Research & Evidence

The problem KTLYST solves isn't theoretical. These are public cases, academic research, and industry data that document why security teams keep getting breached the same way twice.

By Assaf Kipnis, 12+ years in threat intelligence at Google, Meta, LinkedIn, ElevenLabs.

84% of breached orgs paid ransom
78% were breached again
36% by the exact same attacker
$900M+ combined damages across six cases

Re-Breach Case Studies

Six publicly documented cases where organizations responded to Breach 1 but failed to institutionalize the lesson. In every case, the learning existed. It just wasn't governed, enforced, or preserved.

Change Healthcare / ALPHV BlackCat (2024)

$872M+ in damages

CISA published advisory AA23-353A on December 19, 2023, describing ALPHV BlackCat ransomware tactics, techniques and procedures, together with recommended mitigations. Per UnitedHealth Group's congressional testimony, the attackers gained initial access to Change Healthcare on February 12, 2024, 55 days later, through a Citrix remote access portal that had no multi-factor authentication enabled, an exposure the advisory's mitigations (phishing-resistant MFA on all remote access) directly addressed. Approximately 190 million individuals were affected.

WHAT HAPPENED

ALPHV BlackCat ransomware group compromised Change Healthcare, the largest medical claims processor in the US. The attack disrupted pharmacy operations nationwide for weeks.

THE GAP

55 days between a CISA advisory describing the threat actor's TTPs and the mitigations that would have blocked them, and the breach. The intelligence existed. It wasn't operationalized.

KTLYST angle: A single CISA advisory input produces 7 governed artifacts: detection rules, hunt hypotheses, playbook updates, MITRE mappings, compliance evidence, control updates, and monitoring rules. From one input, coordinated defense across the stack. In under 5 minutes.

Sources: UnitedHealth Group congressional testimony, HIPAA Journal, CISA AA23-353A

LastPass - Same Attacker, Two-Phase Breach (2022)

$150M+ crypto theft

Breach 1 (Aug 2022): the attacker compromised a developer's laptop and stole source code and proprietary technical information. Breach 2 (same campaign, Aug to Oct 2022): the same attacker used information from the first incident, together with data from a third-party breach, to target one of only four DevOps engineers with access to the decryption keys for the cloud backup storage. A keylogger was installed on the engineer's home computer by exploiting a vulnerable third-party media software package, capturing his master password after MFA had been completed. The attacker then exfiltrated encrypted customer vault backups, including those of roughly 1.6 million UK users.

ROOT CAUSE

After Breach 1, LastPass didn't recognize the stolen source code was a map to target specific high-value employees. Only 4 people had the keys. They should have been hardened immediately.

COST

$150M+ in cryptocurrency theft from cracked vaults (attributed to the breach by US federal investigators). $24.5M class action settlement. £1.2M UK ICO fine.

KTLYST angle: A governed learning artifact from Breach 1 would have produced: "source code stolen -> maps to infrastructure -> these 4 employees are now high-value targets -> enforce: rotate credentials, harden personal devices, restrict access scope." That artifact never existed.

Sources: Krebs on Security, Cybersecurity Dive, The Hacker News

Okta - Breached 2022, Again 2023

~$8B market cap loss

Breach 1 (Jan 2022): Lapsus$ compromised the laptop of a support engineer at third-party vendor Sitel. Okta knew of the incident in January but did not disclose it until Lapsus$ posted screenshots in March, roughly 2 months later. Breach 2 (Oct 2023): an employee signed into a personal Google account in the Chrome browser of an Okta-managed laptop, which synced a service account's username and password into that personal account. The attacker used the service account to reach the customer support system, downloaded HAR files containing customer session tokens, and ran a report listing ALL customer support system users.

ROOT CAUSE

Post-2022 remediation focused narrowly on third-party access. Didn't address employee credential hygiene. Same pattern: stolen credentials -> support system access -> customer data.

COST

~$8B combined market cap loss. $60M shareholder lawsuit settlement. Downstream impact on Cloudflare, 1Password, BeyondTrust.

KTLYST angle: The learning from Breach 1 ("credential theft -> support system -> customer data") should have been enforced as a governance artifact: "any employee credential exposure -> immediate support system access review + personal account audit." That learning decayed.

Sources: Krebs on Security, CNBC, BeyondTrust

T-Mobile - 4+ Breaches in ~2 Years (2021-2023)

$550M+ total costs

Aug 2021: records of 76.6M current, former and prospective customers exposed. Nov 2022 to Jan 2023: an attacker abused an API undetected for about 6 weeks (November 25, 2022 to January 5, 2023), pulling 37M customer records. Two further, smaller breaches followed in 2023. After the 2021 breach, T-Mobile pledged $150M in cybersecurity improvements. Despite this, API abuse went unnoticed for 6 weeks.

ROOT CAUSE

FCC found practices "consistently below standard." Money without institutional memory. No system verified that post-incident action items were completed, validated, and enforced.

COST

$350M class action settlement. $150M security pledge. $31.5M FCC settlement. Total: $550M+.

KTLYST angle: T-Mobile pledged $150M and STILL got breached repeatedly. Money without institutional memory is throwing cash at the problem. What was missing was a system that tracked each post-incident action item from creation through completion, validation, and ongoing enforcement.

