Spend nothing. We mean it.
You probably don’t have a budget problem. You have a “nobody ever switched it on” problem. Below: seven moves that cut real breach risk for exactly $0, what to stop paying for, and the honest truth about the two things people throw money at instead.
Read the seven moves ↓More budget bought more tools. It didn’t buy fewer breaches.
Spend keeps rising and stacks keep growing, but the way attackers get in hasn’t changed. The gaps that get organisations breached are rarely the gap a new tool fills. They’re controls you already pay for, sitting un-configured and untested.
Verizon 2025 DBIR, ~12,195 confirmed breaches.
Add up everything we’re about to recommend. Here’s the invoice.
Seven moves. Zero dollars.
Some of them take money off the bill. Every line is something you can do with what you already own.
Seven moves that cost nothing.
In rough priority order. None needs a procurement cycle, just an afternoon and the willingness to find out what isn’t working.
Read the bill you already pay
Pull every security licence and list the modules you’ve actually switched on. The “new” capability you’re about to buy is often a tab in a tool you already own.
Why it works: Most enterprises run too many tools, from too many vendors, delivering unevenly. Absence is rarely the problem.
Turn on what you bought
MFA on every account, not just email. EDR set to block, not just alert. Logs kept long enough to investigate. The defaults you skipped at deployment are the doors attackers walk through.
Why it works: Stolen credentials were behind 22% of breaches. Enforcing MFA closes the most-used door, for the price of a config change.
Patch the exploited 1%
You’ll never patch everything, so stop trying. Patch what’s being exploited right now, off CISA’s Known Exploited Vulnerabilities list, and your internet-facing edge and VPN first.
Why it works: Exploited vulnerabilities drove 20% of breaches and rose 34% in a year. The KEV list is free and ruthless about priority.
Delete, don’t defend
Decommission the dead server. Close the exposed RDP. Cut admin rights to who truly needs them. Every asset you remove is one you no longer have to buy a tool to watch.
Why it works: The cheapest control is a smaller attack surface. You can’t be breached through something that no longer exists.
Cancel the shelfware
Two products doing one job? Keep the one your team actually uses and cut the other. Renewals are due for things nobody has logged into in a year.
Why it works: This is the line that pays you back. Negative on the invoice, on purpose.
Test your own controls
Run free, open frameworks (Atomic Red Team, MITRE ATT&CK, Caldera) against your own EDR and SIEM. Watch what fires, and what fails silently.
Why it works: A control that passes an audit isn’t the same as one that stops an attack. The only way to know is to attack it, and the tools to do that are free.
Make people the sensor
A one-click phish-report button. Least privilege by default. Same-day offboarding so no leaver keeps access. Wire your people in as detection, not the weak link.
Why it works: The human element shows up in 60% of breaches. Reporting turns your largest group into a free sensor network.
And if you do spend — three honest cautions.
Review your vendors. Follow the money.
A lot of security tools are venture-funded companies built for an exit, not a decade. When the acquisition comes the product gets folded, repriced, or quietly sunset, and you’re buying a replacement you never budgeted for. Favour what’s durable and proven over what’s loudest and best-funded. The cheapest tool is the one you don’t have to rip out and re-buy in three years.
Use AI sparingly. It’s not a silver bullet.
And it’s not free. Every “AI-powered” tier and every query is real, often metered, dollars. It’s genuinely good at a few narrow things and badly oversold on the rest. Turn it on where it actually saves someone time, and be ruthless about the rest. “We added AI” is not a security strategy, and it will show up on the invoice.
Or just hand it to an insurer.
Some organisations decide they’d rather pay a premium than run a program: buy cyber insurance, transfer the risk, and see what happens. We’re not telling you it’s right. But we’ve seen it done, by people who ran the numbers and made their peace with it. If that’s the road, read the policy properly. Know what it requires of you and what it quietly excludes, because that’s the part that decides whether the cheque clears on your worst day.
Run the list. Here’s the before and after.
No new line item. A materially smaller attack surface, and a story the board can actually trust.
We could have made this a brochure.
We didn’t, because the honest advice is that most of what improves your security this quarter costs nothing. Do the list. You’ll stop more than most six-figure purchases will, and none of it needs us. And if you never call, we’d rather you were secure anyway.