
ESET discovers PromptLock, the first AI-powered ransomware

  • ESET Research discovers PromptLock, a new type of ransomware using GenAI to execute attacks.
  • The malware runs a locally accessible AI language model to generate malicious Lua scripts in real time, which are compatible across Windows, Linux, and macOS.
  • PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device.
  • Based on predefined text prompts, PromptLock autonomously determines whether to exfiltrate or encrypt data.
  • While ESET considers PromptLock a proof of concept, the threat it represents is very real.

BRATISLAVA, August 27, 2025 — ESET researchers have uncovered a new type of ransomware that leverages generative artificial intelligence (GenAI) to execute attacks. Named PromptLock, the malware runs a locally accessible AI language model to generate malicious scripts in real time. During infection, the AI autonomously decides which files to search, copy, or encrypt — marking a potential turning point in how cybercriminals operate.

“The emergence of tools like PromptLock highlights a significant shift in the cyber threat landscape,” said Anton Cherepanov, senior malware researcher at ESET, who analyzed the malware alongside fellow researcher Peter Strýček.

PromptLock creates Lua scripts that are compatible across platforms, including Windows, Linux, and macOS. It scans local files, analyzes their content, and — based on predefined text prompts — determines whether to exfiltrate or encrypt the data. A destructive function is already embedded in the code, though it remains inactive for now.

The ransomware uses the SPECK 128-bit encryption algorithm and is written in Golang. Early variants have already surfaced on the malware analysis platform VirusTotal. While ESET considers PromptLock a proof of concept, the threat it represents is very real.
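For readers who want to see what the named cipher actually is, here is an added reference implementation of Speck128/128 in Python, checked against the design paper's published test vector. It is not ESET's code and not PromptLock's own routine; the press release gives only the 128-bit block size, so the 128-bit key length (32 rounds) is an assumption made here, and nothing on this page says what mode of operation the malware wraps around the block cipher.

```python
# Added example: reference Speck128/128 (not ESET's or PromptLock's code).
# Assumption: 128-bit key, hence 32 rounds. Speck128/192 uses 33, /256 uses 34.
MASK64 = (1 << 64) - 1
ROUNDS = 32


def ror(x: int, r: int) -> int:
    """Rotate a 64-bit word right by r bits."""
    return ((x >> r) | (x << (64 - r))) & MASK64


def rol(x: int, r: int) -> int:
    """Rotate a 64-bit word left by r bits."""
    return ((x << r) | (x >> (64 - r))) & MASK64


def speck_round(x: int, y: int, k: int) -> tuple:
    """One ARX round: x = (x >>> 8) + y; x ^= k; y = (y <<< 3) ^ x."""
    x = (ror(x, 8) + y) & MASK64
    x ^= k
    y = rol(y, 3) ^ x
    return x, y


def speck_round_inv(x: int, y: int, k: int) -> tuple:
    """Exact inverse of speck_round (used with round keys in reverse order)."""
    y = ror(y ^ x, 3)
    x = rol(((x ^ k) - y) & MASK64, 8)
    return x, y


def expand_key(key: int) -> list:
    """Key schedule for a 128-bit key (two 64-bit words): the round function
    itself, with the round counter as the round key, produces each subkey."""
    k_words = [key & MASK64]                 # k[0] is the low word of the key
    l_words = [(key >> 64) & MASK64]         # l[0] is the high word
    for i in range(ROUNDS - 1):
        l_next, k_next = speck_round(l_words[i], k_words[i], i)
        l_words.append(l_next)
        k_words.append(k_next)
    return k_words


def encrypt_block(pt: int, key: int) -> int:
    """Encrypt one 128-bit block given as an int (x = high word, y = low word)."""
    x, y = pt >> 64, pt & MASK64
    for rk in expand_key(key):
        x, y = speck_round(x, y, rk)
    return (x << 64) | y


def decrypt_block(ct: int, key: int) -> int:
    """Decrypt one 128-bit block produced by encrypt_block."""
    x, y = ct >> 64, ct & MASK64
    for rk in reversed(expand_key(key)):
        x, y = speck_round_inv(x, y, rk)
    return (x << 64) | y


# Published Speck128/128 test vector from the Speck design paper.
TEST_KEY = 0x0F0E0D0C0B0A09080706050403020100
TEST_PT = 0x6C617669757165207469206564616D20
TEST_CT = 0xA65D9851797832657860FEDF5C570D18


def self_test() -> bool:
    """True if this implementation matches the published vector both ways."""
    return (encrypt_block(TEST_PT, TEST_KEY) == TEST_CT
            and decrypt_block(TEST_CT, TEST_KEY) == TEST_PT)


if __name__ == "__main__":
    print("Speck128/128 test vector:", "ok" if self_test() else "FAILED")
```

Speck is an add-rotate-XOR design with no S-boxes or lookup tables, which is why it fits in a few dozen lines of Go or Lua; that small footprint, not any cryptographic novelty, is what makes it convenient for a file encryptor.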

“With the help of AI, launching sophisticated attacks has become dramatically easier — eliminating the need for teams of skilled developers,” added Cherepanov. “A well-configured AI model is now enough to create complex, self-adapting malware. If properly implemented, such threats could severely complicate detection and make the work of cybersecurity defenders considerably more challenging.”

PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device. Notably, the prompt includes a Bitcoin address reportedly linked to Bitcoin creator Satoshi Nakamoto.

ESET has published technical details to raise awareness within the cybersecurity community. The malware has been classified as Filecoder.PromptLock.A.

Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

The MSP’s Playbook for Data Loss Prevention: Building a High-Value Security Service

For consumers, a VPN is a shield for privacy. For an enterprise, an unmanaged VPN is a gaping hole in the security perimeter. When employees use consumer-grade or free VPNs on corporate networks, they create a shadow IT environment that bypasses firewalls, security policies, and monitoring tools. This introduces significant risks, from data exfiltration to compliance violations.

This is why a VPN blocker is no longer an optional tool but an essential layer of the modern enterprise security stack. It’s not about restricting privacy; it’s about regaining control. This guide explains the critical need for blocking unauthorized VPNs, the technology that makes it possible, and how to implement a strategy that strengthens security without disrupting legitimate business.

The Hidden Risks of Unmanaged VPNs

Allowing employees to use unvetted personal VPNs on corporate devices or networks is a direct threat to your security posture. According to Zscaler’s 2023 VPN Risk Report, 88% of organizations are concerned that VPNs threaten their security, and for good reason.

  • It Creates a Visibility Gap: Corporate security tools are designed to inspect traffic. An unauthorized VPN encrypts that traffic and routes it through an external server, making it invisible to your defenses. This blinds you to potential threats and policy violations.
  • It Undermines Security Policies: Employees can use VPNs to bypass web filters, data loss prevention (DLP) rules, and other controls, accessing restricted content or exfiltrating sensitive data undetected.
  • It Obscures Malicious Activity: Threat actors and malicious insiders use VPNs to hide their IP addresses, conceal lateral movement within your network, and cover their tracks during a data breach.
  • It Introduces Compliance Risks: Consumer VPNs lack the audit logs, access controls, and data residency guarantees required by compliance frameworks like GDPR, HIPAA, and PCI-DSS.

Regaining Control: The Technology Behind VPN Blocking

A VPN blocker is a security solution designed to detect and prevent the use of unauthorized VPNs. To counter sophisticated VPN services that use encryption and obfuscation, modern blockers employ a multi-layered approach.

  • Deep Packet Inspection (DPI): This technique examines packet payloads and framing, not just IP and port headers. It cannot read the encrypted contents of a tunnel, but VPN protocols such as OpenVPN and WireGuard have fixed, unencrypted handshake structures and characteristic packet sizes that DPI can fingerprint, so the tunnel itself is identifiable even though everything inside it is encrypted.
  • IP and DNS Filtering: This method blocks connections to the known IP addresses and domains used by popular VPN providers. While effective against many services, it can be bypassed by VPNs that use dedicated or frequently rotated IPs.
  • Port Blocking: A straightforward technique that blocks the network ports commonly used by VPN protocols (e.g., UDP port 1194 for OpenVPN). However, many modern VPNs can automatically switch ports to evade this.
  • Behavioral Analysis: Advanced systems use machine learning to identify traffic patterns indicative of VPN use, such as consistent packet sizes or unusual connection latency, flagging even heavily obfuscated tunnels.
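As an added example that is not NordLayer's code, the following Python runs all four layers above over one client-to-server flow: an IP blocklist, default-port matching, handshake fingerprints of the kind a DPI engine carries, and a packet-size heuristic that never reads a header byte. The provider address range, the sample flows and the thresholds are constructed for the example.

```python
# Added example (not NordLayer's product logic): layered VPN-flow classifier.
import ipaddress
from dataclasses import dataclass

# Constructed blocklist: stands in for a threat-intel feed of VPN-provider
# egress ranges. 198.51.100.0/24 is a documentation range, not a real provider.
VPN_PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Real protocol defaults; most clients can be moved off them.
VPN_DEFAULT_PORTS = {("udp", 1194): "openvpn", ("udp", 51820): "wireguard"}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: str        # "udp" or "tcp"
    payloads: list    # client->server transport payloads, in order


def ip_filter(dst_ip: str):
    addr = ipaddress.ip_address(dst_ip)
    return "provider-range" if any(addr in n for n in VPN_PROVIDER_NETS) else None


def port_filter(proto: str, port: int):
    return VPN_DEFAULT_PORTS.get((proto, port))


def dpi_signature(payload: bytes):
    """Handshake fingerprints. Nothing here decrypts anything: the first
    packet of these tunnels has fixed, cleartext framing."""
    # WireGuard handshake initiation: message type 1, three reserved zero
    # bytes, always exactly 148 bytes on the wire.
    if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake-init"
    # OpenVPN over UDP: first byte is (opcode << 3) | key_id. A client opens
    # with P_CONTROL_HARD_RESET_CLIENT_V2 (7) or _V3 (10), then an 8-byte
    # session id, so the packet is at least 14 bytes without tls-auth.
    if len(payload) >= 14 and (payload[0] >> 3) in (7, 10):
        return "openvpn-hard-reset-client"
    return None


def size_behaviour(payloads: list, min_packets: int = 10, ratio: float = 0.9):
    """Behavioural heuristic with no header inspection: WireGuard transport
    messages are a 16-byte header + payload padded to a multiple of 16 +
    a 16-byte tag, so their lengths are always >= 32 and divisible by 16."""
    if len(payloads) < min_packets:
        return None
    hits = sum(1 for p in payloads if len(p) >= 32 and len(p) % 16 == 0)
    return "wireguard-like-sizing" if hits / len(payloads) >= ratio else None


def classify(flow: Flow) -> list:
    """Run every layer; return (layer, reason) findings, empty means allow."""
    findings = []
    hit = ip_filter(flow.dst_ip)
    if hit:
        findings.append(("ip-filter", hit))
    hit = port_filter(flow.proto, flow.dst_port)
    if hit:
        findings.append(("port-filter", hit))
    for p in flow.payloads[:3]:            # handshakes sit in the first packets
        sig = dpi_signature(p)
        if sig:
            findings.append(("dpi", sig))
            break
    hit = size_behaviour(flow.payloads)
    if hit:
        findings.append(("behaviour", hit))
    return findings


# Constructed sample flows (documentation addresses, synthetic payloads).
WG_FLOW = Flow("203.0.113.10", 4443, "udp",
               [b"\x01\x00\x00\x00" + bytes(144)] + [bytes(64)] * 12)
OVPN_FLOW = Flow("198.51.100.7", 1194, "udp",
                 [b"\x38" + bytes(8) + b"\x00" + bytes(4)])
HTTPS_FLOW = Flow("192.0.2.1", 443, "tcp",
                  [bytes(n) for n in (517, 64, 1200, 100, 37, 900, 33, 700, 51, 200, 61)])

if __name__ == "__main__":
    for name, f in (("wireguard", WG_FLOW), ("openvpn", OVPN_FLOW), ("https", HTTPS_FLOW)):
        print(name, classify(f))
```

The instructive case is the WireGuard flow: it uses a non-default port and an address outside the blocklist, so the two cheap layers say nothing, yet the 148-byte type-1 handshake and the 16-byte-aligned transport sizes give it away. That is the practical lesson behind the list above: a port or IP change defeats the first two techniques, while fingerprints of the protocol's own framing survive both. A sizing heuristic on its own will also match some non-VPN traffic, so it should flag a flow for review rather than block it outright.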

A Strategic Approach: From Blanket Bans to Intelligent Policy

Should businesses block all VPNs? The answer is no. The goal is not prohibition but policy. A blanket ban can disrupt legitimate remote access for employees, partners, and vendors.

The strategic approach is to block unauthorized, consumer-grade VPNs while enabling and managing an approved, corporate security solution.

Pros of Blocking Unauthorized VPNs

  • Greater control over all network traffic.
  • Improved threat visibility and DLP effectiveness.
  • Reduced risk of shadow IT and insider threats.
  • Strengthened compliance with regulatory mandates.

Cons of a Poorly Implemented Policy

  • May disrupt legitimate remote access workflows.
  • Can create friction for global teams and collaborators.
  • Potential for false positives and increased support tickets.
  • Complexity increases with BYOD and hybrid work.

Enforcing Secure Access with NordLayer

NordLayer provides a comprehensive security stack that empowers organizations to block unauthorized VPNs while delivering secure, policy-aligned access for legitimate users.

  • Detect and Block with Deep Packet Inspection (DPI): NordLayer’s DPI feature gives you the application-level visibility needed to identify and restrict unauthorized VPN services. It analyzes traffic to detect VPN protocols and tunneling behaviors, preventing bypass attempts and ensuring your security policies are always enforced.
  • Enable Secure, Approved Access: Instead of relying on unmanaged tools, NordLayer provides enterprise-grade secure access solutions that you control:
    • Zero Trust Network Access (ZTNA): Enforce strict, identity-based access to resources based on the principle of least privilege.
    • Dedicated IP: Provide a stable, trusted IP address for your entire company to simplify access rules and avoid the blocklists associated with shared consumer VPN servers.
  • Build a Layered Defense: Modern security requires more than just an encrypted tunnel. NordLayer integrates VPN control into a complete security framework that includes Malware Protection, DNS Filtering, Device Posture Security, and Multi-Factor Authentication (MFA), giving you a unified defense against a wide range of threats.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.


Best Secure Web Gateways (SWG) in 2025: Real-World Tests on Speed, Break/Inspect, and Privacy

The 2025 SWG Litmus Test: 3 Real-World Trials Your Security Gateway Will Likely Fail

In cybersecurity, the word “best” is subjective. For security architects, it might mean a single platform with the most features. For your employees, it means one thing: invisible.

When web pages lag, applications break, and the coffee shop Wi-Fi becomes a battle, your Secure Web Gateway (SWG) has failed the most important test. This guide moves beyond marketing hype and feature checklists to evaluate SWGs on what truly matters in 2025: speed, reliability, and privacy.


The Architectural Divide: Cloud Proxy vs. On-Endpoint Inspection

Most user experience problems can be traced back to one fundamental design choice.

Cloud-Proxy SWGs route all your web traffic to the vendor’s global data centers for inspection. This is the model used by major players like Zscaler, Netskope, and Cisco Umbrella. When network conditions are perfect, it can work well. But every extra hop introduces potential latency and a point of failure.

On-Endpoint SWGs, like dope.security, place the inspection engine directly on the user’s device. Traffic goes directly from the user to its destination without a detour through a vendor’s cloud, eliminating the “backhaul tax” on performance.

This architectural difference is the key to understanding why some SWGs feel seamless while others feel like a constant drag on productivity.


Three Tests to Separate Hype from Reality

You don’t need a lab to see which architecture performs better. Run these three simple tests on any SWG you’re evaluating.

1. The Human-Eye Speed Test

Forget synthetic benchmarks. Open a few complex websites (like a news site with many ads) with the SWG turned off. Notice how quickly the page feels fully loaded. Now, turn the SWG on and repeat the test.

What to Look For: Does the page load feel just as fast? Or do you see spinners, slow-loading banners, and lagging images? That perceptible delay is the latency introduced by routing your traffic through a third-party data center.

2. The Real-Time Policy Test

Security can’t wait 30-60 minutes to update. Log in to your admin console and make a simple policy change—for example, block a new URL category. Save the change and immediately try to access a site in that category.

What to Look For: Does the block take effect instantly? An on-endpoint SWG like dope.security pushes policy updates in seconds. Many cloud architectures rely on timed polling, leaving you with a significant enforcement gap.

3. The Captive Portal Challenge

Take a company laptop to a hotel, airport, or cafe. Try to log in to their public Wi-Fi. This is where most cloud-proxy SWGs fail catastrophically.

What to Look For: Can you connect seamlessly? Cloud proxies often interfere with the redirect mechanisms of captive portals, preventing users from getting online. Because an on-endpoint SWG doesn’t re-route traffic, captive portals work exactly as they should—no help desk ticket required.


Why Performance and Privacy Are a Design Choice

A direct flight is always faster and simpler than one with a layover. The dope.security on-endpoint SWG applies this same logic to your data.

By removing the cloud proxy hop entirely, we eliminate the primary cause of latency, application breakage, and privacy concerns associated with legacy SWGs. Security policies—blocking threats, controlling application usage, and protecting data—are enforced locally on the device.

The result is a secure internet experience that feels just like it did before you added enterprise-grade security. For organizations that prioritize user productivity and a stronger privacy posture, the choice is clear.

About Dope Security
A comprehensive security solution designed to protect individuals and organizations from various cyber threats and vulnerabilities. With a focus on proactive defense and advanced technologies, Dope Security offers a range of features and services to safeguard sensitive data, systems, and networks.


The MSP Onboarding Playbook: A 5-Phase Guide to Building Lasting Client Partnerships

Signing a new client marks the beginning of a critical transition. The journey from a signed contract to a profitable, long-term partnership is defined by one process: client onboarding. A well-executed onboarding sets the stage for trust, efficiency, and growth. A poor one leads to misaligned expectations, scope creep, and churn. This five-phase playbook provides a structured framework to ensure every new client relationship starts on the strongest possible foundation.

Phase 1: Discovery and Planning

Goal: To replace assumptions with data and build a tailored service delivery roadmap. The first step is to gain a comprehensive understanding of the client’s environment, challenges, and goals. This is achieved with a mandatory Strategic Onboarding Questionnaire. This document serves as your blueprint for the entire relationship and provides measurable goals for future Quarterly Business Reviews (QBRs).

Key Data Points for Your Questionnaire:

  • Service Tier & Requirements: Confirm the agreed-upon services, from cloud storage to system monitoring.
  • Current IT Infrastructure: Document all workstations, servers, and network hardware.
  • Existing Cybersecurity Stack: List all current tools (endpoint security, firewalls, phishing protection).
  • Key Personnel & Permissions: Identify roles, access levels, and points of contact.
  • Third-Party Contracts: Uncover existing agreements with other vendors or service providers.
  • Incident Response: Review any existing incident response plans.

The insights gathered here allow you to create a customized onboarding plan that aligns with their business objectives from day one.

Phase 2: Security and Risk Assessment

Goal: To establish a security baseline by identifying vulnerabilities and understanding the client’s unique attack surface. Before making any changes, you must understand the client’s current risk posture. A thorough assessment is non-negotiable and demonstrates immediate value. In 2024, over 35% of all breaches were attributed to third parties—a risk many clients are unaware of. Your assessment should uncover these hidden threats.

Essential Security Discovery Checklist:

  • How are user identities and access permissions managed, reviewed, and revoked?
  • Are privileged accounts, service accounts, and shared credentials actively monitored?
  • Is Multi-Factor Authentication (MFA) enforced across all critical accounts?
  • How is sensitive data classified, protected, and stored?
  • Do any third parties hold administrative access to cloud services or data?
  • Are system logs collected and analyzed for anomalies?

Pro Tip: Automate Your Security Assessment

Manually auditing a new client’s cloud environment for excessive permissions and third-party risks is time-consuming. A unified security platform like Guardz can automate this discovery process, providing a comprehensive risk report in hours, not days, and identifying threats like suspicious login activity or abnormal data transfers.
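To show what automating this discovery amounts to in practice, here is an added Python example, not Guardz's product logic, that turns the checklist above into rules run against a constructed identity export. The field names, the 90-day thresholds and the sample accounts are assumptions made for the example; a real run would read the client's directory or identity provider export instead.

```python
# Added example (not Guardz's code): checklist-driven access review over a
# constructed identity export. Field names and thresholds are assumed.
from collections import defaultdict

STALE_DAYS = 90          # no sign-in for a quarter
REVIEW_DAYS = 90         # quarterly access review cadence

# Constructed export shaped like a directory/IdP dump.
ACCOUNTS = [
    {"user": "alice@client.example", "role": "admin", "type": "human",
     "mfa": True, "org": "client", "last_login_days": 2, "reviewed_days": 30},
    {"user": "bob@client.example", "role": "admin", "type": "human",
     "mfa": False, "org": "client", "last_login_days": 5, "reviewed_days": 30},
    {"user": "svc-backup", "role": "admin", "type": "service",
     "mfa": False, "org": "client", "last_login_days": 1, "reviewed_days": 400},
    {"user": "reception", "role": "user", "type": "shared",
     "mfa": False, "org": "client", "last_login_days": 3, "reviewed_days": 20},
    {"user": "consultant@vendor.example", "role": "admin", "type": "human",
     "mfa": True, "org": "vendor", "last_login_days": 200, "reviewed_days": 200},
]


def review(accounts: list) -> dict:
    """Map each account to the checklist items it fails (clean accounts omitted)."""
    findings = defaultdict(list)
    for a in accounts:
        u = a["user"]
        privileged = a["role"] == "admin"
        # "Is MFA enforced across all critical accounts?" Service accounts are
        # reported under their own rule: they cannot do interactive MFA and
        # need a different control (scoped credentials, rotation, monitoring).
        if privileged and not a["mfa"] and a["type"] == "human":
            findings[u].append("privileged-without-mfa")
        if privileged and a["type"] == "service":
            findings[u].append("privileged-service-account")
        # "Are shared credentials actively monitored?" A shared login cannot
        # be attributed to one person, so it is flagged whatever its role.
        if a["type"] == "shared":
            findings[u].append("shared-credential")
        # "Do any third parties hold administrative access?"
        if privileged and a["org"] != "client":
            findings[u].append("third-party-admin")
        # "How are permissions reviewed and revoked?" Dormant or unreviewed
        # access is the revocation backlog.
        if a["last_login_days"] > STALE_DAYS:
            findings[u].append("stale-account")
        if a["reviewed_days"] > REVIEW_DAYS:
            findings[u].append("access-review-overdue")
    return dict(findings)


def summary(findings: dict) -> dict:
    """Count findings per rule so the report leads with the widest gaps."""
    counts = defaultdict(int)
    for items in findings.values():
        for f in items:
            counts[f] += 1
    return dict(counts)


if __name__ == "__main__":
    result = review(ACCOUNTS)
    for user, items in result.items():
        print(user, "->", ", ".join(items))
    print(summary(result))
```

Each rule is a direct answer to one checklist question, which is what makes the output reusable: the same findings list becomes the Phase 2 risk report, the revocation backlog for the client, and the evidence for the next quarterly review.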

Phase 3: Foundation and Expectation Setting

Goal: To build trust and prevent future churn by clearly defining the rules of the partnership. Poor communication and misaligned expectations are leading causes of client churn. A professional Client Welcome Kit is your primary tool for setting the foundation for a successful relationship.

Your Welcome Kit Must Include:

  • Summary of Services: A clear list of deliverables and project milestones.
  • Service Level Agreements (SLAs): Defined response times and support escalation paths.
  • Points of Contact: A directory of your team members and their roles.
  • Communication Protocols: Official channels for support and inquiries (e.g., email, portal, Slack).
  • QBR Schedule: Pre-scheduled dates for strategic business reviews.
  • Resource Hub: Links to FAQs, knowledge bases, and walk-through videos covering topics like IT troubleshooting and phishing awareness.

Phase 4: Technical Integration and Migration

Goal: To execute a flawless migration of user data and systems with zero disruption. This is the most delicate phase of onboarding. Migrating data from multiple sources (CRMs, email, cloud environments) carries significant risk. A single cloud misconfiguration can lead to a data breach.

Best Practices for a Safe Migration:

  • Create Dummy Data: Never test with live client data. Use dummy datasets to validate workflows, field mappings, and permissions.
  • Test Extensively: Perform multiple test runs to ensure all integrations function as expected.
  • Execute Live Import: Only after all tests are successful, proceed with the final live data migration.

Phase 5: The Strategic Kickoff Meeting

Goal: To formally launch the partnership, address final concerns, and solidify rapport with the client’s team. The kickoff meeting is more than a formality; it’s your opportunity to listen. Apply the 80/20 Rule: spend 80% of the time listening to the client’s goals and expectations, and 20% addressing questions and outlining the plan.

Kickoff Meeting Agenda:

  • Review the detailed onboarding plan and project timelines.
  • Define roles and responsibilities for both your team and the client’s.
  • Address any concerns or unique business requirements.
  • Document all action items and set reminders for follow-up.

Once this meeting concludes, the onboarding process is complete, and the long-term partnership officially begins.

Streamline Your Client Onboarding with Guardz

A secure and efficient onboarding process gives new clients immediate peace of mind. Guardz provides a unified cybersecurity platform that helps MSPs quickly assess risk, detect threats from third-party apps, and monitor cloud accounts for excessive permissions. Start every new client relationship with a foundation of security and trust.

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.


The Cyber Assessment Framework

Master CAF 4.0: Why a Ransomware Containment Strategy is Non-Negotiable

The UK’s updated Cyber Assessment Framework (CAF) 4.0 raises the standard for cyber resilience. It demands that leaders of essential services prove they can detect, stop, and recover from sophisticated attacks before they cause disruption.

One threat stands above all others in today’s landscape: ransomware. This is precisely where BullWall delivers a unique and measurable advantage to your security strategy.


The New Reality: Surviving the “Blast Radius”

CAF 4.0 isn’t another compliance exercise; it’s a direct challenge to withstand realistic, high-impact threats. Regulators want evidence that you can manage the critical moments after ransomware bypasses your initial defenses and begins its destructive encryption. This is the “blast radius” that can turn a single compromised device into an operational catastrophe within minutes.

Traditional prevention tools are essential, but they weren’t designed to stop an active encryption attack. Without a dedicated containment layer, you’re left vulnerable at the most critical moment.


How BullWall Delivers Demonstrable CAF 4.0 Compliance

BullWall provides a laser-focused solution to stop ransomware before it impacts your essential services, aligning directly with the core outcomes of CAF 4.0.

Managing Risk & Protecting Services (Objectives A & B)

CAF 4.0 requires you to mitigate the most realistic attacker behaviors. BullWall demonstrates this by actively protecting against ransomware, the number one threat.

  • Stops Malicious Encryption: It detects and halts ransomware encryption attempts in real time.
  • Limits Attack Impact: It automatically isolates the compromised user or device, instantly preventing the attack from spreading across your network and protecting critical data.

Mastering Detection & Incident Response (Objectives C & D)

When an attack is underway, every second counts. BullWall provides immediate detection and automates the initial response, giving your team the tools for rapid recovery and reporting.

  • Identifies Malicious Activity: It instantly recognizes the unauthorized encryption patterns that are the clearest sign of a ransomware compromise.
  • Automates Response: It triggers immediate alerts and automatically quarantines the threat, providing the forensic-quality data needed for regulator-ready investigations and post-incident reviews.
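To make "unauthorized encryption patterns" concrete, here is an added example, not BullWall's detection logic, of the simplest form such a detector takes: score each file write by the Shannon entropy of the written bytes and raise a containment decision when one process rewrites many distinct files with near-random content inside a short window. The events, process names and thresholds are constructed for the example.

```python
# Added example (not BullWall's code): encryption-burst detector over file
# write events of the kind an EDR or file-server agent emits. Constructed data.
import math
from collections import defaultdict, deque

WINDOW_S = 10          # seconds
MIN_FILES = 20         # distinct high-entropy files within the window
ENTROPY_BITS = 7.0     # bits/byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events: list) -> dict:
    """events: (ts_seconds, pid, process, path, sample_bytes), time-ordered.
    Returns pid -> alert for every process that crossed the threshold."""
    recent = defaultdict(deque)     # pid -> (ts, path) of high-entropy writes
    alerts = {}
    for ts, pid, proc, path, sample in events:
        if shannon_entropy(sample) < ENTROPY_BITS:
            continue                # plain text, config, source: not interesting
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_S:
            q.popleft()             # slide the window
        touched = {p for _, p in q}
        if len(touched) >= MIN_FILES and pid not in alerts:
            alerts[pid] = {"process": proc, "first_ts": q[0][0], "alert_ts": ts,
                           "files": len(touched),
                           "action": "isolate-host-and-kill-pid"}
    return alerts


# Constructed events: an editor saving a text file, a backup tool writing one
# large archive, and a rogue process rewriting 25 documents in five seconds.
TEXT = b"Quarterly report draft, section 3.\n" * 40
RANDOM_LIKE = bytes(range(256)) * 4            # entropy exactly 8.0 bits/byte

EVENTS = [(0.0, 101, "notepad.exe", "C:\\docs\\notes.txt", TEXT),
          (1.0, 202, "backup.exe", "D:\\backup\\full.7z", RANDOM_LIKE)]
EVENTS += [(10.0 + i * 0.2, 1337, "update.exe",
            f"C:\\docs\\file{i}.docx.locked", RANDOM_LIKE) for i in range(25)]
EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for pid, alert in detect(EVENTS).items():
        print(pid, alert)
```

Entropy on its own is a weak signal: archives, images and Office documents are already compressed and score close to 8 bits per byte, which is why the backup process writing one large archive is ignored and only the burst across twenty distinct files fires. A production detector adds rename-to-unknown-extension, canary files and write rate, but the containment step it triggers (isolate the host, stop the process) is the same one described above.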

BullWall’s Contribution at a Glance

  • A2.b (Understanding Threat): Demonstrates active mitigation of ransomware, a primary attacker behavior.
  • B4.c (Malicious Code Prevention): Detects and halts active ransomware encryption in real time.
  • B5.a (Limiting Impact): Contains ransomware attacks before they can cause widespread disruption.
  • C3.b (Detecting Malicious Activity): Identifies unauthorized encryption and triggers an immediate, automated response.
  • D1.a (Incident Response): Automates containment of compromised assets to accelerate your response.
  • D2.b (Post-Incident Review): Provides forensic data to inform regulator engagement and improve defenses.

The Bottom Line for Leadership

CAF 4.0 elevates ransomware from an IT issue to a board-level resilience risk. Regulators now expect proof that you can contain an attack in real time, not just after the damage is done.

BullWall delivers that proof. By instantly detecting and stopping unauthorized encryption, BullWall:

  • Strengthens cyber resilience against today’s most damaging threat.
  • Provides the verifiable evidence needed for compliance and regulator engagement.
  • Protects your ability to deliver essential services and safeguards your reputation.

With CAF 4.0 setting the new standard, the question isn’t whether ransomware will test your defenses—it’s whether you can stop it in time. With BullWall, the answer is yes.

About Bullwall
BullWall is a fast-growing international cybersecurity solution provider with a dedicated focus on protecting critical data during active ransomware attacks. We are the only security solution able to contain both known and unknown ransomware variants in seconds, preventing encryption and exfiltration across all data storage types.


The Modern MSP Playbook: 8 Best Practices for Security, Scale, and Profitability


Running a managed service provider (MSP) in 2025 is like running mission control. Amidst blinking dashboards and constant alerts, clients expect you to keep everything secure, compliant, and running flawlessly—all while costs remain predictable. That’s a tall order when threat actors are iterating faster than ever.

The good news is that a playbook for turning this chaos into routine already exists. These eight battle-tested best practices are the foundation for building a resilient, scalable, and profitable MSP. They are the habits and systems that protect client data, streamline operations, and drive confident growth.

The 8 Best Practices for Modern MSPs

These habits are designed to improve outcomes, reduce noise, and make your security services demonstrably valuable to your clients.

1. Standardize Your Stack and Your Playbooks

Pick a reference architecture—one EDR, one email security layer, one backup vendor—and standardize it. Then, document your core operational playbooks: client onboarding, offboarding, phishing triage, and ransomware response.

Why it Works: Standardization is the engine of scalability and profitability. It leads to faster deployments, fewer misconfigurations, simpler training, and clearer service boundaries, which protects your margins.

Action Steps:

  • Publish a “gold image” baseline for endpoints with security-aligned settings.
  • Maintain a shared “controls catalog” that maps your tools to specific risk scenarios (e.g., “Business Email Compromise → Identity + Email Controls”).

2. Lead with Identity-First Security

With data and applications everywhere, identity is the new perimeter. Your primary focus should be on securing credentials and access.

Why it Works: The vast majority of breaches begin with a compromised credential. Strong identity controls dramatically reduce the potential blast radius of an attack, especially in cloud and BYOD environments.

Action Steps:

  • Enforce phishing-resistant MFA methods for all admin accounts.
  • Apply the principles of “least privilege” and “just-in-time” (JIT) access.
  • Monitor for access anomalies and regularly revoke stale session tokens.

3. Make Patching and Configuration Management Boring

In security, “boring” means reliable. Put operating system and application patching on a strict schedule with clear SLAs based on severity. Actively track and remediate configuration drift.

Why it Works: Year after year, breach reports show attackers exploiting old, known vulnerabilities. A consistent and measurable patch management cadence is one of the most effective ways to shrink your clients’ attack surface.

Action Steps:

  • Define and report on vulnerability SLAs (e.g., critical vulnerabilities patched within 48 hours).
  • Use deployment rings (pilot → broad) to roll out patches without disrupting client operations.

4. Assume Compromise and Rehearse Your Response

Adopt an “assume breach” mindset. Run tabletop exercises with your clients twice a year to simulate key scenarios like ransomware or a SaaS account takeover.

Why it Works: The middle of an incident is the worst time to figure out a plan. Rehearsing clarifies roles, speeds up decision-making, and reduces panic, turning a potential catastrophe into a managed event.

Action Steps:

  • Maintain an out-of-band contact list for emergencies (since email may be down).
  • Track and report on key metrics like Mean Time to Detect (MTTD) and Mean Time to Recover (MTTR) in your QBRs.

5. Master the Basics: Passwords, Secrets, and Credentials

Strong, unique credentials and centralized management are the backbone of any security program. Enforce password complexity and audit shared accounts ruthlessly.

Why it Works: A shocking number of breaches still start with a weak or reused password. Centralizing credentials in a business-grade password manager provides the visibility and control needed to enforce good hygiene.

Action Steps:

  • Use role-based access control (RBAC) and group-based vaults so technicians only see the credentials they need.
  • Replace insecure credential sharing (e.g., via email or chat) with a secure sharing mechanism from your vault.

6. Turn Observability into Actionable Outcomes

Logs are useless if no one is looking. Design your detections around real-world attacker techniques (like those in the MITRE ATT&CK framework) and connect them to automated responses where possible.

Why it Works: Tuning your alerts to reduce noise means your team can focus on real threats faster. This improves both security outcomes and technician morale.

Action Steps:

  • Build a “top 20 detections” list tailored to your stack (e.g., suspicious PowerShell scripts, impossible travel alerts, MFA fatigue attempts).
  • If an alert hasn’t provided value in 90 days, tune it or remove it.
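Two of the detections named in the list above (impossible travel and MFA fatigue), written out as an added example rather than code from this post or from NordPass; it assumes sign-in events have already been normalized into the fields user, ts, lat, lon and mfa_result, and the sample events at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass
class SignIn:
    user: str
    ts: datetime        # UTC timestamp of the sign-in attempt
    lat: float
    lon: float
    mfa_result: str     # "success", "denied" or "timeout" (assumed normalized values)

def _km(a, b):
    """Great-circle (haversine) distance in km between two sign-in locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Users whose consecutive successful sign-ins imply travel faster than max_kmh."""
    hits, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.mfa_result != "success":
            continue
        p = last.get(e.user)
        if p:
            hours = (e.ts - p.ts).total_seconds() / 3600
            if hours > 0 and _km(p, e) / hours > max_kmh:
                hits.append((e.user, round(_km(p, e) / hours)))  # (user, implied km/h)
        last[e.user] = e
    return hits

def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users receiving >= threshold denied/ignored MFA prompts inside one sliding window."""
    hits, recent = set(), {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.mfa_result == "success":
            continue
        q = recent.setdefault(e.user, []) + [e.ts]
        recent[e.user] = q = [t for t in q if e.ts - t <= window]  # drop prompts outside window
        if len(q) >= threshold:
            hits.add(e.user)
    return sorted(hits)

# Constructed sample data: alice signs in from Vilnius, then from Singapore an hour later;
# bob signs in once and then gets six denied push prompts within six minutes.
T = datetime(2025, 9, 1, 8, 0)
SAMPLE = [SignIn("alice", T, 54.69, 25.28, "success"),
          SignIn("alice", T + timedelta(hours=1), 1.35, 103.82, "success"),
          SignIn("bob", T, 51.5, -0.12, "success")]
SAMPLE += [SignIn("bob", T + timedelta(minutes=i), 51.5, -0.12, "denied") for i in range(6)]
```

Both functions return the flagged users rather than printing them, so they can feed the automated responses the practice describes.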

7. Package Compliance as a Service

Clients don’t want to read regulatory documents; they want to pass audits with minimal stress. Turn your operational discipline into audit-ready artifacts.

Why it Works: Translating complex compliance requirements into concrete controls and evidence is a high-value service that differentiates your MSP from the competition.

Action Steps:

  • Automate quarterly user access reviews and document approvals.
  • Offer pre-audit readiness checks as a fixed-fee service package.

8. Communicate Value Relentlessly

Security is invisible when it’s working, so your job is to make it visible. Use Quarterly Business Reviews (QBRs) to connect your activities to business outcomes.

Why it Works: Clients renew and expand when they understand the value you provide. Clear reporting and storytelling are essential for retention and growth.

Action Steps:

  • Present each client with a simple “security scorecard” showing metrics like patch compliance, MFA coverage, and backup success rates.
  • Maintain a backlog of recommended “next best actions” to create a forward-looking security roadmap.

Powering Your Playbook: Centralized Credential Security with NordPass

A playbook is only as effective as the tools you use to execute it. Credential security is a cornerstone of this playbook, touching on identity, compliance, and incident response. NordPass, with its dedicated MSP Admin Panel, is designed to help you implement these best practices at scale.

  • Enforce Identity-First Security (Practices #2 & #5): Use role-based access and group-based vaults to create segmented spaces for your team and each client, ensuring technicians only see the credentials they need.
  • Automate Compliance & Reporting (Practice #7): Leverage detailed audit trails and activity logs to provide clients and auditors with the evidence they need—who accessed what, when, and why.
  • Standardize Secure Workflows (Practice #1): Replace risky, ad-hoc practices with built-in password generators, health reports, and secure sharing, making good hygiene the default.
  • Integrate with Your Stack: With support for SSO, MFA, and SCIM provisioning, NordPass aligns with your overall identity strategy and simplifies user onboarding and offboarding.

By combining this playbook with a focused toolset—like NordPass for credentials, NordLayer for secure network access, and NordStellar for threat intelligence—MSPs can build a resilient, low-drama operating model that proves its value month after month.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

The Corporate Blind Spot: Why Your Business Must Block Unauthorized VPNs

In today’s hyperconnected economy, organizational data is a high-value target for sophisticated threats beyond simple hacking, such as Advanced Persistent Threats (APTs) and targeted phishing. Enterprise data security is defined as a combination of policies, technologies, and practices aimed at protecting sensitive information from unauthorized access, alteration, or loss across all states—at rest, in transit, and in use. This security is a business imperative because data breaches are costly, trust is fragile, compliance is mandatory, and vulnerabilities are expanding due to ransomware and remote work.

Common Challenges to Enterprise Data Security

  • Data sprawl across various platforms.
  • A lack of visibility into where sensitive data resides.
  • The use of unsanctioned tools (shadow IT).
  • The vulnerabilities of legacy systems.
  • Insider threats.

Best Practices for Enterprise Data Security

To address these issues, the article provides a list of best practices, including:

  • Controlling access with role-based controls.
  • Using strong encryption.
  • Regularly updating and patching systems.
  • Adopting multi-factor authentication (MFA).

Modern Solutions

The post also discusses the role of modern solutions in strengthening an organization’s defense posture, such as:

  • Data Loss Prevention (DLP)
  • Identity and Access Management (IAM)
  • Zero Trust Network Access (ZTNA)

The article concludes by explaining how NordLayer helps protect enterprise data through features like network visibility, an Enterprise Browser (coming soon), built-in MFA, and support for regulatory compliance and secure remote work.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
