Global · Paris Hub · Crisis Command · Major Incident Doctrine · Operational Resilience
2026: Crisis Command · Major Incident Doctrine · Decision Architecture

Control Fails Before Systems Do.

Doctrine for organisations operating under pressure, uncertainty, and systemic disruption.

Crisis does not create failure. It exposes structures that were already weak. These are not playbooks. They are decision systems for environments where information is incomplete and consequences are irreversible.

Signature Doctrine Systems

The Architecture of Crisis Coherence

Four proprietary frameworks. Control must be established before action is taken.

Control Collapse Model™

Organisations fail when decision authority fragments under pressure. This model maps the cascade from initial disruption through authority fragmentation to operational paralysis.

Decision AuthorityAuthority Fragmentation
Crisis Decision Hierarchy

Single authority. Clear escalation. No ambiguity. The structural prerequisite for coherent action under time pressure.

Single AuthorityEscalation Protocol
Failure Cascade Mapping

How small disruptions become systemic breakdowns. A diagnostic framework for identifying structural vulnerability before crisis reveals it.

Failure PatternsVulnerability Mapping
Operational Integrity Index

A measure of whether an organisation can still make coherent decisions. When this degrades, technical recovery becomes irrelevant.

Operational MetricsControl Measurement
● Live Intelligence · France · CNIL · ANSSI · NIS2

Live Threat Intelligence

Renseignements sur les menaces pondérés pour les entités régulées françaises — contrôleurs et sous-traitants supervisés par la CNIL, entités essentielles et importantes NIS2 sous ANSSI, et opérateurs d'infrastructure critique. Sources : CNIL, ANSSI, CISA, CERT-EU, ENISA, Mandiant, CrowdStrike, Cloudflare Radar, The Register, et analyse doctrinale propriétaire. Dernière mise à jour : 4 mai 2026.

Critique — CNIL · Sanction FREE 42 M€ · MFA Obligatoire · Bases de Données Clients

CNIL Inflige 42 M€ à FREE Mobile (27 M€) et FREE (15 M€) pour Sécurité Insuffisante des Données de 24 Millions d'Abonnés — L'Authentification Multifacteur Devient Exigence Opposable pour Tout Accès Distant aux Bases de Données Clients à Grande Échelle

La CNIL a prononcé en janvier 2026 des sanctions de 27 millions d'euros contre FREE Mobile et 15 millions d'euros contre FREE — 42 millions au total — à la suite d'une violation survenue en octobre 2024 exposant les données personnelles de 24 millions d'abonnés, incluant les IBAN. Dans son rapport 2025 publié en février 2026, la CNIL a formalisé une doctrine d'audit désormais opposable : toute organisation hébergeant des bases de données de plusieurs millions d'individus doit déployer l'authentification multifacteur pour l'ensemble des accès distants — collaborateurs internes, partenaires, sous-traitants et parties tierces disposant d'un accès base de données. Cette exigence MFA constitue désormais la norme de référence dans les enquêtes de la CNIL ; son absence en cas d'incident est une non-conformité caractérisée à l'Article 32 du RGPD. Pour les opérateurs numériques français — e-commerce, banques en ligne, assureurs, opérateurs télécom, régies publicitaires — l'arrêté FREE marque un durcissement doctrinal dont les effets dépassent les télécommunications : la CNIL a explicitement indiqué que sa méthodologie d'examen s'applique à tout secteur hébergeant des bases de données clients à grande échelle. La priorité d'action immédiate est l'audit des accès distants aux bases de données : cartographier les identités disposant d'un accès, vérifier le déploiement MFA, et documenter l'architecture de contrôle pour être en mesure de répondre à une enquête CNIL sur demande.

Source: CNIL (sanction-free-2026, jan. 2026), Data Protection Report (mars 2026), Termly GDPR Fines 2026, EnforcementTracker — Mis à jour le 4 mai 2026
Critical — ANTS · 19M Records · Identités Souveraines

Violation ANTS Confirmée — 19 Millions de Titres Souverains en Distribution Criminelle; La CNIL Ouvre une Enquête Préliminaire; Les Traitements KYC et les Vérifications d'Identité Document-Centriques Sont Compromis

L'Agence Nationale des Titres Sécurisés a confirmé le 22 avril que jusqu'à 19 millions de données d'identité souveraine — passeport, carte nationale d'identité, permis de conduire — sont en distribution criminelle. La détection remonte au 15 avril, l'offre criminelle au 16 avril, la divulgation publique au 20 avril, et la confirmation gouvernementale au 22 avril. Pour les organisations traitant des documents d'identité français dans des flux KYC, d'assurance d'âge, ou de vérification réglementaire, la conséquence opérationnelle immédiate est que l'hypothèse d'unicité du document est compromise : la même image documentaire et les mêmes métadonnées peuvent exister en distribution criminelle. Tout flux de vérification d'identité reposant sur un document photographique français sans re-liaison biométrique vivante est exposé à un taux de faux négatifs matériellement accru. La CNIL a ouvert une enquête préliminaire et les sous-traitants irlandais et européens traitant des données d'identité françaises peuvent recevoir des réclamations de personnes concernées.

