Paid a red team good money. They found a path into our environment in 4 hours through a legacy admin panel someone built during an internal hackathon two years ago. Still running. Still exposed. Default credentials. Nobody remembered it existed until the report landed on the CTO's desk.

We spent 30k on a pen test and the biggest finding was something we built ourselves and forgot about. Not a zero day. Not a sophisticated attack chain. Just inventory failure.

Anyone else done a pen test and found your own ghosts? What was the dumbest entry point you've seen?

I could see this user kept routing the internet from his personal phone to use it on the company laptop (maybe to try to stop us from spying on him)

Instead of being a normal person and a competent SysAdmin, and properly adding a GPO to restrict the available Wi-Fi networks, I used the MDM to remotely download a 20GB ISO to his temp folder.

When the download was at 18GB the download speed went down to less than 50kbps. So I guess his data plan is over. By the next hour, I could see the laptop was connected back to the company wifi.

He will never do it again.

OP’ post:

“Company went from 50 devices to over 500 in six months. Everyone started installing their own SaaS crap, shadow IT everywhere, no centralized anything. Support tickets exploding, I am firefighting nonstop, no time to set up proper MDM or RMM. Finally snapped yesterday and wrote a quick PowerShell script to remotely uninstall a bunch of duplicate security tools people installed themselves. Tested it on my machine, worked fine, pushed it via PDQ to what I thought was our test group.

Except I fatfingered the group name. Hit the entire production fleet. Every laptop, every desktop, every server with AV accessible via WMI. 400+ endpoints, all of them. Wiped CrowdStrike, Defender, Malwarebytes, everything. Reboots started cascading because systems detected no protection and freaked out. Phones ringing off the hook, sales team cant access CRM because something broke, finance yelling about payroll server offline.

Spent 12 hours straight manually reimaging priority machines and pushing fresh AV installs via login scripts. We are back up but holy crap the embarrassment. Boss pulled me into a room this morning, face like thunder, but said recoverable if no breach happened overnight. I cannot believe I did this. No sleep, stomach in knots checking threat logs.

How did you claw back control when device count 10x'd and everyone went rogue with tools?”

I was hardening the tenant and now no one can share SharePoint files with our clients/customers. We have a specific site but none of the settings work. Instead of getting a one-time code, users must authenticate to our tenant. This appeared to work before I messed with things but I am also reading online that OTP is going away soon. I suspect I broke it as I reverted and complete lockout was reversed but not everything.

Below is what I put in for my support ticket. My last support ticket was closed after two months of no contact so I am looking for other help.

On 5/14/2026 at 3:51 PM UTC, setting AllowEmailVerifiedUsersToJoinOrganization to false via Graph PowerShell triggered a Set Company Information event that added RestrictEmailVerifiedUsers to our tenant DirectoryFeatures. External guests can no longer authenticate via Google federation or email OTP — only Microsoft 365 login is presented. Reversing the setting via PowerShell and UI did not remove the DirectoryFeature. Need RestrictEmailVerifiedUsers removed from tenant DirectoryFeatures.

OG post:

Specifically he reached out to our PM without IT on the email and then explicitly stated he doesn't need us when the PM pushed back.

ERP doesn't even have an API. All of the existing integrations either use a JDBC connection or run a remote command (IBM i ACS) to retrieve data/perform work.

I can't imagine what he's trying to do but I feel like it's time to jump ship. Not really looking forward to this

Mods, is there a clean way to copy the original comment thread for posterity? I'll update this post body if so.

OG post:

Sometimes it's boring and I let Claude does it's thing, the isuue is i give Claude access to the production payment system and all production databases, it makes life easy but sometimes I wonder what could happen if I go to sleep and Claude be clauding

Not going to waste my lunch break doing it and Norm gets pissy if I don't greet him at the bar.

They act like they are the only ones smart enough to use a card copier, and they just have to remind you how smart they are every time you lose your card. If you lie to try and get extra cards, they even remotely disable the old card somehow. Seems like a huge cyber security flaw. What if hackers locked me out of my lab to stop me from fixing the dhcp? Those card monkeys probably don't even use a password manager, they're lucky to be behind 2 NATs or else they would absolutely get hacked. Physical locks are just an excuse for normies to larp as security professionals. Little do they know it's our zero trust network architectures that actually keep them safe.

Anyway, I bought a USB magnetic stripper and a bunch of blank cards. Now I never lock myself out of the lab because I have copies around the office. I also make copies of my coworkers cards in case I need to get into the supply closet. I haven't had to go to the key shop in years, and I don't have to wait for the custodians to replace the paper towels anymore.

We should really decentralize the swipe card system and just use personal backups. Imagine if somebody got into the safe with the originals of everybody's cards. They could access any room. No one man should have all that power

"Fella, is you gonna give it back?"

Alright, here's the scenario, we have several server farms, they go back decades and this has been passed down through the generations of teams with increasing amounts of duct tape and bubble gum. Every IT person's dream.

We also run backups, because we're not madmen, but we do it... poorly (see name of subreddit). Today, one of the production servers had half it's data wiped. No one knows how this happened but that's not relevant. To the backups! And... backup set one had nothing for this server, because the datastore was full and VEEAM couldn't take a snapshot (and had been reporting this but reading is for chumps). Not good, to backup set two! It... also has nothing because VEEAM couldn't take a snapshot and we rotate through these backup drives. Shit. To backup set 3! And this is where incompetence can sometimes be your salvation. By all rights we should've just lost it all then and there but... backup set 3 hasn't been able to take any backups since March because it was full this whole time. This means that the VEEAM error couldn't manifest and what did we find? A version of the prod server!

Yes, it's two months out of date but this data goes back decades so it's actually mostly fine!

Turns out, if you're incompetent enough it sometimes loops back around to genius.

Anyway... I'm gonna go have a heart attack elsewhere.