There's a concept in military and emergency response called the fog of war — that moment when everything is happening at once, information is incomplete, and the people who trained for this have to decide right now, with what they have.

Cybersecurity incident response is that moment. Every time.

And the dirty secret is that most organizations don't have a plan that actually holds up when the fog rolls in. They have a playbook nobody has read and a response team about to find out whether their preparation was real or theoretical.

Today's guest has spent his career in that fog — and figuring out how to cut through it.

Patterson Cake is the Director of Incident Response at Black Hills Information Security. At Right of Boom 2026, he delivered a 3.5-hour workshop called IR Simplified — and that title alone is almost a radical act in a field with a complicated relationship with simplicity. The premise: complexity is the enemy of security, and nowhere is that more true than in a crisis.

We're going from 10,000 feet all the way down to hands-on-keyboard today — and I'd have a notepad nearby.

Last week at Right of Boom, something interesting happened.

In a conference full of great sessions, one stood out — not because of hype, but because of urgency. Kelvin Tegelaar’s CIPP certification session on securing Microsoft 365 was standing room only. MSPs weren’t there for theory. They were there because M365 has quietly become the single largest attack surface in most of their client environments.

And yet, despite years of focus on security… many organizations are still dangerously exposed. So today isn’t a recap. It’s a debrief.

We’re going to unpack what Kelvin saw, what surprised him most, and what the packed room of MSPs revealed about the current state of M365 security in 2026. Where are providers still overconfident? What controls actually move the needle? And where are attackers winning because of operational gaps — not technology gaps?

Most importantly, we’ll look ahead. If M365 is now the primary battleground for identity, data, and business operations… what does “good” really look like for MSPs moving forward?

Every week there’s a new zero-day, a new CVE, a new headline. But what rarely gets talked about is what real threat hunting is uncovering when you actually go looking.

Today’s conversation is about what’s happening beyond zero-days — the automated scanning, the long-tail exploitation, the shared infrastructure, and the attack behavior that lives in the background noise of the internet.

We’re joined by Vijay Akasapu, CEO of Cylerian, whose team recently went hunting for early React2Shell exploitation and instead uncovered something much bigger: a multi-layered exploitation ecosystem probing across Java, Python, and PHP stacks at the same time.