SonicWall, MFA Bypass, IABs: Why Patched Devices Are Still Handing Attackers Initial Access
Show notes
Your team patches the device. The firmware version matches the advisory. The ticket closes. The device comes off the remediation queue. What your workflow never tracked is that the advisory also required six manual LDAP configuration steps — and without them, the authentication bypass still works. An initial access broker authenticated through the VPN, reached a domain-joined file server, and was gone in under 40 minutes. Your dashboard still showed a clean queue.
With initial access brokers operating on disciplined, sub-hour timelines and patch-management workflows built around a single completion step, defenders are closing tickets on devices that are still wide open.
Join hosts Tehman and John as they discuss:
- How a firmware update can still leave a device fully exploitable
- How initial access brokers progressed their attack in under 40 minutes
- Why teams that prioritize from a single vulnerability score alone are behind
Two questions your organization should be asking right now:
- Does your patch-management workflow include a separate item for post-patch manual configuration requirements?
- When CISA, NVD, and the vendor publish different CVSS scores for the same CVE, does your vulnerability-management policy specify which authority takes precedence — and does it supplement static scoring with a dynamic signal like EPSS?
Tune in for expert insights, practical takeaways, and the full threat report: https://linktr.ee/ReliaQuestShadowTalk
Tehman Tariq: Sr. Manager of Cyber Operations at ReliaQuest. He has spent a majority of his career leading ReliaQuest's Incident Response, Security Architecture, and Detection teams, as well as working hand in hand with CISOs to introduce automation, allowing for the maturity of their security programs.
John Dilgen: John Dilgen is a Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.