Fix 10%. Eliminate 90% of Your Risk.
Based on a conversation with Aaron Rosenmund, Managing Director of Tradecraft and Programs at OnDefend
Most security programs are built backwards.
You buy the tools. You staff the analysts. You run the audits. You pass the framework assessments. Then a breach happens anyway, and the post-mortem reveals something so simple: a single misconfigured checkbox. A setting that should have been false, set to true.
The 90/10 mindset suggests a different perspective on cybersecurity risk reduction, and it is the lens through which OnDefend’s Managing Director of Tradecraft and Programs, Aaron Rosenmund, evaluates every engagement.
Direct your budget, your people, and your attention toward the fixes that eliminate the most risk. Your resources should be focused most heavily on the fixes that close the most doors, even if they aren’t always the most complex fixes or the ones that require the newest tool. And when you’re competing against adversaries leveraging AI, it’s a red team’s job to stop them quickly and efficiently. This is the 90/10 rule in practice.
“The idea is that you can put in 10% of the effort to reduce 90% of the risk.”
The Tool Problem Nobody Wants to Admit
Every RSA and Black Hat surfaces a new product promising to solve what the last one could not. And over time, security leaders, many of whom came up through IT and CIO roles, have built a mental model that maps neatly onto enterprise software procurement: buy a product, it does a thing, you are covered (and we’re not singling anyone out; the majority do it).
Even though we’ve been trying to make cybersecurity fit this mold for a very long time, it just doesn’t work out this way. The evidence is in the numbers. The annual cost of compromise keeps growing. We are approaching a trillion dollars globally. The tools have gotten better. The breaches have gotten more expensive. Something about the industry’s approach to cybersecurity risk reduction is not adding up.
What’s not adding up is that security programs, as an industry, have been built to address the wrong third of the problem.
The One-Third Problem
Traditional penetration testing, and even the automated PTaaS platforms that replaced it for many organizations, are optimized for a specific slice of risk: known vulnerabilities. CVEs. Documented weaknesses with assigned identifiers. Things that show up clean in a scan report.
Known vulnerabilities only account for roughly one-third of how real breaches happen.
The other two-thirds live in the spaces between the documented findings. Misconfigured controls. Firewall rules that nobody has audited in six years. A dev server still running in production. A web application that will happily respond to any request coming from a command-line tool. None of it has a CVE number. None of it shows up as a critical finding in a standard report. All of it can be the single thread that unravels everything.
“Fixing this does not require a new product. It requires someone to look at the data differently.”
Technology Finds It. Humans Fix It.
The 90/10 approach is not anti-technology. It is about using technology correctly.
Our OnDefend BlindSPOT technology is what we call a force multiplier for our team. This AI-driven proprietary tech takes the work of our elite offensive security team to the next level. One of our favorite moments with clients is when we get to say something as simple as, “We need you to go change this checkbox,” and it doesn’t require the client to buy a new product or tool. So, not only are we delivering major efficiencies by cutting off the choke points with minor fixes, but we are also saving teams from buying another tool when there are other ways to solve the problem.
“Automation is exceptionally good at being thorough. Humans are exceptionally good at understanding what the output means in the context of your organization. The combination is what makes this work.”
What This Looks Like in the Real World
The $300 Million Checkbox.
Rosenmund uses this one often. A major financial institution had frameworks. PCI DSS compliance. SOX compliance. Audits. All of it. And they still got hit for $300 million (and counting) because of a single VM with a setting that should have been false.
There is a 14-character open-source command (Scout Suite) that scans cloud environments for exactly this type of configuration weakness. A 14-character command. One checkbox. $300 million.
The 2014 elections.
During his tenure in the National Guard, Rosenmund was working to defend elections during the 2014 midterms. Iranian actors were using Curl, a command-line tool that makes web requests without a browser, to scrape voter registration data at scale. They didn’t hack anything. The data was technically public. They just automated the collection of it and called it an attack.
The fix required zero new products and zero new infrastructure. When a tool like Curl makes a web request, it announces itself in a header string, “I am Curl.” Rosenmund’s team simply added a rule: do not accept requests from Curl.
A rule someone could write in five minutes disrupted an active operation.
There are workarounds. There always are. But the point stands: the simplest controls, applied correctly, stop real attacks.
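The header Curl announces itself in is the HTTP User-Agent. The following is an added example, not code from the original article or from OnDefend: a small log-review script that parses constructed web-server access log lines (combined log format), flags requests whose User-Agent names a command-line client or is missing entirely, and counts them per source address, which is the evidence a defender needs before writing the kind of block rule described above. The client names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Nov/2014:10:01:12 +0000] "GET /lookup?last=A HTTP/1.1" 200 5120 "-" "curl/7.38.0"
203.0.113.5 - - [04/Nov/2014:10:01:13 +0000] "GET /lookup?last=B HTTP/1.1" 200 5098 "-" "curl/7.38.0"
198.51.100.7 - - [04/Nov/2014:10:01:14 +0000] "GET /lookup?last=Smith HTTP/1.1" 200 812 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
203.0.113.9 - - [04/Nov/2014:10:01:15 +0000] "GET /lookup?last=C HTTP/1.1" 200 5077 "-" "Wget/1.16"
203.0.113.9 - - [04/Nov/2014:10:01:16 +0000] "GET /lookup?last=D HTTP/1.1" 200 5061 "-" "-"
"""

# One combined-log-format line: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes of common scripted HTTP clients (curl's is "curl/<version>").
CLI_UA_PREFIXES = ("curl/", "Wget/", "python-requests/", "Go-http-client/")


def is_cli_client(user_agent: str) -> bool:
    """True if the User-Agent is absent ("-" in the log) or names a scripted client.

    The header is chosen by the client, so a miss proves nothing; a hit is
    cheap, high-confidence signal that a script, not a browser, sent the request.
    """
    if user_agent in ("", "-"):
        return True
    return user_agent.startswith(CLI_UA_PREFIXES)


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not well formed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def flag_cli_requests(log_text: str):
    """Return the parsed entries whose User-Agent marks a scripted client."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and is_cli_client(e["ua"])]


def requests_per_ip(entries) -> Counter:
    """Count flagged requests per source address to see who is automating collection."""
    return Counter(e["ip"] for e in entries)


if __name__ == "__main__":
    flagged = flag_cli_requests(SAMPLE_LOG)
    for ip, count in requests_per_ip(flagged).most_common():
        print(f"{ip}: {count} scripted request(s)")
```

On the constructed sample this flags four of five requests and leaves the browser request alone; the same `is_cli_client` check is what a block rule at the web tier would evaluate on the live header.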
The Math Behind the Philosophy
This is not security through obscurity. There is a real risk calculus at work – one that reframes cybersecurity risk reduction entirely.
Think about it in terms of expected cost. If your average breach costs $100 million and you expect to get hit roughly once every 10 years, your annual security budget should be around $10 million. That is your break-even.
Now consider: if reducing your visibility to opportunistic attackers lowers the probability of being targeted in the first place, even by a fraction, the expected time between incidents extends. Your cost per year drops.
That is not a philosophical argument. That is arithmetic.
Add controls that we know don’t stop attacks completely but slow them down, or that potentially keep you from being targeted in the first place. That’s where the math comes in.
Attackers, especially opportunistic ones, work through a funnel. Scan the internet. Match targets to known exploits. Narrow to exact versions. Test. Add to the list. If you exit the bottom of that funnel, you are not on the list.
The Training Gap (And Why Seasoned Teams Are Different)
Here is the uncomfortable part for the industry: new penetration testers are not taught to think this way.
They’re not particularly trained on how IT systems work, how networks are supposed to work, or on the expected controls versus what would constitute a control violation.
A firewall misconfiguration is not a CVE. It is not labeled by DHS. It will not show up in a standard vulnerability database. It requires someone who understands what the expected security posture should look like and can identify the delta between that and what actually exists. That knowledge lives in security architects and engineers, not in the penetration testing certifications that most new testers come through.
There’s no active version of the clinically trained security architect and engineer. That’s what we are building.
At OnDefend, that means pairing the depth of a seasoned red team operator with tooling designed to surface what standard scans miss, and training operators to read the metadata, the story the data tells, not just the flagged findings.
How to Tell If Your Team Is Actually Doing This
I think there are two ways to find out quickly as a security team whether your vendors are doing these things.
Test #1: Look for passive language
If your pen test report says, “this system may be vulnerable to XYZ” or “could lead to unauthorized access,” they did not finish the job. A finding is either confirmed, or it is not. Passive language means someone noted something interesting and moved on.
Test #2: Look for the boring stuff
If your report only covers vulnerabilities, domain admin paths, and tool-based findings, you are missing the most actionable output. A team operating with a 90/10 mindset should be telling you:
- Here are broken firewall rules we found in the first scan.
- You have dev and test pages still publicly accessible.
- You have no rate limiting on external-facing endpoints. Add it. Today.
- Here is technology running in your environment that your own team does not seem to know about.
“Your pen test should be telling you all these ways to harden your environment. Not just, ‘we got domain admin, you should do better at Active Directory.’”
The unsexy findings are the ones that close the doors before an attacker ever gets to knock.
The Point
The 90/10 rule is not a rigid formula. Rosenmund is the first to say it could be 80/20 or 95/5 depending on the organization. The number is an impactful headline for an idea central to real cybersecurity risk reduction, one that does not get enough airtime: the highest-impact fixes in your environment are probably not the most technically impressive ones.
They are a checkbox. A header rule. A firewall policy from six years ago. A DNS record pointing at something nobody remembers standing up.
The question is whether your security team is trained and incentivized to find them.
Connect with an OnDefender to see what is hiding in plain sight in your environment.