Sources: Firewall Times, CyberScoop, Infosecurity Magazine

MGM Resorts - Same Attack Class, 4 Years Apart

$100M revenue impact

2019: 10.6M guest records stolen (disclosed Feb 2020). Sep 2023: Scattered Spider called the MGM IT help desk, impersonated an employee identified via LinkedIn, and talked the help desk into resetting that employee's credentials. From there the attackers took over the Okta tenant (super admin) and escalated to Azure AD global admin, and ALPHV BlackCat ransomware was deployed. 10+ days of operational disruption across all properties, from slot machines to room keys and reservations.

ROOT CAUSE

On August 31, 2023, weeks before the MGM attack, Okta published a warning to its customers about a social engineering campaign in which attackers call IT help desks to have credentials and MFA reset on highly privileged (super admin) accounts. That is the technique that was used against MGM. The warning was public and available to MGM; it was not turned into an enforced help desk verification procedure before the attack.

COST

$100M revenue impact (Q3 2023). $45M settlement. 10+ days operational disruption.

KTLYST angle: Okta's warning was published and received, but not enforced. No governance artifact was created: "social engineering risk -> help desk identity verification procedure for credential and MFA resets -> enforce and validate." The learning existed. It just died in someone's inbox.

Sources: Inzone Insurance, CyberArk, SDO Security

Rackspace - Chose Not to Patch, Paid 3x (2022-2025)

$5M+ direct costs

Dec 2022: Play ransomware hit the Hosted Exchange environment via CVE-2022-41080 chained with CVE-2022-41082 (the OWASSRF exploit method). Rackspace had delayed installing the Exchange patch because of reported authentication problems with it and had applied Microsoft's URL-rewrite mitigation for ProxyNotShell instead; OWASSRF bypassed that mitigation. Hosted Exchange was permanently shut down. Sep 2024: compromise via a zero-day in a third-party monitoring utility (ScienceLogic SL1). Mar 2025: the CL0P ransomware gang listed Rackspace on its leak site and began leaking data.

ROOT CAUSE

Rackspace made a documented decision to defer a critical patch and rely on a vendor mitigation. That decision was not unreasonable on its face, but it wasn't governed: no expiry date, no named risk owner, and no validation that the mitigation still blocked the exploit paths actually in use.

COST

$5M+ direct expenses from 2022 alone. Hosted Exchange offering permanently terminated.

KTLYST angle: Rackspace made a documented decision NOT to patch. That decision wasn't governed. No artifact tracked: "vulnerability disclosed -> mitigation chosen over patch -> risk accepted by [whom] -> validate mitigation effectiveness -> expiry date for review."

Sources: TechTarget, Cybersecurity Dive, Bleeping Computer

The Common Thread

Across all cases: the organization "responded" to Breach 1 but failed to institutionalize the lesson.

"These companies didn't lack tools, talent, or budget. They lacked a system that turns 'we learned this' into 'we enforced this.' That's what KTLYST builds."

Academic Research

The re-breach problem isn't just anecdotal. Academic research consistently documents the failure of security knowledge to flow from learning to enforcement.

Threat Intelligence Sharing: Actionability Gap

Academic research on CTI sharing effectiveness

Analysis of shared cyber threat intelligence found that only a fraction of shared indicators contain actionable detection rules. The vast majority of intelligence stays as informational context that never becomes operational defense.

0.09% of shared indicators contain actionable rules

Organizational Learning in Cybersecurity

Organizational learning theory applied to security

Documents how security organizations struggle to capture and operationalize lessons from incidents. Institutional knowledge concentrates in individuals rather than systems, creating vulnerability to turnover.

48-month average CISO/security leader turnover cycle

Detection Engineering as a Discipline

Industry trend analysis

Detection Engineering has emerged as a titled discipline, with companies now hiring Heads of Detection Engineering. This signals market recognition that the translation from intel to detection needs its own function, but most organizations still lack the infrastructure to govern the outputs.

Post-Incident Learning Decay

Security incident response studies

Research on incident response effectiveness shows that post-incident recommendations decay rapidly. Action items from postmortems are completed at low rates, and even when completed, the changes are rarely validated against future similar incidents.

Industry Data

Enterprise Security Tool Sprawl

Panaseer 2022 Security Leaders Peer Report - 1,200 enterprise respondents

The average enterprise deploys 76 security tools. These tools generate data, alerts, and findings. But no system connects what each tool learns. That's 76 muscles with no nervous system.

76 avg. security tools per enterprise

Ransomware Re-Breach Statistics

Cybereason - Ransomware: The True Cost to Business (global survey)

84% of organizations hit by ransomware paid the ransom. 78% of those that paid were attacked again. 36% of those re-attacked were hit by the exact same attacker. Paying doesn't fix the underlying problem: learning that doesn't persist.

Regulatory Pressure for Demonstrable Learning

SEC, DORA regulatory frameworks

The SEC's 2023 cyber disclosure rules require public companies to disclose material incidents on Form 8-K within four business days of determining materiality and to describe, annually, their processes for assessing, identifying and managing cyber risk. DORA goes further for EU financial entities: Article 13 ("learning and evolving") requires post-incident reviews after major ICT-related incidents, with the lessons fed back into the ICT risk management framework. "We fixed it" is no longer sufficient. Regulators want evidence of systematic improvement.

What Practitioners Say

"If you put it in a silo you killed it."
Former CISO, Fortune 500
"There's a lot of institutional knowledge gap."
Security-focused VC partner
"Why is security threat intel admired yet dumb, and how do we make it smart and applicable?"
CISO, biotech