In 2026 the greatest threat to business security is no longer just a technical exploit: it is the human interaction with increasingly convincing messages generated by AI. Attackers use generative models to build emails, chats and files that imitate internal voices, reference real projects and even carry signed documents, which dramatically increases the likelihood that an employee opens a malicious link or attachment. That first compromised machine, the equivalent of Patient Zero in medicine, is the spark that can ignite a chain reaction if organizational controls do not act within minutes.
Understanding why the first minutes matter is key: many modern intrusions combine credential theft, extraction of tokens from memory and automated lateral movement. The time between the initial click and the spread to other machines is usually measured in minutes, not hours, because the attackers' tooling automates the discovery of exposed services, the harvesting of cached passwords and the replication of access. The attacker's aim is not to stay on the first host but to reach valuable assets, privileged credentials and backups.

The response to this challenge is no longer antivirus, but a mindset and an architecture that assume compromise by design. Zero Trust is not a product feature, it is a containment principle: apply continuous verification, network segmentation and least privilege so that a compromised device cannot move freely. The NIST technical document on Zero Trust provides a framework for translating this principle into practical controls such as microsegmentation, conditional access control and separation of the data and control planes (NIST SP 800-207).
In practice, an architecture that stops Patient Zero combines endpoint detection and response (EDR / XDR) with automatic isolation capability, network access control (NAC) and identity policies that can revoke sessions and force re-authentication in real time. Immediately isolating the compromised host (blocking its traffic, cutting active sessions and disconnecting it from critical systems) shrinks the damage window. Tools that integrate telemetry and orchestration turn that isolation into reproducible and auditable actions.
When a compromise is discovered, the first hour is a chain of technical and legal decisions that must be defined in advance. Beyond isolating the device, it is essential to preserve evidence: a memory dump, disk image capture and centralized collection of logs before any cleanup. At the same time, credentials and tokens associated with the user and with any services the user may have touched must be rotated, because hijacked sessions or exfiltrated credentials let attackers re-enter even after a reboot.
Backups should also be treated as part of containment, not only of recovery. Immutable and offline backups (air-gapped, or protected against cascading deletion) prevent an attacker who reaches the backup systems from destroying the ability to restore. Regularly testing restores in isolated environments matters as much as having copies: recovery is useless if restoration has not been verified.
Prevention against AI-enhanced phishing campaigns requires layers: strong, phishing-resistant authentication (such as FIDO2 / passkeys), robust mail policies (SPF, DKIM, DMARC), filtering that combines reputation signals with language analysis, and continuous awareness programs that include realistic simulations. MITRE ATT&CK remains a practical reference for mapping the tactics and techniques used after an initial click and for planning detection and response (MITRE ATT&CK).
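The isolation and first-hour steps described above can be expressed as a fixed-order runbook: volatile evidence first, then containment, then credential hygiene, with every step written to a tamper-evident audit trail. This is an added example, not code from the original article; the EDR / identity connector is a constructed stand-in and the step names are hypothetical.

```python
# First-hour containment runbook for a compromised endpoint (added example).
# Evidence is captured before anything that changes host state, and each
# step is appended to a hash-chained audit log so the run can be reviewed later.
import hashlib
import json
import time
from dataclasses import dataclass, field

# Ordered steps: preserve evidence, then contain, then rotate credentials.
STEPS = ["memory_dump", "disk_image", "collect_logs",
         "isolate_host", "revoke_sessions", "rotate_credentials"]
# A failure in these steps must stop the run: containment cannot fail silently.
CRITICAL = {"isolate_host", "revoke_sessions"}

@dataclass
class Runbook:
    connector: object          # any object exposing one method per step name
    audit: list = field(default_factory=list)

    def _record(self, step, status, detail):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": time.time(), "step": step, "status": status,
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def run(self, host):
        for step in STEPS:
            try:
                self._record(step, "ok", getattr(self.connector, step)(host))
            except Exception as exc:   # every failure is logged, never hidden
                self._record(step, "failed", str(exc))
                if step in CRITICAL:
                    return False       # escalate to the on-call team
        return True

def verify_audit(audit):
    """Recompute the hash chain; returns False if any entry was altered."""
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True

class SimulatedConnector:
    """Constructed stand-in for EDR / IdP calls; the memory dump fails on purpose."""
    def memory_dump(self, host): raise RuntimeError("agent not responding")
    def disk_image(self, host): return f"{host}.dd"
    def collect_logs(self, host): return "forwarded to SIEM"
    def isolate_host(self, host): return "network quarantine on"
    def revoke_sessions(self, host): return "3 sessions revoked"
    def rotate_credentials(self, host): return "user and service credentials rotated"
```

A failed memory dump is recorded but does not stop the run, whereas a failed isolation or session revocation aborts it so the team can escalate instead of assuming the host is contained.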

No less important is human preparation: clear runbooks, tabletop exercises and hands-on simulations that include a Patient Zero scenario. These exercises reveal broken assumptions, friction points between teams and blind spots (for example, services with long-lived credentials). Early coordination with legal and communications teams and with forensic providers speeds up critical decisions on notification and mitigation.
Finally, adopt a continuous improvement strategy: record and evaluate each incident as a learning case, update blocking and detection policies with the observed IOCs and techniques, and maintain a constant investment in proactive hunting and deception technologies that detect abnormal activity before it reaches valuable assets. For guides and practical resources on current threats and response, see the CISA page on ransomware and phishing response and its best practices (CISA Ransomware Guidance).
The operational conclusion is clear: we cannot prevent someone from clicking in 100% of cases, but we can design systems and processes so that the click is not the trigger of a crisis. Early containment, segregation of privileges, immutable backups and human preparation are the levers that neutralize Patient Zero before it becomes an organizational Patient Zero.