Source: TechCrunch (22 avr. 2026), The Register, Cybernews, ANTS, CNIL, GDPR Articles 33/34, DPC — Mis à jour le 4 mai 2026
High — CNIL · Vague d'Enforcement ePrivacy

Amende CNIL 325 M€ contre Google — Précédent ePrivacy pour les Opérateurs Numériques Français; Bandeaux de Consentement et Architecture de Traçage sous Scrutin Actif dans tous les Secteurs

L'amende de 325 millions d'euros infligée par la CNIL à Google pour violations de la directive ePrivacy marque le déclenchement d'une vague d'enforcement pan-européen du consentement numérique. La méthodologie de la CNIL — analyse des bandeaux de consentement, des mécanismes d'opt-out, et de l'écart entre l'architecture de consentement documentée et les contrôles effectivement déployés — s'applique à toute propriété numérique française exposée aux utilisateurs. Pour les opérateurs du secteur financier, de l'assurance, du retail, et des médias numériques avec des propriétés web en France, la question opérationnelle est de savoir si la politique de cookies publiée décrit fidèlement les traitements réellement mis en œuvre — et si cette description a été testée dans des conditions adversariales. La CNIL a partagé sa méthodologie avec les autres APDs européennes via le mécanisme de cohérence RGPD ; des autorités homologues en Allemagne, aux Pays-Bas et en Belgique appliquent désormais la même grille d'analyse.

Source: Goodwin CNIL/Google Fine Analysis, CNIL Sanctions Register, Termly GDPR Fines 2026, EnforcementTracker — Mis à jour le 4 mai 2026
High — ANSSI · NIS2 Audits Actifs · Mois d'Avril

ANSSI en Mode Audit Actif depuis le 18 Avril NIS2 — France Parmi les Premiers États Membres à Passer de l'Orientation à l'Examen; Gouvernance des Accès, Journaux d'Audit et Fournisseurs SaaS en Première Ligne

Avec 22 États membres ayant transposé NIS2 et seulement 16% des organisations concernées prêtes au 18 avril, l'ANSSI a passé du mode guidance au mode audit actif. La France fait partie des trois premières juridictions — avec l'Allemagne (BSI) et les Pays-Bas (NCSC-NL) — à conduire des examens formels d'entités essentielles et importantes. Les trois axes d'audit prioritaires identifiés dans le cycle belge — gestion des accès et des identités privilégiées, complétude et rétention des journaux d'audit, et obligations de sécurité dans la chaîne d'approvisionnement (Article 21) — sont les mêmes en France. Pour les fournisseurs SaaS proposant leurs services à des entités essentielles françaises, les dispositions supply-chain de NIS2 Article 21 créent des obligations directes de sécurité : le régulateur du client peut auditer les contrôles du fournisseur. Les fournisseurs qui ne peuvent pas produire des preuves d'audit sur demande n'ont pas de marge de remédiation dans une fenêtre d'examen.

Source: EnforcementTracker, ANSSI, NIS2 Directive (EU/2022/2555), Diamatix NIS2 Enforcement 2026, ENISA — Mis à jour le 4 mai 2026
Critical — CERT-EU · EC Breach · Institutions Parisiennes

CERT-EU Confirme la Deuxième Violation de la Commission Européenne en 2026 — Données du Personnel Potentiellement Exposées; Entités Françaises avec Contreparties Institutionnelles EU Sous Risque de Hameçonnage Ciblé

CERT-EU a confirmé la deuxième violation des systèmes de la Commission européenne en 2026, attribuée au groupe TeamPCP via le vecteur de compromission de la chaîne d'approvisionnement Trivy. Des données personnelles du personnel de la Commission sont potentiellement exposées, et l'infrastructure de messagerie peut avoir été partiellement compromise. Pour les organisations françaises — ministères, agences réglementaires, opérateurs d'importance vitale — entretenant des relations formelles de communication ou d'échange de données avec des DG de la Commission, Europol, l'ABE ou l'AEMF, le risque opérationnel immédiat est l'hameçonnage ciblé à partir d'adresses officielles @ec.europa.eu dont la légitimité ne peut plus être garantie. Les responsables sécurité devraient informer les collaborateurs concernés et temporairement rehausser les protocoles de vérification pour toute demande impliquant une transaction financière, une provision d'accès ou une transmission de données sensibles prétendant provenir d'un correspondant Commission.

