
Reader discretion advised.

Tshhh-KRASSHH!
A beer glass crashed onto the grimy floor, bursting into a spray of jagged shards. The bartender, who had dropped it, barely flinched. Shattered glass and racket were just part of the vibe in this bar.
The place was a dive, a squalid hole where the air hung heavy with the reek of stale beer and regret. Neon buzzed overhead, flickering like a dying pulse, bathing the room in a jaundiced glow. Silas sat in the corner booth, cradling a scotch, his dark eyes glinting as they swept the crowd with a hunter’s patience. The ice in his glass clinked softly, a rhythm to his thoughts. Then the door creaked, and Owen shuffled in—a ghost of a man, his coat too big, his face too hollow.
Silas had known Owen since their college days, back when they were two kids with wild dreams of making it big in Silicon Valley. Silas had soared - big paychecks, fancy titles - while Owen had crashed, a string of bad breaks and worse choices grinding him down. Now, as Owen slumped into the booth, Silas saw the wreckage up close: the tremor in his hands, the red-rimmed eyes.
SMACK.
Silas’s tumbler hit the table, ice jangling like loose change. Owen flinched, beer sloshing in his grip.
“You know what, Owen?” Silas’s voice was low, rough-edged with something dark. “Screw NextSecure.”
Owen stared into his drink, shoulders curling inward. “What’s the point?” he muttered, voice fraying. “I’m done. Eleven months, no calls. Overqualified, they say. Olivia…” He choked, knuckles whitening around the glass. “She left. Took the house. We had a name picked out—Rebecca. Now I can’t even look at a stuffed animal without…” He trailed off, shuddering.
Silas’s jaw tightened. “When’d she leave?”
“Two weeks ago,” Owen whispered, shame dripping from every word. “I don’t blame her.”
The silence stretched, thick as the smoke curling from a nearby cigarette. Silas leaned forward, his shadow swallowing the table’s faint light.
SMACK.
The glass slammed down again, decisive. “Screw this,” he said, voice dropping to a hiss. “You and me, Owen. We’re gonna make them pay.”
Owen blinked, wary. “How?”
Silas’s lips twitched, a predator’s smile. “Craig. That skinny-jean-wearing jackass who peddled your work into a promotion. Backstabbed you to save his own skin.”
Owen’s eyes flickered, bitterness sharpening them. “He’s still there?”
“With me, yeah. But I’m next on the block.” Silas leaned closer, the dim light carving his face into something feral. “We’ve got the keys, Owen. The PKI stack. We can torch their precious zero-trust system from the inside.”
Owen stiffened. “That’s prison... Silas.”
“Not if we’re smart,” Silas countered, smooth as silk. “We hijack the Intermediate Certificate Authority, pin it on Craig. They’ll never see us coming.”
He sipped his scotch, letting the idea settle. “You built their backbone with me. We know every crack. We’re gonna break it.”
Owen’s gaze darted to the table, then back. “You’re serious?”
“Yeah,” Silas said, his grin a blade.
“Just as a prank. We won’t do anything harmful to the users.”
“That’s too risky, Silas…” Owen said in a harsh whisper. “Why go that far? What’s in it for you?”
Silas’s eyes darkened. He looked away for a moment, then back.
“Remember that equity I had with them?” he muttered. “Two percent. Then they ‘restructured’ the cap table last year. Diluted it to dust.”
Owen blinked. “They screwed you too?”
“I was there from the beginning. Built almost everything. And Craig? He took the credit. I got a pat on the back and worthless options. So yeah,” Silas said, voice tightening. “I’m done playing nice.”
---
5 Days Later
Owen wrestled with it. His apartment was a prison: peeling paint, a mattress on the floor, the hum of traffic seeping through cracked windows. He paced, replaying Silas’s words, the lure of revenge gnawing at him. He saw his wife’s face, the empty crib they’d bought, the life stolen by suits who couldn’t care less. The anger burned, hot and alive as he remembered his termination letter.
Then he saw it posted on LinkedIn:
“ZTNA startup NextSecure valued at $1B in latest funding round.”
He hurled his phone at the dilapidated wall. Tears of anger, frustration, and regret rolled down his cheeks.
He picked the phone back up and, through the cracked screen, typed: “I’m in.”
---
4 Days Later
Silas stood in the “Room”, as his boss jokingly called it—a sterile vault of blinking servers and frigid air. Two-factor locks, smartcards, and air-gapped terminals. It was locked down. But Silas was already inside.
Craig and Silas were equals on paper. But Craig had the audit keys. The “merge rights.” He signed off on changes to the Intermediate Certificate Authority when key rotations came up. Which meant Silas couldn’t move alone, not without lighting up every dashboard.
So he waited. Quiet. Patient.
He had watched Craig for months: how his coffee breaks always landed between 2:00 and 2:30, how he’d sometimes disappear for nearly an hour to go “get some air,” how on those days he didn’t always pull his YubiKey from the port, just locked his terminal and left, because he didn’t want it to look like he wasn’t ‘busy.’ Ordinary behaviour. Nothing anyone would flag.
Silas noticed Craig looked pale—maybe something he ate, maybe stress. He ducked out early, said he needed air. Perfect.
Click. The door shut as Craig left.
Silas slid over to his terminal.
He inserted a command chain into the terminal buffer. Nothing malicious, just a clone of the existing intermediate Certificate Authority script. But with one crucial edit: the keypair would be duplicated to a secure enclave he owned, under the guise of a “redundant backup.”
He didn’t sign it. Not yet.
When Craig returned, Silas didn’t look up.
“Hey, I queued up the CA refresh for the test cluster. Jenkins is acting up again with the validation script. Please approve it.”
Craig groaned. “Right now? Seriously?”
Silas shrugged. “Yeah. Kamal’s team’s bitching. Pipelines are down. It’ll escalate.”
Craig’s eyes flicked to the clock. 3:52 PM. If he left soon, he’d still make his date.
Craig, disgruntled, scanned the pending tasks, saw Silas’s name on the PR, glanced at the output hash, and signed the new intermediate CA.
It was clean. It looked like every other certificate update they’d ever done. Logged. Approved. Reviewed.
What he actually signed was the digital equivalent of a master skeleton key—an intermediate Certificate Authority with silently expanded trust, backdated validity, and no path linting to warn about new trust chains. It passed because it looked like it always had.
By 5 PM, NextSecure-CoreINT02 was trusted by over 700 systems. OT vendors, internal services, client tunnels. Even the ZTNA appliances trusted it.
That was the point. Break the trust root, and everything above it falls.
And the only name on the audit trail?
Craig.
Silas leaned back, adjusted his lanyard, and smiled.
“So much for your zero trust.”
He mused:
ZTNA isn’t a fortress.
It is a cathedral, built on blind faith in authorities.
They trusted no one, except the things that couldn’t be questioned.
And he just deployed a corrupt bishop.
---
3 Days Later
Owen sat in his miserable apartment. His laptop glowed. His hands shook as he typed, sweat beading on his brow.
Owen triggered the payload. Nothing destructive. Just humiliating. A simple screen saying “you have been pwnd”.
He hit a few client-facing systems. Rebranded dashboards. Altered cert chains. A few errant logins.
Just enough to rattle cages.
And then, he posted.
Reddit. X.
“NextSecure is a Joke”
The post got some views, some clicks…
Not enough, he thought. So he widened the net: if NextSecure didn’t issue an acknowledgment soon, he would pwn some more.
---
2 Days Later
Silas and Owen met at the same bar, same booth, same drinks. Silas raised his glass. “You’re in deep now?”
Owen nodded, forcing himself to sound calm. “Yeah. Press release soon, I bet.”
Silas chuckled, a low, satisfied sound. “Cheers to that.”
They drank. The noise of the bar hummed around them, muffled and distant.
Owen shifted in his seat. “You ever think about what comes next? I mean—this isn’t small stuff. What we did…”
Silas leaned back. “This? Nothing to worry about. You and I got our revenge, now we just walk away, laughing all the way...”
“Next round’s on me,” Silas said as he slid out of the booth, brushing off his coat. “But skip the beer. Celebrate. Get something fun.”
“Sure,” Owen said with a half-smile. “I’ll have what you’re having.”
Silas winked and headed to the bar.
From across the room, under the jaundiced glow of flickering neon, he held up two fingers. The bartender nodded.
And as he leaned on the counter, casual as ever, Silas reached into his coat pocket and subtly palmed a small packet.
His smile never faltered.
---
1 Day Later
In Owen’s apartment, Silas operated coldly, almost clinically.
Wearing surgical gloves, he inserted a USB into Owen’s computer. Years of code distilled to one payload.
Malware that didn’t tease or ransom—just spread and destroy.
It slithered into NextSecure’s client networks. OT systems. Fortune 500s. Municipal energy grids.
The first wave didn’t even touch disk. It just fingerprinted environments and quietly rewrote local trust anchors. No EDR alerts. No signature triggers. It looked like patch automation.
---
Several Days Later
Headlines read: “Massive Industrial Disruption as Supply Chains Collapse Across North America.”
“Certificate Compromise Leads to Catastrophic OT Outages—NextSecure Under Scrutiny.”
Wall Street: Red.
The ensuing chaos and noise stood in stark contrast to Owen’s eerily silent apartment.
BANG. Blinding white.
A SWAT team burst into Owen’s apartment. Kevlar. Flashlights. Screams.
They found a toppled chair and Owen, cold and dangling.
Silas was gone.
END.
---
This is a work of fiction, inspired by real-world incidents and events.
Any references to names, companies, or events are purely coincidental.
How to Prevent This Attack
This attack highlights the dangers of implicit trust, which is ironic given that the vendor, NextSecure, was selling zero trust network access. If only there had been a little less trust in NextSecure internally, and if their clients had trusted them a little less.
A good mental model is to assume that your vendor has already been compromised. Does the architecture of their solution still hold up in that scenario, or does it hinge on a single point of trust such as a certificate authority?
♦️ Third-party trust is sometimes necessary because it makes scale more efficient. However, industries with critical equipment should carefully consider the implications, especially for sensitive systems like access control: if it fails, everything behind it is jeopardized.
♦️ Better alternatives for high-security use-cases can be found in Bastionne's Armory: secure access solutions for critical infrastructure that do not have assumed trust or third-party attack vectors, as Bastionne's core technologies do not use CAs, brokers, etc. in the first place.
♦️ Implement XDR and other detection systems, with the caveat that your XDR vendor themselves must not be compromised! All tools are potential entry points if adversaries can compromise them.
♦️ A more expensive and manual, but safer, approach is to publish updates to an internal quarantined zone and let them sit for a period before pushing them to production stacks. This isn’t always feasible, especially with critical patches, and it introduces some operational risk. But it’s a tradeoff worth careful consideration, especially for sensitive systems.
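What the story's missing check looks like in code, as an added example (not code from the page, and NextSecure is fictional, so not its code either): CoreINT02 was rejected by nothing because every relying party trusted "anything that chains to our root", and the approver looked only at a hash. Two checks close that gap. At signing time, lint the CA certificate itself for a path-length constraint, name constraints and a backdated validity start; at the relying party, accept only intermediates whose fingerprints are on an explicitly approved list, not every intermediate the root happens to have signed. X.509 parsing and signature verification are assumed to happen elsewhere (for real certificates, with the `cryptography` package); the helpers `lint_ca_cert` and `evaluate_chain` are hypothetical names, and every subject, date and fingerprint below is constructed for the example.

```python
"""Trust-chain policy linter, an added example and not code from the page.

Signature verification is assumed done elsewhere; these checks cover what a
valid signature does not: an over-privileged, backdated, unpinned intermediate.
All subjects, dates and fingerprints are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CACert:
    subject: str
    issuer: str
    fingerprint: str                 # hex SHA-256 of the DER (constructed here)
    not_before: datetime
    not_after: datetime
    path_len: Optional[int]          # BasicConstraints pathLenConstraint; None = unbounded
    permitted_names: tuple = ()      # NameConstraints permittedSubtrees; () = none


@dataclass(frozen=True)
class Policy:
    roots: frozenset                 # subjects of trusted roots
    pinned_intermediates: frozenset  # fingerprints approved through review
    max_backdate: timedelta = timedelta(days=1)


def lint_ca_cert(cert: CACert, signed_at: datetime, policy: Policy) -> list:
    """Checks a reviewer should run before signing a CA cert.
    Returns human-readable findings; an empty list means no objection."""
    findings = []
    if cert.path_len is None:
        findings.append("no pathLenConstraint: can mint further sub-CAs")
    if not cert.permitted_names:
        findings.append("no NameConstraints: can issue for any name")
    backdate = signed_at - cert.not_before
    if backdate > policy.max_backdate:
        findings.append(f"notBefore is backdated by {backdate.days} days")
    return findings


def evaluate_chain(chain: list, policy: Policy, now: datetime) -> list:
    """Relying-party check. `chain` runs from the CA that issued the leaf
    (index 0) up to the root (last element). Rejects any intermediate that
    merely chains to the root without being on the pinned list."""
    findings = []
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            findings.append(f"{lower.subject}: issuer does not match {upper.subject}")
    if chain[-1].subject not in policy.roots:
        findings.append(f"{chain[-1].subject}: not a trusted root")
    for cert in chain[:-1]:
        if cert.fingerprint not in policy.pinned_intermediates:
            findings.append(f"{cert.subject}: intermediate not pinned")
        if not (cert.not_before <= now <= cert.not_after):
            findings.append(f"{cert.subject}: outside validity window")
    # The certificate at position i has i CA certificates below it in the chain.
    for i, cert in enumerate(chain):
        if cert.path_len is not None and i > cert.path_len:
            findings.append(f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded")
    return findings


def demo() -> dict:
    """Constructed scenario: the legitimate INT01 beside a backdated,
    unconstrained INT02 signed by the same root but never pinned."""
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)          # constructed signing day
    root = CACert("NextSecure-Root", "NextSecure-Root", "aa" * 32,
                  t0 - timedelta(days=900), t0 + timedelta(days=2800), path_len=1)
    int01 = CACert("NextSecure-CoreINT01", "NextSecure-Root", "bb" * 32,
                   t0 - timedelta(days=400), t0 + timedelta(days=330),
                   path_len=0, permitted_names=("corp.nextsecure.example",))
    int02 = CACert("NextSecure-CoreINT02", "NextSecure-Root", "cc" * 32,
                   t0 - timedelta(days=180), t0 + timedelta(days=3650),
                   path_len=None)
    policy = Policy(roots=frozenset({"NextSecure-Root"}),
                    pinned_intermediates=frozenset({int01.fingerprint}))
    later = t0 + timedelta(days=3)
    return {
        "lint_int01": lint_ca_cert(int01, int01.not_before, policy),  # reviewed when issued
        "lint_int02": lint_ca_cert(int02, t0, policy),                # reviewed on signing day
        "chain_int01": evaluate_chain([int01, root], policy, later),
        "chain_int02": evaluate_chain([int02, root], policy, later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not result else result)
```

Two caveats a practitioner will want. First, the pinned list is an out-of-band inventory that only changes through the same review that signs the certificate, so a rubber-stamped approval still lands on the list; the linter is what makes the review mean something, and it belongs in the pipeline where the approver cannot skip it. Second, the lint rules are a floor, not a proof: an intermediate that passes all three (a sane validity start, a path length of zero, tight name constraints) can still be abused within its constraints, which is why the relying-party allowlist is kept separate from the signing-time check.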
⚰️ Read the full breakdown in POST_MORTEM: a cyber-thriller for some, a real-world playbook for those defending critical infrastructure.