At 02:47 the pager chirped with the kind of alert nobody configures on purpose: mass lateral movement flagged by an EDR engine that's usually half-asleep. By 02:50 the SOC runbook told us to "validate alert fidelity" while the domain controller sprayed 20,000 failed logins. We didn't have the luxury of skepticism.

Three of us pivoted into the production enclave, isolated the compromised bastion host, and watched the attacker fumble a copy-paste of Invoke-Mimikatz. They got lucky anyway—a long-forgotten service account had domain admin. We revoked the ticket, rotated the credentials, and quarantined eight workstations before the east-coast sales team noticed Slack timing out.

Debrief from the Void

  • Log retention saved us. Thirty days isn't enough, but it was enough to correlate the staging host that seeded the chaos.
  • Automation without empathy burns people out. The pager escalation policy dumped everything on whoever was awake. We rewrote it before sunrise.
  • Dark humor is armor. We renamed the incident "Operation: Please Go Outside" to keep morale intact.

The compromise ended, the building lights flickered, and somebody microwaved leftover ramen in the break room. Glorious, miserable, necessary.