The hardest targets I faced while pentesting/red teaming all had one thing in common: mature, funded, and empowered vuln/patch management programs.

The hardest of all combined vuln/patch management with least privilege enforcement - and inspired the creation of #BloodHound.
Are patch/vuln management and least privilege enforcement sexy? No.

Are they easy? Hell no.

Are they worth the initial and continued investment? Absolutely yes.
The best teams have processes for pretty easily dealing with things like Zerologon. They hear about the new scary vuln, understand its impact, test patch deployment to a subset of affected systems, then deploy to all affected systems, and audit patch deployment/effectiveness.
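The staged workflow above (pilot subset, then everyone, then audit) can be scripted against an asset inventory. The following is an added illustration, not code from the thread's author; the hostnames, roles and the `KB-PLACEHOLDER` update id are constructed sample data standing in for a real inventory export and the vendor's actual patch identifier.

```python
"""Staged patch-rollout audit (added example, not from the original thread).

Models the process described in the thread: scope the affected systems,
verify the patch landed on a pilot subset, gate the wide rollout on that
result, then audit coverage across every affected host.
Inventory, hostnames and the patch id below are constructed sample data.
"""
from dataclasses import dataclass, field

REQUIRED_PATCH = "KB-PLACEHOLDER"  # constructed; substitute the real update id


@dataclass
class Host:
    name: str
    role: str                     # e.g. "DC" for a domain controller
    installed: set = field(default_factory=set)  # update ids the host reports


# Constructed inventory: what each host reports as installed.
INVENTORY = [
    Host("dc01", "DC", {"KB-PLACEHOLDER", "KB-OTHER"}),
    Host("dc02", "DC", {"KB-PLACEHOLDER"}),
    Host("dc03", "DC", {"KB-OTHER"}),
    Host("dc04", "DC", set()),
    Host("fs01", "FILE", {"KB-OTHER"}),   # not in scope for a DC-only patch
]


def affected(inventory, role="DC"):
    """Step 1 (understand impact): only hosts of the affected role are in scope."""
    return [h for h in inventory if h.role == role]


def missing_patch(hosts, patch=REQUIRED_PATCH):
    """Hosts that do not report the required update, sorted for stable output."""
    return sorted(h.name for h in hosts if patch not in h.installed)


def pilot_gate(hosts, pilot_names, patch=REQUIRED_PATCH):
    """Step 2 (test on a subset): every pilot host must be patched before
    the enterprise-wide push proceeds. Returns the gate decision and failures."""
    pilot = [h for h in hosts if h.name in pilot_names]
    failures = missing_patch(pilot, patch)
    return {"ok": len(pilot) > 0 and not failures, "failed": failures}


def coverage_report(hosts, patch=REQUIRED_PATCH):
    """Step 4 (audit deployment): coverage across all affected hosts,
    with the exact hosts still needing attention."""
    missing = missing_patch(hosts, patch)
    total = len(hosts)
    patched = total - len(missing)
    pct = round(100.0 * patched / total, 1) if total else 0.0
    return {"total": total, "patched": patched,
            "missing": missing, "coverage_pct": pct}


if __name__ == "__main__":
    scope = affected(INVENTORY)
    gate = pilot_gate(scope, {"dc01", "dc02"})
    print("pilot gate:", gate)
    if gate["ok"]:
        print("coverage:", coverage_report(scope))
```

The gate refuses to open on an empty pilot as well as on a failed one, so a mis-scoped pilot group cannot silently approve the full rollout; the audit step reports the stragglers by name rather than only a percentage, which is what the follow-up work actually needs.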
Then they get lunch.
These folks are the unsung ass kickers of our field, and we almost never talk about them or give them praise. We once saw a team of 3 people replace a *terribly insecure* local admin credential system with the *highly superior* Microsoft LAPS in just under two weeks.
Doesn’t sound that cool until you learn their enterprise had approximately 600,000 domain-joined endpoints.
That’s beyond sexy, beyond cool. That’s a fucking miracle.
It bears repeating: the basics are the basics for a reason - they work. Patch management, vuln management, least privilege, asset inventory. The funded, empowered, and mature programs an organization builds around those basics will be what saves those organizations from disaster.
You can follow @_wald0.