Hoplite

Attacks on RIAs have been on the rise, and this should be a wake-up call for firms that still think they’re too small or too niche to be worth targeting. #RIAs are often more attractive targets than they realize. Not because they’re massive organizations, but because they manage high-value personal assets, publish advisor names and emails publicly, and often treat security like a compliance task instead of a technical risk. Many firms assume that the same person handling compliance, audit, or operations can “own security” as well. Those functions matter, but they are not the same thing. Compliance can tell you whether disclosures are right, and an audit can tell you whether a process exists, but neither tells you whether your applications, portals, identity controls, or internal environment would actually hold up under real testing. When you’re managing personal money, that distinction matters. Attackers don’t care how many employees you have; they care what you have access to. If your firm manages significant assets, your reputation is at stake. If you’re an RIA and want an outside view of where your actual exposure may be, reach out to the Hoplite Consulting team. We work alongside internal teams to pressure test assumptions, validate risk, and find the gaps before someone else does. https://bit.ly/4rvH63

Q4 is the most common time to conduct a Pen Test, but is that really the best time to have one done? Teddy Guzek shares his thoughts on this phenomenon and why we encourage conducting your tests earlier in the year to remediate before your environment changes. Tests aren't a checkbox; they're an opportunity for improvement. https://lnkd.in/gdrVqFZW

A week ago, Anthropic announced Claude Code Security, and the media had a heyday. "This is the end for cybersecurity companies," the headlines rang. In his latest blog, Michael W. sets the record straight for what the introduction of this technology actually means for practitioners and the security landscape as a whole. https://lnkd.in/gCf8rsiH

We just sent out the first issue of Hoplite Labs, our monthly newsletter sharing what we’re seeing in the field across offensive security work. After eight years of doing this, some patterns keep repeating themselves: 1) Identity is still the easiest way in. A lot of organizations are deep into Microsoft and cloud migrations and assume that if they have MFA, they’re covered. But security in these environments is configuration driven. It’s about defining access correctly and maintaining it over time. 2) Conditional access gaps are everywhere. What we see most often isn’t a lack of MFA. It’s policies that look solid on paper but have real gaps. Exceptions pile up. Certain apps can’t support MFA. Executives want less friction. Travel creates edge cases. Over time, those exceptions become the policy. 3) ADCS issues are still common. They’re poorly understood and rarely reviewed from an adversary perspective, which makes them easier to exploit than most teams realize. 4) AI is being deployed faster than it’s being secured. As companies roll out AI internally, new layers of access and permissions are being added inside environments like M365. Most teams haven’t fully thought through the operational security impact. If your confidence is based on “we have MFA,” it’s worth taking a closer look. If you want to sanity check how your identity controls actually behave in the real world, let’s talk. Check out Issue #1 here: https://lnkd.in/gAxecqyk

Your team passes a cybersecurity audit. The report is finalized, findings are filed, and everyone breathes a little easier. It feels like the hard part is over. That reaction makes sense. But it’s often where risk begins. Passing an audit doesn’t mean you’re secure. It means you met a defined standard at a specific moment in time. Audits confirm controls exist and were operating during the review window. They don’t prove those controls will hold up as systems change, permissions drift, or new integrations are added. They don’t show how far someone could move once they’re inside. Most breaches don’t happen because companies ignored security. They happen because teams trusted that what passed last year is still working today. The strongest teams know compliance and protection aren’t the same. They pass the audit, then they validate what the audit assumed. Passing is necessary. Ongoing testing is what actually protects you. Read more in our blog: https://lnkd.in/gkqxDQ3y #cybersecurity #compliance #riskmanagement #securitytesting

Don’t OverReact. If your feed made it seem like every React or Next.js app was seconds away from collapse, take a breath. Framework level vulnerabilities often sound catastrophic because the software is everywhere, but most coverage skipped key nuance: 👉 Only very specific versions and configurations are actually exposed 🚫 Many organizations don’t use React Server Components at all 📦 Widely deployed production versions of Next.js are often not vulnerable Before you scramble to patch or push untested updates, ask one question: Are we actually running the affected components and versions? If not, your risk is dramatically lower than the headlines imply. Responsible security means validation, prioritization, and calm execution. Read more in our blog: https://lnkd.in/g4Fd6qan Written by Michael W. and Nathaniel Enos

We're starting the year with something big, because we've just launched our new website and we're excited for you to see it. It gives a clearer view of who we are and how we help organizations protect their data, and it shows how seriously we take cybersecurity while still keeping things practical and understandable. This is also a year where we're planning to be much more present in Indianapolis, so you'll be seeing a lot more of Hoplite around town. We'll be showing up at more local events and meeting more business leaders, and we'll be having more real conversations about what good security looks like for companies in our city. Our team cares about this community, and we want people to know they have a local security partner they can reach out to before problems arise, not just after. If you're curious about what we do or how we think about security, you can start by exploring the new site and keep an eye out for us throughout the year. We're looking forward to meeting more of you, working together, and helping build a stronger and more secure Indy. Check out our new website here: https://lnkd.in/gvvKqDXB Teddy Guzek Michael W. Matthew Guzek Nathaniel Enos #newwebsite #indianapolis #pentesting #offensivesecurity