Two Kinds of Companies — Those Who’ve Been Hacked, and Those Who Haven’t Checked Yet | Stack of Truths

🔍 BREACH DETECTION / SECURITY REALITY

There Are Two Kinds of Companies: Those Who’ve Been Hacked, and Those Who Just Haven’t Checked Yet

📅 May 17, 2026 ⏱️ 5 min read 🦞 Pedro Jose 🔐 The Breach Blind Spot

The old saying was comforting: “There are two types of companies: those that have been hacked, and those that will be.”

It implied a future event. Something you could prepare for. Something you might still have time to prevent.

That saying is wrong.

The real two types are: those who know they’ve been hacked, and those who haven’t checked yet.

⚠️ The Harsh Truth: The average data breach takes 277 days to detect. That’s over 9 months. During that time, the company in the second category is confident they’ve never been hacked. They’re just wrong.

The Detection Gap

Let me tell you what I’ve seen as a pentester.

I’ve walked into companies that were 100% certain they had never been breached. They had firewalls. They had antivirus. They passed compliance audits. Their CEO would say “security is a priority” with a straight face.

Then I ran a simple scan. Checked their logs. Tested their exposed assets.

And found signs of compromise that had been there for years.

  • An S3 bucket with public read access, sitting there for 14 months. An attacker had downloaded customer data 8 months ago. No one noticed.
  • A database with default credentials. The logs showed foreign IP addresses querying it daily for the last 6 months.
  • An employee’s credentials for sale on the dark web. Someone had been inside their VPN for weeks.
  • Malware on a server that had been calling home to a command-and-control server every 6 hours for 11 months.

Every one of these companies told me “we’ve never been hacked.” They believed it. They were wrong.
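
One of those findings, the server calling home every six hours, is exactly the kind of thing a log review can surface without any vendor tooling, because a timer-driven implant is far more regular than a human. The following is an added example (not the author's code and not from any product the post mentions) that groups outbound connections by source and destination and flags flows whose inter-connection timing is too regular to be browsing. The log format, the sample log and the thresholds are assumptions constructed for the example; the addresses are RFC 5737 documentation space, not real infrastructure.

```python
"""Flag periodic outbound connections (beaconing) in a connection log.

Added example. Sample log is constructed; format is "ISO-time src dst:port bytes".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample (not real traffic).

    10.0.0.12 beacons to 203.0.113.7:443 every 6 hours with a little jitter,
    the pattern described in the post. The same host also talks to
    198.51.100.20 at irregular times, which must not be flagged.
    """
    start = datetime(2026, 5, 1, 3, 0, 0)
    lines = []
    jitter = [0, 40, -25, 55, -10, 30, -45, 20]          # seconds of jitter
    for i, j in enumerate(jitter):
        t = start + timedelta(hours=6 * i, seconds=j)
        lines.append(f"{t.isoformat()} 10.0.0.12 203.0.113.7:443 612")
    for h in (9, 9.2, 11, 14.5, 15, 16.75, 17, 19, 21.3, 22):   # irregular browsing
        t = start + timedelta(hours=h)
        lines.append(f"{t.isoformat()} 10.0.0.12 198.51.100.20:443 4096")
    return sorted(lines)


def parse_log(lines):
    """Group connection timestamps by (src, dst:port); malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events[(parts[1], parts[2])].append(ts)
    return events


def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return {(src, dst): (count, mean_interval_seconds, cv)} for flows whose
    connection intervals are too regular to be human.

    cv is the coefficient of variation (population stddev / mean) of the gaps
    between consecutive connections. Irregular browsing gives a cv near or
    above 1; a timer with small jitter gives a cv near 0. min_events and
    max_cv are assumed thresholds for the sample; tune them on your own data.
    """
    flagged = {}
    for flow, stamps in parse_log(lines).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[flow] = (len(stamps), avg, cv)
    return flagged


if __name__ == "__main__":
    for (src, dst), (n, avg, cv) in find_beacons(build_sample_log()).items():
        print(f"BEACON? {src} -> {dst}: {n} connections, "
              f"every {avg / 3600:.2f} h, cv={cv:.3f}")
```

Run it against a day or two of real firewall or proxy logs and the flows with the lowest cv are the ones to pull apart first; raise min_events for noisy environments, and remember that legitimate agents (monitoring, update checks) beacon too, so the output is a triage list, not a verdict.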

📊 The Numbers Don’t Lie:
  • 277 days — average time to detect a breach
  • 54% of companies don’t detect breaches on their own (they’re notified by an external party)
  • 64% of organizations say they’ve had undetected data loss
  • $4.1M — average breach cost when detected externally vs $2.8M when detected internally

Why Companies Don’t Check

The reason most companies don’t know they’ve been hacked isn’t because hacking is sophisticated. It’s because checking is uncomfortable.

If you run a vulnerability scan and find nothing, you feel good. If you run a pentest and find critical vulnerabilities, now you have a problem you need to fix.

So many companies choose not to look. Not explicitly. They just… never get around to it. “We’ll do a pentest next quarter.” “We’ll review those logs when we have time.” “We’re too busy shipping features.”

Ignorance is comfortable. Until it’s not.

And by the time it’s not, the damage is done. The data is gone. The attacker has been inside for months. The only question is how much they took.

🔴 The “We Haven’t Been Hacked” Fallacy: Most companies that say this haven’t done the work to verify it. They haven’t run a pentest. They haven’t reviewed their logs. They haven’t checked the dark web for their credentials.

“Haven’t found evidence” is not the same as “no evidence exists.”

The Attacker’s Advantage

Attackers know this. They know most companies aren’t looking. They know breaches take months to detect. They know they have time.

Here’s what an attacker’s timeline looks like:

  • Day 1: Breach occurs. Attacker gains access.
  • Day 1-30: Attacker explores. Maps your network. Finds your data. Installs backdoors.
  • Day 30-90: Attacker exfiltrates data slowly. Blends in with normal traffic. No alarms trigger.
  • Day 90-277: Attacker maintains access. Waits. Sells access to other criminals. Or prepares for ransomware.
  • Day 277 (average): You discover the breach. Not because you found it. Because someone told you. A customer. A bank. A journalist. The attacker themselves (ransomware).

By the time you know, the attacker has been inside for 9 months. That’s not a breach. That’s a residency.

🎯 The Attacker’s Math: Attackers don’t need to be invisible forever. They just need to stay hidden longer than you’re willing to look. Most companies stop looking after the quarterly compliance scan. Attackers know this. They wait.

What “Checking” Actually Looks Like

Checking isn’t running a compliance scan once a year. Checking isn’t trusting your firewall dashboard. Checking isn’t assuming “no alerts means no problems.”

Real checking means:

  • External penetration testing. Let someone try to break in. See what they find. Assume they’ll find something.
  • Internal vulnerability scanning. Your perimeter isn’t the only risk. What’s already inside your network?
  • Log review. Not just collecting logs. Actually reviewing them. Looking for anomalies. Investigating suspicious patterns.
  • Dark web monitoring. Your credentials are probably for sale. Find out before an attacker uses them.
  • Continuous monitoring. A point-in-time check is a snapshot. Attackers operate 24/7. So should your detection.
  • Incident response planning. Not just a document. A plan you’ve actually practiced. Because when the breach happens, you won’t have time to figure it out.

Most companies do none of this consistently. Some do one of them annually. Almost none do all of them.

That’s why 54% of breaches are detected by external parties. You’re not finding them. Someone else is.

```python
# The difference between "checking" and "believing"

def check_security():
    # Each call stands for one of the activities listed above; the names are
    # illustrative, not a library.
    findings = []
    findings += run_penetration_test()
    findings += review_logs(days=90)
    findings += scan_for_compromised_credentials()
    findings += test_incident_response_plan()
    return findings


def believe_security():
    return "We passed our audit."

# One finds problems. The other finds comfort.
```

The Cost of Not Knowing

Let me put this in terms your CFO will understand.

A pentest costs €750–€5,000. A full security audit might cost €15,000. A year of continuous monitoring with a retainer costs €18,000.

A breach that someone else finds for you costs $4.1M on average (the externally-detected figure above). Plus legal fees. Plus regulatory fines. Plus customer churn. Plus stock price drop. Plus the CISO getting fired.

You’re not saving money by not testing. You’re gambling. And the house always wins.

Except in this case, the house is the attacker. And they’re not playing by the rules.

💰 The ROI of Testing:

Cost of a pentest: €750–€5,000
Cost of finding a breach in 3 days vs 277 days: Priceless

Every day you don’t look is a day the attacker could be inside. And you’d never know.

The Second Category Isn’t Safe — It’s Lucky

If you’re in the second category (“we haven’t been hacked, we just haven’t checked”), you’re not safe. You’re lucky.

And luck runs out.

The attacker isn’t guessing. They’re scanning. They’re probing. They’re trying credentials. They’re looking for unpatched vulnerabilities.

Every company has vulnerabilities. Every company has misconfigurations. Every company has employees who click things they shouldn’t.

The difference between companies that catch a breach in days and companies that find out after nine months is whether someone was looking when the attacker tried.

If you’re not looking, you’re not protected. You’re just not notified yet.

🦞 Stack of Truths Note: I’ve tested companies that had never been pentested. Every single one had critical vulnerabilities. Every single one had evidence of past compromise they never detected.

The ones that tested found out. The ones that didn’t… still don’t know.

Ignorance isn’t bliss. It’s just undiagnosed.

What to Do This Week

You don’t need to panic. But you need to act:

  1. Assume you’ve been breached. Start from that assumption. What would you look for? Where would you find evidence?
  2. Run a vulnerability scan. Find the low-hanging fruit. The open ports. The default credentials. The unpatched systems.
  3. Get a manual pentest. Automated scanners miss logic flaws, privilege escalation, and business logic abuse. You need a human.
  4. Review your logs. Look for anomalies. Unusual outbound traffic. Failed login attempts from strange IPs. Data transfers at odd hours.
  5. Check the dark web. Your credentials are probably for sale. Find out before someone uses them.
  6. Set up continuous monitoring. A point-in-time test is a snapshot. You need ongoing detection.
  7. Test your incident response plan. Not just read it. Practice it. Because when the breach happens, you won’t have time to learn.
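
Step 4 is the one most people skip because "review your logs" sounds vague. As an added example (not the author's tooling), here is what the first pass looks like in code: it reads sshd-style authentication lines for failed-login bursts and successful logins from addresses outside the ranges you expect, reads outbound transfer records for large copies outside business hours, and then intersects the two, because an account that logged in from an unknown address and moved gigabytes at 3 a.m. is a much stronger signal than either fact alone. The expected address ranges, business hours, size threshold, both log formats and all the sample lines are constructed assumptions; the external address is RFC 5737 documentation space.

```python
"""Log review triage: unexpected logins and off-hours transfers.

Added example. Logs are constructed; formats and thresholds are assumptions.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed for the example: the office LAN and VPN egress ranges logins should
# come from, what counts as business hours, and what counts as a large copy.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB

# Constructed sshd-style lines (not from a real host).
AUTH_LOG = [
    "2026-05-10T02:14:03 sshd[1201]: Failed password for admin from 203.0.113.45 port 51022 ssh2",
    "2026-05-10T02:14:07 sshd[1201]: Failed password for admin from 203.0.113.45 port 51023 ssh2",
    "2026-05-10T02:14:11 sshd[1202]: Failed password for invalid user oracle from 203.0.113.45 port 51024 ssh2",
    "2026-05-10T02:14:15 sshd[1203]: Accepted password for admin from 203.0.113.45 port 51025 ssh2",
    "2026-05-10T08:30:00 sshd[1310]: Accepted publickey for alice from 10.0.4.21 port 50110 ssh2",
    "2026-05-10T08:31:12 sshd[1311]: Failed password for bob from 10.0.4.22 port 50111 ssh2",
    "2026-05-10T09:02:45 sshd[1320]: Accepted publickey for bob from 198.51.100.9 port 50300 ssh2",
]

# Constructed outbound transfer records: "ISO-time user destination bytes".
TRANSFER_LOG = [
    "2026-05-10T10:15:00 alice files.example.net 734003200",
    "2026-05-10T03:05:00 admin 203.0.113.45 2147483648",
    "2026-05-10T22:40:00 bob 198.51.100.9 1048576",
    "2026-05-10T03:20:00 admin 203.0.113.45 734003200",
]

AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def is_expected(ip, nets=EXPECTED_NETS):
    """True if ip falls inside one of the ranges we expect logins from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def review_auth_log(lines, nets=EXPECTED_NETS, fail_threshold=3):
    """Return (bursts, outside_successes).

    bursts: {ip: failures} for unexpected IPs with >= fail_threshold failures.
    outside_successes: [(timestamp, user, ip)] for logins that succeeded from
    an address outside the expected ranges, regardless of failure count.
    Failures from expected ranges are ignored here (typos are normal).
    """
    fails = Counter()
    successes = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        if is_expected(ip, nets):
            continue
        if outcome == "Failed":
            fails[ip] += 1
        else:
            successes.append((ts, user, ip))
    bursts = {ip: n for ip, n in fails.items() if n >= fail_threshold}
    return bursts, successes


def odd_hour_transfers(records, hours=BUSINESS_HOURS, min_bytes=LARGE_TRANSFER_BYTES):
    """Return [(timestamp, user, dst, bytes)] for transfers of at least
    min_bytes that started outside business hours."""
    hits = []
    for rec in records:
        parts = rec.split()
        if len(parts) != 4:
            continue
        ts, user, dst, size = parts[0], parts[1], parts[2], int(parts[3])
        if datetime.fromisoformat(ts).hour not in hours and size >= min_bytes:
            hits.append((ts, user, dst, size))
    return hits


def suspect_accounts(auth_lines, transfer_records):
    """Accounts that both logged in from an unexpected address and moved a
    large amount of data outside business hours."""
    _, successes = review_auth_log(auth_lines)
    from_outside = {user for _, user, _ in successes}
    moved_at_night = {user for _, user, _, _ in odd_hour_transfers(transfer_records)}
    return from_outside & moved_at_night


if __name__ == "__main__":
    bursts, successes = review_auth_log(AUTH_LOG)
    print("failed-login bursts from unexpected IPs:", bursts)
    print("successful logins from unexpected IPs:", successes)
    print("large off-hours transfers:", odd_hour_transfers(TRANSFER_LOG))
    print("accounts to investigate first:", suspect_accounts(AUTH_LOG, TRANSFER_LOG))
```

The point of the intersection is prioritisation: on a real estate both lists will be long, and the accounts in both are where an incident responder starts. Keep the allowlist honest (a VPN that NATs everyone to one address hides exactly the logins you want to see), and treat a successful login after a burst of failures from the same address as an incident, not a finding.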

🔴 The Bottom Line: There are two kinds of companies: those who know they’ve been hacked, and those who haven’t looked yet.

The second category isn’t safe. They’re just uninformed.

> Looking doesn’t cause the breach. Not looking doesn’t prevent it. It just delays the bad news.

Check today. Because the attacker already did.

The Bottom Line

The old saying gave you hope. It suggested you might still be in the “will be hacked” category, not the “already were” category.

But you don’t know that. Not until you check.

And most companies don’t check. They assume. They hope. They wait for someone to tell them.

By the time someone tells them, it’s too late. The data is gone. The reputations are damaged. The CISO is fired. The stock has dropped.

Don’t be the company that finds out from a journalist. Be the company that found out from a pentest — and fixed it.

🦞 Do you know if you’ve been hacked?

I run penetration tests that find what you’re missing. DM me first. Quick chat. Then we book a call if we’re a fit.

No Calendly. Just a human who finds what’s hiding in your logs. Based in The Netherlands 🇳🇱
