Overview · v0.1.0
OVERVIEW · INTRODUCTION

What is this about.

Deretti Cyber Labs in plain terms — what it is, why it exists, and how to read further.

Most cybersecurity material is written for the people who already have a security team. Deretti Cyber Labs publishes for everyone else — practitioners, leadership, and adjacent professionals who need to understand the work without first having to learn the vocabulary. This document is the short introduction. Everything else on the site goes deeper.

Series: Cyber Labs
Document: Overview
Version: 0.1.0 · 2026
License: CC BY 4.0
02 / 05 · The Work
01 · What this is

An open library for practical security work.

Deretti Cyber Labs is an independent research and education effort. It exists to help organizations think more clearly about security — not just the tools, but the decisions that surround them. The work is open, free to use, and not tied to any vendor or product.

When something goes wrong, who decides what? What gets shut off, and what stays running? How is it communicated to leadership, to clients, to regulators? How is it learned from so the next event is easier? These are the questions Cyber Labs publishes about. The framework, the analysis, the supporting material — all of it is freely available, freely usable, and not behind a sales conversation.

02 · Why this exists

Most security guidance assumes a team you don't have.

Large enterprises have the staffing and the budget that existing frameworks were written for. Mid-market firms, professional services, and smaller practices usually don't. They need something that fits the resources they actually have — not a wish list of tools and headcount.

The harder problem isn't tooling. It's decisions made under pressure. Most of what goes wrong in a security event is not the technical containment — it's the communication, the documentation, and the choices made in the first hour. A framework that helps with that part, calmly and repeatably, without needing a specialist for every step, is what's been missing.

Overview · The Work v0.1.0 · © 2026 Deretti Cyber Labs · CC BY 4.0 02
03 / 05 · The Framework
03 · The framework — IR 2.0

Four moves. One loop.

IR 2.0 distills decades of security guidance — including the U.S. government's Cybersecurity Framework — into a four-step working loop. The point is not to replace existing standards. It is to give them an operating spine that actually runs.

01 · Sense

Know what's there

Know what you have, where it sits, and what's changing. Most organizations skip this step and pay for it later.

02 · Decide

Judge with clarity

When a signal comes in, have a clear way to determine what it means and what to do next. Fewer judgment calls under pressure.

03 · Act

Move deliberately

Take steps that are deliberate, reversible where possible, and documented. The point isn't speed for its own sake — it's defensibility afterward.

04 · Learn

Improve and evolve

Capture what worked, what didn't, and what changes. The next event should be easier than the last one. If it isn't, the Learn phase needs reevaluation.

From "we hope nothing happens" to "we can defend our decisions if something does."

30 · First days

Establish baseline visibility, ownership, and the first response paths. The minimum viable evidence trail.

60 · Operating posture

Tabletop the decision paths. Connect controls to the underwriter-legible artifacts they produce.

90 · Defensible & insurable

A documented loop, current evidence, and a posture that holds up to questions from auditors, carriers, and regulators.

04 / 05 · The Record
04 · What's published

The catalog. In brief.

A short selection of recent analysis. Each piece is written for practitioners, but accessible to anyone who reads carefully. The full catalog and reference material live on the Cyber Labs site.

Incident · 2024

The CrowdStrike outage

Why a single security update brought global IT systems down, and what it revealed about how much trust organizations place in their tools without realizing it.

Vendor · Trust

Broadcom & VMware

What happens when a critical vendor changes its commercial posture, and why "we'll figure out the renewal when the time comes" is one of the more expensive assumptions a leadership team can make.

Decision · Theory

The Cognitive Firewall

How human judgment — not tools — is the security control that matters most, and why it's also the one organizations measure least.

M365 · Exposure

OneDrive sync risk

A category of exposure that sits quietly inside almost every Microsoft 365 environment, and what to do about it.

05 · A real example

The same loop applied under fire.

A small professional services firm had its email system compromised after an attacker tricked a staff member into giving up their password. By the time anyone noticed, the attacker had been operating inside the inbox for almost a full day and had used it to send more than 800 phishing emails to people outside the firm.

The IR 2.0 loop guided the response: contain the attacker's access, harden the system, notify every party that needed to be notified (programmatically, not by hand), and document the engagement end-to-end. No specialty tools. No large team. No panic. What was left was a defensible record — usable if the question ever came up again.

22+ h · Attacker dwell time
~800 · Outbound phishing
700+ · Recipients notified
None · Specialty tooling
05 / 05 · The Horizon
06 · In flight

Active work. Connected directly to current conversations.

Track · A

Quantum computing readiness

Quantum is moving from research labs into real timelines. Some current encryption methods will eventually need to be replaced. Public-sector guidance is being published, but most private-sector organizations don't have a quantum specialist on staff. The Cyber Labs material focuses on practical sequencing — what to start thinking about now, what to defer, and how to avoid panic-driven vendor decisions over the next 24–36 months.

Track · B

AI adoption posture

Generative AI is being adopted faster than most security and compliance functions can keep up with. The framing applies the IR 2.0 loop to the decision: where does the AI tool sit in the workflow, what information crosses what boundary, and what does "rolling it back" look like if something goes wrong? The intent is to make those decisions before an AI tool is in production — not after.

07 · Going deeper

Where to read next.

If this is the right level of resolution, the rest of the site goes further. All material is licensed for reuse — use it, share it, build on it.