check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.
check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.
check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.
check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.
check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.
check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.
check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.
check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).
check_circleRun an annual tabletop modelled on LockBit 2.0 (legacy)'s latest playbook.
check_circleHave an IR retainer identified before you need it.
