersecurity innovation, Chris leads OnDefend’s strategic vision and go-to-market strategies. His efforts have helped establish OnDefend as a trusted partner in the global cybersecurity industry, including the development of BlindSPOT, a cutting-edge Breach and Attack Simulation (BAS) platform designed to enhance clients’ security posture through proactive validation and testing. Visit Chris’s LinkedIn Profile Here. Chris also serves as an active member of several charitable organizations, including Best Buddies and the American Red Cross, reflecting his commitment to both business excellence and community engagement.

About OnDefend

OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. OnDefend.com

What We Learned from Nine CISOs on Ransomware Defense Strategies

Ransomware continues to be one of the most devastating and expensive cybersecurity threats. Global ransomware damages are projected to reach billions annually [1], leaving Chief Information Security Officers (CISOs) and security leaders under increasing pressure to ensure their organizations are prepared. Despite sophisticated tools and strategies, blind spots in detection and response capabilities can leave even the most mature security programs vulnerable.

The OnDefend team had the rare opportunity to be a fly on the wall as nine healthcare CISOs discussed their security programs. As a group, we identified their top ransomware challenges and collaborated on strategies for how tech vendors and security leaders can work together to address these issues.

From misconfigured tools to ineffective threat responses, blind spots in ransomware defense can have devastating consequences. This blog gives you a behind the scenes look at the top challenges these CISOs face in ransomware defense and the actionable insights discussed to overcome them.

1. Operational Assurance: Ensuring Security Controls Work as Intended

The Challenge

Security leaders face the critical challenge of ensuring that detection and response tools, such as Secure Email Gateway (SEG), Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM), are fully optimized and functioning as intended. Without operational assurance, misconfigurations, policy drift, and untested updates can leave organizations vulnerable to ransomware threats and other cyber risks.

When asked, “How do you test and verify that your controls are functioning right now?”, one CISO responded, “I don’t have enough of a team to be able to test, so I’m not aware whether these things are working correctly.”

Another CISO responded, “the bad guys are technically testing us every day, right?”

But they all agreed they could do more.

Why It Matters

Misconfigurations and blind spots caused by outdated policies, incorrect thresholds, software updates, integration failures between tools, or unintended changes leave critical gaps that allow threat actors to operate undetected. This leads to increased dwell times, heightened risk exposure, and the potential for significant operational disruptions. Additionally, misconfigured controls can generate excessive false positives or negatives, overwhelming security teams and leading to missed detections of legitimate threats.

The Solution

CISOs and security leaders can take several proactive measures to ensure that security controls function as intended and deliver the protection their organization needs.

  • Establish a Continuous Validation Program: Regularly (monthly or quarterly) test and validate security controls using tools like Breach and Attack Simulation (BAS) or managed services like OnDefend’s Ransomware Defense Validation (RDV) to ensure they are properly configured and capable of detecting and responding to real-world threats.
  • Regularly Audit and Tune Configurations: Conduct routine audits of rules, thresholds, and integrations to ensure configurations are up-to-date and aligned with evolving threat landscapes. Validate that patches, updates, or policy changes do not inadvertently create vulnerabilities.
  • Foster Cross-Departmental Collaboration: Collaborate with IT, DevOps, and other business units to ensure security measures are embedded into workflows and aligned with operational needs. Work closely with procurement teams to assess vendor capabilities and meet SLA commitments.
  • Develop Incident Response Playbooks: Create detailed playbooks that include validated escalation paths, response protocols, and tool configurations to effectively handle various incident types. Test these playbooks through simulated exercises to ensure they work as intended during real incidents.
  • Promote a Security-First Culture: Train internal teams and stakeholders on the importance of proper configurations and adherence to security protocols. Encourage a culture of vigilance where security practices are seen as critical to the organization’s success.

By taking these steps and working closely with trusted security vendors, CISOs can build a proactive, resilient cybersecurity posture that ensures security controls function as intended and evolve to meet new and emerging threats.

2. Quantifying Third-Party Vendor Efficacy: Holding Vendors Accountable

The Challenge

Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) solutions are critical components of a ransomware defense strategy. However, these providers often fail to meet Service Level Agreement (SLA) requirements due to:

  • Resource constraints
  • Skill gaps
  • Outdated response protocols

5 in 10 threat response assessments result in a notification response delay or failure (data collected from OnDefend services between 2020 and 2024).

Why It Matters

Measuring vendor performance can be difficult due to a lack of transparency, inconsistent reporting, and limited actionable data on real-world incident response capabilities. Without clear metrics to evaluate whether vendors meet SLA commitments or effectively mitigate threats, organizations risk extended dwell times, unaddressed vulnerabilities, and reduced resilience to cyberattacks. The inability to quantify vendor efficacy leaves security leaders in the dark, undermining confidence in their security posture and complicating vendor selection, retention, or replacement decisions.

The Solution

  • Regularly evaluate MDR, NDR, MSSP service providers, and other security vendors to ensure they meet SLA commitments and perform as expected. Use metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to measure vendor effectiveness and identify areas for improvement.
  • Conduct regular, controlled threat detection and response exercises to measure real-world SLAs and detection and response times.
  • Simulate real-world ransomware incidents to evaluate how quickly vendors detect, alert, and respond to threats.

Use these findings to hold vendors accountable or identify alternative solutions that deliver better performance.
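Turning controlled exercises into the MTTD, MTTR and SLA numbers described above is a small data-processing task. The following is an added example, not OnDefend or BlindSPOT code, over a constructed set of exercise records: for each exercise we know when the simulated activity ran, when the provider's platform raised an alert (None if it never did), and when the provider notified the customer (None if it never did). The 30-minute notification SLA is an assumed contractual value. MTTD is measured from execution to the provider's alert and MTTR from execution to customer notification, so a "response" that never reaches the customer counts as a failure rather than silently dropping out of the average.

```python
"""MTTD, MTTR and SLA failure rate for an MDR/MSSP from controlled exercises (added example, constructed data)."""
from datetime import datetime, timedelta
from statistics import mean

# Assumed contractual SLA: customer must be notified within 30 minutes of the activity.
SLA_NOTIFY = timedelta(minutes=30)

# Constructed exercise log. "alerted" = provider platform raised an alert,
# "notified" = provider's analyst notified the customer. None = never happened.
EXERCISES = [
    {"id": "ex-01", "executed": "2024-03-04T10:00:00", "alerted": "2024-03-04T10:06:00", "notified": "2024-03-04T10:21:00"},
    {"id": "ex-02", "executed": "2024-03-11T10:00:00", "alerted": "2024-03-11T10:04:00", "notified": "2024-03-11T10:58:00"},
    {"id": "ex-03", "executed": "2024-03-18T10:00:00", "alerted": "2024-03-18T10:09:00", "notified": None},
    {"id": "ex-04", "executed": "2024-03-25T10:00:00", "alerted": None, "notified": None},
]


def _ts(value):
    """Parse an ISO-8601 timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def _minutes(deltas):
    """Mean of a list of timedeltas in minutes, or None if the list is empty."""
    return mean(d.total_seconds() for d in deltas) / 60 if deltas else None


def evaluate_vendor(exercises, sla=SLA_NOTIFY):
    """Compute MTTD, MTTR and the share of exercises with a delay or failure."""
    detect_times, respond_times, failures = [], [], []
    for ex in exercises:
        executed, alerted, notified = _ts(ex["executed"]), _ts(ex["alerted"]), _ts(ex["notified"])
        if alerted is None:
            failures.append((ex["id"], "no detection"))
            continue
        detect_times.append(alerted - executed)
        if notified is None:
            failures.append((ex["id"], "no notification"))
            continue
        response = notified - executed
        respond_times.append(response)
        if response > sla:
            failures.append((ex["id"], "notification late"))
    return {
        "mttd_minutes": _minutes(detect_times),
        "mttr_minutes": _minutes(respond_times),
        "sla_failure_rate": len(failures) / len(exercises),
        "failures": failures,
    }


if __name__ == "__main__":
    result = evaluate_vendor(EXERCISES)
    print(f"MTTD: {result['mttd_minutes']:.1f} min, MTTR: {result['mttr_minutes']:.1f} min")
    print(f"SLA delay-or-failure rate: {result['sla_failure_rate']:.0%}")
    for ex_id, reason in result["failures"]:
        print(f"  {ex_id}: {reason}")
```

The averages on their own look reasonable (detection in about six minutes), which is why the failure list matters more than the mean: three of the four constructed exercises ended in a late notification, no notification, or no detection at all, and that is the number to put in front of the vendor at the SLA review.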

3. Demonstrating Preparedness to Executives and Boards

The Challenge

CISOs face increasing pressure to assure executives and boards that their organizations are prepared to defend against and respond to ransomware and other cyber threats. However, demonstrating this preparedness is often hampered by the complexity of translating technical security measures into business-relevant insights.

Why It Matters

Without clear, quantifiable metrics—such as MTTD and MTTR—and tangible evidence of operational assurance, conveying the effectiveness of security controls and demonstrating cyber resilience becomes difficult. This lack of transparency can lead to uncertainty among stakeholders and diminished confidence in the organization’s cybersecurity posture.

The Solution

  • Beyond traditional penetration testing: Penetration testing lacks real-world threat simulation; it provides only a snapshot of vulnerabilities at a specific point in time and does not account for ongoing changes in the environment. Penetration testing reports are often technical and detail-oriented, making it challenging for CISOs to translate findings into business-relevant insights or quantifiable metrics that resonate with executives and boards. Invest in BAS tools or a managed service like Ransomware Defense Validation (RDV) to provide ongoing assurance.
  • Provide Stakeholder Transparency: Communicate the status and effectiveness of security controls to executives and board members using data-driven insights and provide tangible results that stakeholders can understand. Regularly demonstrate how investments in security controls and continuous validation reduce risk and enhance organizational resilience.

By providing measurable metrics, testing real-world scenarios, and proving that security controls and processes are both resilient and effective, CISOs can assure stakeholders that their cybersecurity efforts support operational continuity and organizational resilience.

4. Proving ROI on Cybersecurity Investments

The Challenge

CISOs are under constant pressure to secure budgets and demonstrate the value of their cybersecurity investments. However, proving ROI in cybersecurity is uniquely challenging because success is often measured by what doesn’t happen—prevented breaches, mitigated risks, and avoided costs.

Why It Matters

Without quantifiable metrics like MTTD or MTTR, and tangible proof that tools and services are functioning as intended, it becomes difficult to communicate the effectiveness of security investments to executives and boards. This lack of clarity can lead to skepticism about the necessity of new investments, underfunded security initiatives, and reduced stakeholder confidence in the organization’s ability to manage cyber risks effectively.

The Solution

Use results-driven validation to demonstrate ROI:

  • Continuously test and validate existing security tools and service providers to show where investments are working and where they fail.
  • Present quantifiable metrics, such as SEG filtering rates or detection improvements, to justify budget decisions.
  • Use data to prioritize high-performing solutions and replace ineffective tools and service providers.

When CISOs demonstrate clear, measurable value, security becomes a business enabler rather than a cost center.

5. From Reactive to Proactive: Reducing Cybersecurity Risks

The Challenge

For many organizations, cybersecurity efforts remain largely reactive, focusing on responding to incidents after they occur rather than preventing them. Many organizations only test their defenses after an incident or during annual compliance audits. This reactive approach leaves significant gaps for adversaries to exploit.

“Ransomware is the #1 risk for most hospitals, including ours. We already subscribe to the standard legacy testing practices, but we don’t have a way to continuously test and validate our defensive controls to prove they are working.” – Healthcare CISO

Why It Matters

Security teams are perpetually in crisis mode, addressing vulnerabilities and threats only after they have already impacted the organization. CISOs face the challenge of shifting to a proactive strategy that continuously identifies and mitigates risks before they are exploited. Without proactive measures, organizations remain vulnerable to evolving threats, extended dwell times, and operational disruptions, making it difficult to build a truly resilient security posture.

The Solution

Achieving this requires regular validation of security controls, real-world testing of detection and response capabilities, and actionable insights to address gaps in coverage.

  • Emulate ransomware scenarios continuously to identify weaknesses across prevention, detection, and response.
  • Implement Breach and Attack Simulation (BAS) tools or a managed service like Ransomware Defense Validation (RDV) to regularly validate readiness against real-world threats.
  • Conduct frequent, comprehensive risk assessments to identify and prioritize vulnerabilities based on their potential impact on the organization. Leverage frameworks like NIST or MITRE ATT&CK to systematically evaluate and address risks.
  • Ensure tools like EDR, NDR, and SIEM are properly configured, updated, tuned, and integrated to detect threats proactively.
  • Validate incident response workflows through regular tabletop exercises and real-world simulations.

A proactive approach builds resilience and ensures defenses evolve alongside the threat landscape.

Why Continuous Validation is Essential for Ransomware Defense

For CISOs, overcoming these challenges requires moving beyond assumptions and validating defenses against real-world ransomware attacks. By demonstrating preparedness, holding vendors accountable, and continuously validating controls, CISOs can build confidence across technical teams and executive leadership, mitigate current risks, and ensure their organizations are well-prepared for the threats of tomorrow.

We learned so much by just listening to these CISOs. While they all agreed these were the biggest technical challenges they faced, the one thing that stood out most prominently when discussing ways to solve these was LIMITED BANDWIDTH. The resources needed to check all these boxes are extremely limited and they have competing priorities.

That’s why OnDefend collaborated with CISOs and security leaders to develop Ransomware Defense Validation (RDV), a fully managed service designed to do this heavy lifting for security teams.

Discover how this healthcare organization successfully implemented RDV and the positive outcomes they achieved in this case study. 

Take the Next Step

Ready to prepare your organization against ransomware? Schedule a consultation today to learn how OnDefend’s Ransomware Defense Validation (RDV) can eliminate blind spots, optimize your security tools, and ensure vendor accountability.

Watch our webinar: Reimagining Ransomware Defense: Revealing and Removing the Risks of Security Control Failures with Baptist Health CISO James Case as he breaks down the need behind proactive security validation.

 


[1] Source: Financial Times

A Note from the CTO:

One year ago, the OnDefend team launched what could be put into the category of a ‘newsletter,’ but in reality, it’s our commitment to transparency in showcasing the latest updates and features of the BlindSPOT product. So many times, a tool you already have implemented in your system has a cool, new, and exciting feature, but no one ever told you (the user).

One year later, we’re taking the opportunity to look back at the last year and pull some of our favorite items. While it’s a lot like picking your favorite child, we picked three features to highlight, which we think reflect the growth of the BlindSPOT capabilities over the past year.

Everything on our roadmap is designed to make BlindSPOT the best option for you to safely and quickly test your defenses, and a lot of the ideas we’ve featured in these updates have come from customer feedback and suggestions, so thank you!

-Ben Finke, OnDefend Co-Founder/CTO


1. Alert Validation is Live

In the spirit of Halloween, it’s impossible not to say ‘Alert Validation is alive’ without putting a Frankenstein tone on it. Back to the point.

Alert Validation went live in December 2023. This feature powered by BlindSPOT automates end-to-end security tool testing to verify your detection rules are working & will successfully alert your team when you need them most.

The mission of BlindSPOT is to help you test the assumptions you have about your defenses. One assumption everyone makes is that the alerts you depend on work, and that if an attack is detected it will happen quickly.

Alert Validation is specifically built to help you answer this question, in a completely automated way. 

We leverage the Attack Simulation capability within BlindSPOT to execute attack activity on endpoints in your environment, then connect to your security tools and find the alerts you expect to fire – and give you all the details about them:  

We’ll show you the exact alerts firing in your tools, and how long it took for them to fire (in this case, just over 7 minutes). If any alerts you were expecting don’t fire, we’ll let you know.   

All this means you get proactive testing of your detection capabilities, end to end, fully automated and over time you get a Detection Uptime report!  
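The matching logic behind this kind of check is straightforward to reproduce. The following is an added example, not BlindSPOT's own code: it takes constructed simulation runs (each step executed at a known time and expected to produce a named alert) and a constructed alert export of the kind a security tool's API or a SIEM would return, then reports for every expected alert whether it fired and how many seconds it took. Two edge cases are handled deliberately: an alert with the right name that fired before the step ran (stale, from an earlier run) must not count, and an alert that arrives outside the matching window is treated as missed. The 30-minute window and the "detection uptime" definition (share of runs in which every expected alert fired in time) are assumptions for the example.

```python
"""Alert validation: did each expected alert fire, and how long did it take? (added example, constructed data)"""
from datetime import datetime, timedelta

# Assumed: an alert only counts if it fires within 30 minutes of the step that should trigger it.
WINDOW = timedelta(minutes=30)

# Constructed simulation runs. Each step is executed at a known time and is expected to
# produce one named alert in the security tool. Alert names are invented sample values.
RUNS = {
    "run-2024-06-03": [
        {"step": 1, "executed": "2024-06-03T09:00:00", "expect": "Suspicious PowerShell Download Cradle"},
        {"step": 2, "executed": "2024-06-03T09:10:00", "expect": "Credential Dumping Attempt"},
    ],
    "run-2024-06-10": [
        {"step": 1, "executed": "2024-06-10T09:00:00", "expect": "Suspicious PowerShell Download Cradle"},
        {"step": 2, "executed": "2024-06-10T09:10:00", "expect": "Credential Dumping Attempt"},
    ],
}

# Constructed alert export (what the tool's API would return for the period).
ALERTS = [
    {"name": "Credential Dumping Attempt", "time": "2024-06-03T08:40:00"},           # stale: before step 2 ran
    {"name": "Suspicious PowerShell Download Cradle", "time": "2024-06-03T09:07:12"},
    {"name": "Credential Dumping Attempt", "time": "2024-06-03T09:14:30"},
    {"name": "Suspicious PowerShell Download Cradle", "time": "2024-06-10T09:05:00"},
    {"name": "Credential Dumping Attempt", "time": "2024-06-10T10:02:00"},           # 52 min later: outside window
]


def _ts(value):
    return datetime.fromisoformat(value)


def match_step(step, alerts, window=WINDOW):
    """Seconds from step execution to the first matching alert inside the window, else None."""
    executed = _ts(step["executed"])
    candidates = [
        _ts(a["time"]) for a in alerts
        if a["name"] == step["expect"] and executed <= _ts(a["time"]) <= executed + window
    ]
    return (min(candidates) - executed).total_seconds() if candidates else None


def validate_runs(runs, alerts):
    """Map run id -> {expected alert name: seconds-to-alert or None}."""
    return {run_id: {s["expect"]: match_step(s, alerts) for s in steps} for run_id, steps in runs.items()}


def detection_uptime(results):
    """Assumed definition: fraction of runs in which every expected alert fired within the window."""
    healthy = sum(all(v is not None for v in r.values()) for r in results.values())
    return healthy / len(results)


if __name__ == "__main__":
    results = validate_runs(RUNS, ALERTS)
    for run_id, outcomes in results.items():
        for name, seconds in outcomes.items():
            status = f"fired after {seconds / 60:.1f} min" if seconds is not None else "DID NOT FIRE"
            print(f"{run_id}: {name}: {status}")
    print(f"detection uptime: {detection_uptime(results):.0%}")
```

Run over the sample data, the first run's PowerShell alert fires after 7.2 minutes and the credential-dumping alert after 4.5 minutes (the stale 08:40 alert is ignored), while in the second run the credential-dumping alert arrives 52 minutes later and is reported as not fired, giving a detection uptime of 50% across the two runs. Tracking that percentage run after run is what turns a one-off test into a trend a SOC can act on.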

Discover Alert Validation’s Capabilities & Integrations


2. New PowerShell Module

PowerShell is such a powerful tool, but to really take advantage of it (and demonstrate whether you have visibility into it) we really wanted to construct a way for you to start a PowerShell process and interact with it throughout the simulation.

Launched in June 2024, this module is just one example of the improvements being made to allow your BlindSPOT simulations to look as realistic as possible. 

We added a new PowerShell module to the list of payload modules.  Previously the run module was the most common way to execute any PowerShell activity, but that meant every step that ran PowerShell started a brand-new PS process, executed the command, and then exited the process.

Our PowerShell payload module starts a PS process and then lets you interact with it throughout the simulation.  So, if you set a variable in step 8, you can reference it again in step 17!  And if you bypass a security control (cough AMSI cough), you get to take advantage of that work for the rest of the simulation. 

Catch Up on BlindSPOT’s Summer Updates


3. Offline Scoring Sheets

From our famous “Speed” newsletter, we wanted to highlight the creation of the scoring sheets, to help with the understanding of the campaign activity and turbocharge the ability to rapidly score your assessments, even if you can’t use our integration directly to your tools. 

One of the biggest friction points with purple team exercises is how long it takes to get through a workshop, and BlindSPOT is here to speed that up – letting you run more (and better) exercises, more often. 

The spreadsheet file that you download has all of the details you’re used to seeing in BlindSPOT, and even has dropdowns for you to select the outcome and the security tool: 

When you are done, just save the spreadsheet file, and upload it back into the campaign from the same menu, and BlindSPOT will update the campaign score for you, from the spreadsheet. 

Oh, and it works for entire projects too, in one sheet! That’s what we call speed and functionality. 


BlindSPOT’s ‘Famous’ Speed Updates


One Last Thing….

Whether this is your first time diving into BlindSPOT’s updates or you’ve been on this journey for a while, thank you. We plan to continue making progress and sharing those updates with you. We are committed as an organization to continue pushing boundaries within the world of innovation; BlindSPOT is the product of that.

If you want to stay in the loop about what’s happening at OnDefend & BlindSPOT, including our upcoming webinars, the latest cybersecurity trends, and product updates, then follow us on Facebook, Twitter, and LinkedIn @ondefend.