Incident Commander during a major ransomware attack at a Fortune 500 company. Hundreds of locations. Hundreds of engineers. Tens of thousands of employees. $0 ransom paid. Full recovery in 24 hours.
Skills Applied
- Served as Incident Commander, directing containment sequencing across hundreds of locations and hundreds of engineers simultaneously
- Isolated site operations from the corporate network while maintaining uninterrupted revenue across all locations
- Cut all outbound network traffic and rearchitected the network topology around new chokepoints, giving full visibility into lateral movement
- Identified and severed the active command-and-control channel through the new chokepoint architecture
- Maintained secondary revenue channel continuity on redundant infrastructure while rebuilding compromised clusters
- Disabled all accounts organization-wide and rebuilt identity on a cloud-first architecture with no standing global-admin privileges
- Designed and deployed a hierarchical re-enrollment process: photo-ID verification for tens of thousands of employees, cascading from executives through managers to front-line staff
- Enforced MFA across the entire organization, deploying hardware tokens where authenticator apps were not viable
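The re-enrollment cascade and account-rebuild rules described above, as an added example that is not part of the original page and not the responder's own tooling. It assumes, since the page does not say, that the org chart is a tree rooted at the executives, that each employee is verified by their direct manager and only after that manager has been re-enrolled, that the photo-ID check is recorded on the account, that MFA falls back to a hardware token where an authenticator app is not viable, and that no rebuilt account may carry a standing global-administrator role. The org chart and role names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mfa(Enum):
    AUTHENTICATOR_APP = "authenticator_app"
    HARDWARE_TOKEN = "hardware_token"


@dataclass(frozen=True)
class Employee:
    uid: str
    manager: Optional[str]     # None marks an executive at the root of the tree
    app_viable: bool = True    # False where an authenticator app cannot be used


@dataclass(frozen=True)
class Account:
    uid: str
    verified_by: Optional[str]  # manager who checked the photo ID (None for executives)
    mfa: Mfa
    roles: frozenset


class ReenrollmentError(Exception):
    """Raised when a request violates the cascade rules."""


# Assumed policy: these roles are never a standing assignment on a rebuilt account.
FORBIDDEN_STANDING_ROLES = frozenset({"GlobalAdministrator"})


class Directory:
    def __init__(self, employees):
        self.employees = {e.uid: e for e in employees}
        for e in employees:
            if e.manager is not None and e.manager not in self.employees:
                raise ValueError(f"{e.uid}: unknown manager {e.manager}")
        self.accounts: dict[str, Account] = {}  # only re-enrolled identities live here

    def cascade_order(self) -> list[list[str]]:
        """Enrollment waves: executives first, then each successive layer of reports."""
        waves = []
        current = sorted(u for u, e in self.employees.items() if e.manager is None)
        while current:
            waves.append(current)
            current = sorted(u for u, e in self.employees.items() if e.manager in current)
        return waves

    def ready(self) -> list[str]:
        """Employees not yet re-enrolled whose manager already holds a rebuilt account."""
        return sorted(u for u, e in self.employees.items()
                      if u not in self.accounts and e.manager in self.accounts)

    def _mfa_for(self, emp: Employee) -> Mfa:
        # MFA is mandatory; fall back to a hardware token where the app is not viable.
        return Mfa.AUTHENTICATOR_APP if emp.app_viable else Mfa.HARDWARE_TOKEN

    def enroll(self, uid: str, verifier: Optional[str], photo_id_checked: bool, roles=()) -> Account:
        emp = self.employees.get(uid)
        if emp is None:
            raise ReenrollmentError(f"{uid}: not in the HR directory, no account is created")
        if uid in self.accounts:
            raise ReenrollmentError(f"{uid}: already re-enrolled")
        if not photo_id_checked:
            raise ReenrollmentError(f"{uid}: photo ID must be verified before an account is issued")
        if emp.manager is None:
            if verifier is not None:
                raise ReenrollmentError(f"{uid}: executives are verified at the root, not by a manager")
        else:
            if verifier != emp.manager:
                raise ReenrollmentError(f"{uid}: verifier must be the direct manager {emp.manager}")
            if verifier not in self.accounts:
                raise ReenrollmentError(f"{uid}: manager {verifier} has not been re-enrolled yet")
        bad = FORBIDDEN_STANDING_ROLES & set(roles)
        if bad:
            raise ReenrollmentError(f"{uid}: standing role(s) {sorted(bad)} are not permitted")
        acct = Account(uid, verifier, self._mfa_for(emp), frozenset(roles))
        self.accounts[uid] = acct
        return acct


def rejected(directory: Directory, *args, **kwargs) -> bool:
    """True if the cascade rules refuse the request."""
    try:
        directory.enroll(*args, **kwargs)
    except ReenrollmentError:
        return True
    return False


# Constructed org chart: one executive, one VP, one site manager, two front-line staff.
ORG = [
    Employee("ceo", None),
    Employee("vp-ops", "ceo"),
    Employee("site-mgr-17", "vp-ops"),
    Employee("cashier-1701", "site-mgr-17", app_viable=False),  # no phone: hardware token
    Employee("cashier-1702", "site-mgr-17"),
]

if __name__ == "__main__":
    d = Directory(ORG)
    print("waves:", d.cascade_order())
    d.enroll("ceo", None, True)
    d.enroll("vp-ops", "ceo", True, roles=("HelpdeskAdmin",))
    print("queue-jump refused:", rejected(d, "cashier-1701", "vp-ops", True))
    print("global admin refused:", rejected(d, "site-mgr-17", "vp-ops", True, roles=("GlobalAdministrator",)))
```

The cascade falls out of the tree: `ready()` only ever returns people whose manager already holds a rebuilt account, so front-line staff cannot be enrolled by anyone who has not themselves been verified up the chain, and an identity missing from the HR directory never gets an account at all.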
Results
- Revenue impact: zero. All locations operated throughout. Industry baseline: 75% of organizations report significant revenue loss from ransomware.
- Ransom paid: $0. Industry median exceeds $1.5M.
- Containment: hours from detection to full network lockdown; full recovery in 24 hours. Industry average recovery: 24 days.
- Identities re-enrolled: tens of thousands with photo-verified, MFA-enforced cloud-first accounts.
If you want to understand how your architecture would hold up under isolation pressure, that conversation is worth having.