Source: CERT-EU, Security Affairs (European Commission breach), Gibson Dunn Europe, ANSSI — Mis à jour le 4 mai 2026
Critical — NoName057(16) · Escalade DDoS Q1 2026 · 20,5 M d'Attaques Bloquées · France Cible Documentée

Cloudflare a Bloqué 20,5 Millions d'Attaques DDoS au Q1 2026 — 96% du Volume Total de 2024 Absorbé en un Seul Trimestre; NoName057(16) Maintient son Ciblage Soutenu des Infrastructures Françaises; Plafond Hyper-Volumétrique à 31,4 Tbps Dépasse les Architectures de Mitigation Pré-2024

Le rapport Cloudflare 2026 révèle que 20,5 millions d'attaques DDoS ont été bloquées au seul premier trimestre 2026 — représentant 96% du volume total enregistré sur l'ensemble de l'année 2024 — confirmant une escalade sans précédent du paysage DDoS mondial. Le plafond hyper-volumétrique documenté est désormais de 31,4 Tbps, soit une augmentation supérieure à 700% par rapport aux normes de fin 2024. NoName057(16), avec 4 693 attaques revendiquées en 2025 et une trajectoire 2026 active, maintient le gouvernement français, les opérateurs de transport, et les services financiers comme cibles documentées et récurrentes dans son corpus d'opérations. Pour les opérateurs français d'entités essentielles NIS2 — portails de services publics numériques, systèmes de transport ferroviaire et aérien, banques en ligne, opérateurs de télécommunications — le plan de gestion de crise DDoS doit avoir été réévalué contre le plafond 31,4 Tbps depuis 2024. L'ANSSI a publié des lignes directrices actualisées sur la mitigation DDoS dans le cadre NIS2 ; les entités qui ne peuvent pas démontrer une capacité d'absorption ou un plan de dégradation gracieuse documenté face à un scénario hyper-volumétrique sont exposées à des constats d'audit dans le cycle d'examen ANSSI actif. La priorité opérationnelle immédiate : vérifier que le prestataire de mitigation DDoS dispose d'une capacité contractuellement garantie supérieure à 5 Tbps, et qu'un arbre de décision de dégradation de service est disponible sans nécessiter de réunion de comité.

Source: Cloudflare 2026 Threat Report (Q1 DDoS data), Radware 2026 Global Threat Report, ANSSI, Flowtriq State of DDoS 2026, StationX DDoS Statistics 2026 — Mis à jour le 4 mai 2026
Nouveau — EDPB CEF 2026 · Atelier DPC/CCPC · IA & Consommateurs

EDPB CEF 2026 : Constatations sur le Traitement IA Transfrontalier — Atelier Conjoint DPC/CCPC le 7 Mai 2026 sur la Protection des Consommateurs IA

Le Cadre d'Exécution Coordonné de l'EDPB 2026 (CEF) publie ses premières constatations sur le traitement IA transfrontalier : lacunes dans les analyses d'impact (DPIA) pour les systèmes de recommandation, absence de base légale documentée pour les profils comportementaux, et non-conformité des mécanismes de consentement dynamique. Simultanément, la DPC irlandaise et la CCPC organisent un atelier conjoint le 7 mai 2026 sur la protection des consommateurs IA — tarification algorithmique abusive, manipulation par contenu synthétique, et obligations de l'Article 22 RGPD pour les décisions automatisées. Les entités françaises utilisant des plateformes IA avec traitement de données irlandaises ou opérant sous la surveillance de la DPC irlandaise comme autorité principale doivent revoir leurs DPIA et leur documentation d'Article 22 avant le 31 mai 2026. (EDPB/DPC/CCPC/NCSC-IE/CBI, 4 mai 2026)

Source: EDPB CEF 2026, DPC/CCPC Workshop Notice, NCSC-IE Threat Bulletin 4 May 2026 — Mis à jour le 4 mai 2026

Flux de renseignements actualisé le 4 mai 2026 — Pondéré pour les entités régulées françaises sous supervision CNIL, ANSSI et sectorielle. Sources : CNIL, ANSSI, CISA, CERT-EU, ENISA, Mandiant, CrowdStrike, Cloudflare Radar, Microsoft MSRC, The Register, et analyse doctrinale propriétaire.

