An offensive security firm telling you to stop buying things

Spend nothing. We mean it.

You probably don’t have a budget problem. You have a “nobody ever switched it on” problem. Below: seven moves that cut real breach risk for exactly $0, what to stop paying for, and the honest truth about the two things people throw money at instead.

Read the seven moves ↓
01The uncomfortable math

More budget bought more tools. It didn’t buy fewer breaches.

Spend keeps rising and stacks keep growing, but the way attackers get in hasn’t changed. The gaps that get organisations breached are rarely the gap a new tool fills. They’re controls you already pay for, sitting un-configured and untested.

How last year’s breaches actually happened
22%started with stolen credentials, the single most common way in
20%came through an exploited vulnerability, up 34% in a year
60%involved a person, not just a machine
30%reached in through a third party, now double the year before

Verizon 2025 DBIR, ~12,195 confirmed breaches.

02The total at the bottom of this page

Add up everything we’re about to recommend. Here’s the invoice.

$0.00

Seven moves. Zero dollars.

Some of them take money off the bill. Every line is something you can do with what you already own.

Running total
01 · Read the bill you already pay$0.00
02 · Turn on what you bought$0.00
03 · Patch the exploited 1%$0.00
04 · Delete, don’t defend$0.00
05 · Cancel the shelfware–$$$
06 · Test your own controls$0.00
07 · Make people the sensor$0.00
Total due$0.00
03Do these first

Seven moves that cost nothing.

In rough priority order. None needs a procurement cycle, just an afternoon and the willingness to find out what isn’t working.

$0Move 01

Read the bill you already pay

Pull every security licence and list the modules you’ve actually switched on. The “new” capability you’re about to buy is often a tab in a tool you already own.

Why it works: Most enterprises run too many tools, from too many vendors, delivering unevenly. Absence is rarely the problem.

$0Move 02

Turn on what you bought

MFA on every account, not just email. EDR set to block, not just alert. Logs kept long enough to investigate. The defaults you skipped at deployment are the doors attackers walk through.

Why it works: Stolen credentials were behind 22% of breaches. Enforcing MFA closes the most-used door, for the price of a config change.

$0Move 03

Patch the exploited 1%

You’ll never patch everything, so stop trying. Patch what’s being exploited right now, off CISA’s Known Exploited Vulnerabilities list, and your internet-facing edge and VPN first.

Why it works: Exploited vulnerabilities drove 20% of breaches and rose 34% in a year. The KEV list is free and ruthless about priority.

$0Move 04

Delete, don’t defend

Decommission the dead server. Close the exposed RDP. Cut admin rights to who truly needs them. Every asset you remove is one you no longer have to buy a tool to watch.

Why it works: The cheapest control is a smaller attack surface. You can’t be breached through something that no longer exists.

–$$$Move 05

Cancel the shelfware

Two products doing one job? Keep the one your team actually uses and cut the other. Renewals are due for things nobody has logged into in a year.

Why it works: This is the line that pays you back. Negative on the invoice, on purpose.

$0Move 06

Test your own controls

Run free, open frameworks (Atomic Red Team, MITRE ATT&CK, Caldera) against your own EDR and SIEM. Watch what fires, and what fails silently.

Why it works: A control that passes an audit isn’t the same as one that stops an attack. The only way to know is to attack it, and the tools to do that are free.

$0Move 07

Make people the sensor

A one-click phish-report button. Least privilege by default. Same-day offboarding so no leaver keeps access. Wire your people in as detection, not the weak link.

Why it works: The human element shows up in 60% of breaches. Reporting turns your largest group into a free sensor network.

04Before you spend a dollar

And if you do spend — three honest cautions.

If you are going to spend

Review your vendors. Follow the money.

A lot of security tools are venture-funded companies built for an exit, not a decade. When the acquisition comes the product gets folded, repriced, or quietly sunset, and you’re buying a replacement you never budgeted for. Favour what’s durable and proven over what’s loudest and best-funded. The cheapest tool is the one you don’t have to rip out and re-buy in three years.

On the shiny thing

Use AI sparingly. It’s not a silver bullet.

And it’s not free. Every “AI-powered” tier and every query is real, often metered, dollars. It’s genuinely good at a few narrow things and badly oversold on the rest. Turn it on where it actually saves someone time, and be ruthless about the rest. “We added AI” is not a security strategy, and it will show up on the invoice.

Or don’t spend at all

Or just hand it to an insurer.

Some organisations decide they’d rather pay a premium than run a program: buy cyber insurance, transfer the risk, and see what happens. We’re not telling you it’s right. But we’ve seen it done, by people who ran the numbers and made their peace with it. If that’s the road, read the policy properly. Know what it requires of you and what it quietly excludes, because that’s the part that decides whether the cheque clears on your worst day.

05Where you end up

Run the list. Here’s the before and after.

No new line item. A materially smaller attack surface, and a story the board can actually trust.

A renewal you approve on faithA stack you’ve audited and trimmed
Controls that pass the auditControls you’ve watched stop an attack
A board report full of spendOne number you can defend
“We bought the thing”“We can prove the thing works”
The honest version

We could have made this a brochure.

We didn’t, because the honest advice is that most of what improves your security this quarter costs nothing. Do the list. You’ll stop more than most six-figure purchases will, and none of it needs us. And if you never call, we’d rather you were secure anyway.

Book a 30-min call