04 // The Levers
Five levers. Pulled in the right order.
For every attacker dependency we map, there is a corresponding environmental change available to us. We can pull every one of these without breaking your business. We do not pull them randomly. We pull them based on the intelligence map and your risk tolerance. Click each row.
Lever
What they need
What we change
PPeople
Consistent operator access, stable credentials, predictable behaviour.
Rotate privileges and passwords, enforce MFA, shorten session lifetimes, shift telemetry.
▸
In plain English: change the passwords and logins the intruder has been quietly reusing, and the keys in their pocket stop working overnight. FRICTION PROFILE Low cost to your business, high cost to mature tradecraft. Credential rotation alone often kills long-haul access. Pair with shortened session windows and shifted log collection schedules so the attacker's quiet hours stop being quiet. This is usually our first lever.
EExploits
Stable, unpatched, unchanging software versions.
Apply patches off-schedule. Move version cadence. Replace components that aged into stability.
▸
In plain English: the attacker built a tool to pick one exact lock you run. Change that lock on a day they did not expect, and the tool they paid for stops fitting. FRICTION PROFILE The attacker has paid in time and money to weaponise a specific version of something you run. Predictable patch cycles let them plan around it. Unscheduled upgrades, even minor ones, force their tooling to re-verify and re-test. Their bureaucracy shows up on our sensors.
TTools
Stable host fingerprints, standing rule exceptions, predictable telemetry.
Reset EDR exclusions, normalise configurations, rebuild golden images, shift logging.
▸
In plain English: the intruder's gear survives by hiding on your security tool's "ignore this, it is fine" list. Wipe that list, rebuild your machines from clean copies, and the hiding spots vanish. FRICTION PROFILE Almost invisible to users. Severe to mature implants. Cycle every standing exception. Reset every "temporary" allow rule. Implants designed to look like legitimate components suddenly stop blending in.
IInfrastructure
Fixed network routes, persistent jump hosts, predictable external service patterns.
Re-segment networks, change DNS, introduce ephemeral hosts, shape traffic.
▸
In plain English: the attacker memorised the corridors of your network, which room connects to which. Rearrange the corridors and their map to the exits goes wrong. FRICTION PROFILE The heaviest lever. The highest yield. We sequence it carefully, with rollback and your team in the loop. Re-segmentation is hard. So is the attacker's lateral movement plan. Short-lived hostnames and ephemeral compute turn the network into a moving target without the noise of full automation.
OOrganization
Predictable change windows, announced maintenance, observable communications.
Unannounced upgrades, simulated audits, irregular windows, fabricated oversight events.
▸
In plain English: the attacker plans their work around your calendar, your quiet weekends, your announced maintenance. Change the calendar without warning and you catch them rushing. FRICTION PROFILE Targets the attacker's calendar, not their code. Most APTs run on schedules and on the assumption that announced changes mean predictable changes. Pull this lever and they move faster than their tradecraft allows. That is when they make mistakes.
// HOW WE WORK. We never pull a lever without a written rollback plan, change-management sign-off, and an agreed escalation path with your team. Friction is not chaos. Friction is engineered. We start with the lowest-impact, highest-yield options and escalate only when the intelligence supports it.