Incident Domains

Major Incident Categories

Six major incident types. Each requires distinct decision architecture and recovery doctrine.

Ransomware

Enterprise Disruption. Control failure event with technical symptoms. Becomes major incident when core operations are disrupted, data integrity uncertain, authority fragmented.

Extortion AttackEncryption
Distributed Denial of Service

Operational Pressure. Attack is about which services survive sustained load. Decision architecture determines what remains available, degrades, abandoned.

AvailabilityService Prioritisation
Data Exfiltration & Breach

Information Compromise. Breach doctrine: identify scope, notify regulatory bodies, establish disclosure governance, restore stakeholder confidence.

Data IntegrityRegulatory Notification
Identity & Privileged Access Compromise

Access Doctrine. Attacker moves laterally with legitimate credentials. Access must be frozen, integrity verified, authority restored before systems return.

IAMCredential Compromise
Supply Chain Disruption

Cascade Doctrine. Third-party compromise spreads to core systems. Isolation, vendor accountability, upstream verification required. Organisation stops as a system.

TPRMVendor Risk
AI & Autonomous Systems

Non-Deterministic Failure. AI systems fail silently — producing plausible but wrong outputs. Traditional monitoring does not detect model drift, adversarial inputs, or training data poisoning. Blast radius determined by downstream decision dependencies.

AI GovernanceModel Risk
Major Incident Doctrine

Ransomware — Enterprise Disruption

Ransomware is not a cyber incident. It is a control failure event with technical symptoms.

Situation

Ransomware becomes a major incident when core operations are disrupted, data integrity is uncertain, and decision authority becomes fragmented.

Organisations often respond with paralysis. Attack teams move fast. Decision teams move slowly. Authority splits into technical response, legal liability, payment consideration, disclosure governance, and board notification.

This fragmentation is where control collapses.

First 60 Minutes: Control Establishment Protocol

Assign single decision authority. Board-mandated incident commander. One person. One decision chain. Speed increases when authority is single.

Halt uncontrolled system changes. Do not confuse urgency with direction. Lock all non-isolated systems. Preserve evidence integrity. Freeze all non-essential system changes.

Isolate affected environments logically, not blindly. Segment based on control plane, not just network. Preserve backups offline.

Establish communication cadence. Board briefing: minute 15, 30, 60. Stakeholder notification: minute 45. Regulatory notification: based on legal mandate (usually within 72 hours).

Decision Architecture: Five Parallel Tracks

Track 1 — Containment: Isolate affected systems. Verify isolation. Document evidence. Preserve forensics. Scope assessment. Does threat continue to spread?

Track 2 — Operational Continuity: Which systems restore first? Which operations are non-negotiable? Business continuity plan activation. Failover decisions. RTO/RPO enforcement.

Track 3 — Payment Consideration: Do not delegate. Board-level decision. Legal/regulatory consultation. Law enforcement notification. Negotiation only after board decision. Track payments if made.

Track 4 — Disclosure Governance: Who knows? Who needs to know? Regulatory filing thresholds. Customer notification timelines. Media response. Board communication.

Track 5 — Recovery Doctrine: Systems return online. Control must return to leadership. If incident commander walked into a structure that was already fragmented, fragmentation returns.

Board-Level Questions
  • Can the incident commander make a payment decision, or must that escalate to the board?
  • What is the RTO for critical operations? Is backup restoration realistic or aspirational?
  • Which regulators must be notified? What are the timelines?
  • What happens to customer data if recovery fails? What is the disclosure plan?
  • What is the organisational narrative? (Story matters. Narrative controls the regulatory response.)
Failure Modes

Fragmentation: Multiple decision makers. Multiple decisions. No alignment. Speed increases. Control decreases. By hour 4, no one knows who decided what.

Technical Confidence: Dashboards show activity. Leadership assumes progress. Reality: direction is absent.

Payment Negotiation Before Control: Attackers negotiate while organisation still cannot define scope. Payment becomes higher. Decryption tools unreliable. Recovery remains impossible.

Disclosure Delay: Regulators expect notification within 72 hours. Delaying to "understand scope" creates secondary breach. Notification is mandatory.

Operational Restart Without Verification: Systems restore. But backups were poisoned. Attacker returns. Control did not return.

Recovery Doctrine

Systems returning online is not recovery. Control returning to leadership is.

Organisations that restore systems but do not restore decision authority remain operationally unstable. This is where secondary incidents originate.

Verification: All systems must prove integrity before acceptance. Cryptographic attestation. Not visual inspection.

Structural Analysis: Why did this succeed? What control failed? Answer before resuming normal operations.

Authority Restoration: Incident commander hands control back to permanent leadership. Decision authority becomes consolidated again. Single strategic voice.

Operational Doctrine

DDoS — Service Availability Under Pressure

DDoS is not about attack. It is about which services survive sustained pressure.

Situation

DDoS becomes a major incident when critical customer-facing services degrade or fail. Unlike ransomware, data is not exfiltrated. But reputation, revenue, and trust are lost in minutes.

Decision architecture must answer: Which services must stay available? What degrades acceptably? What can be abandoned?

First 60 Minutes: Prioritisation Protocol

Identify critical services. Not all services have equal value. Payment processing outage is existential. Marketing website outage is reputational.

Activate DDoS mitigation. Upstream filtering, capacity increase, geographic load distribution.

Establish customer communication. Status page active. Public messaging. Board briefing. Regulatory notification if mandated.

Measure duration. Is attack sustained? Is attacker escalating? Or is this brief probe?

Decision Architecture: Service Hierarchy

Tier 1 (Survive): Payment systems. Authentication systems. Core operational systems. This tier must remain available.

Tier 2 (Degrade Acceptably): Customer portals. Reporting systems. Capacity can reduce. Performance degrades. Availability maintained.

Tier 3 (Abandon): Analytics. Marketing automation. Reporting dashboards. Can be shutdown without operational impact. Restore after attack ceases.

Failover decision: Geographic isolation, service shedding, rate limiting. Which tool applies to which service?

Failure Modes

Indiscriminate Mitigation: Shutdown all services to protect one. Result: attacker wins. Everything is offline.

Inadequate Capacity Planning: Normal load is close to capacity limit. Attack adds 10x load. Organisation cannot handle it.

No Decision Authority: Network team sheds traffic. Application team disagrees. Support team makes promises. No coordinated response.

External Dependency: DDoS mitigation is ISP-dependent. ISP cannot scale. Organisation is hostage to external capacity.

Recovery Doctrine

Recovery is stability under load, not absence of attack.

Organisations that restore service only when attack stops are not recovered. They are temporarily lucky.

Load Testing: After attack ceases, simulate attack load. Can systems sustain it? Or do they cascade?

Capacity Increase: Attack exposed capacity limits. Increase them. Permanently.

Supplier Accountability: ISP/CDN provider failed? Contract renegotiation. Backup provider activation. Do not remain dependent on single supplier.

Breach Doctrine

Data Exfiltration & Breach — Information Compromise

Breach doctrine: identify scope, notify regulatory bodies, establish disclosure governance, restore stakeholder confidence.

Situation

Data exfiltration becomes a major incident when personal, financial, or proprietary data leaves the organisation's control. Scope is unknown. Attacker retains copy indefinitely.

Regulatory response is mandatory. GDPR, CCPA, sector-specific regulations all require notification. Delay creates secondary breach.

First 60 Minutes: Scope & Notification

Identify data type. Is data encrypted in transit and at rest? Was encryption bypassed? Or was data exfiltrated unencrypted?

Quantify scope. How many records? What data elements? Personal identifiers or just usernames?

Regulatory notification. Most jurisdictions require notification within 72 hours. Begin drafting notification immediately. Do not wait for investigation completion.

Customer communication plan. What will you tell affected customers? When? Via what medium?

Decision Architecture: Five-Track Response

Track 1 — Forensics: What was exfiltrated? When? How? Preserve evidence. Do not overwrite logs.

Track 2 — Regulatory Notification: GDPR: 72 hours. CCPA: "without unreasonable delay." Other jurisdictions: varies. Do not delay for investigation completion.

Track 3 — Customer Notification: Affected customers must be informed. Notification must contain: what data, why, what steps organisation is taking, what customers should do.

Track 4 — Credit Monitoring: If financial or identity data exfiltrated, offer credit monitoring for 12–24 months. Regulatory requirement in many jurisdictions.

Track 5 — Containment: Stop the bleeding. Close the exfiltration vector. Isolate affected systems. Verify attacker cannot continue.

Board-Level Questions
  • Can scope be determined quickly, or is investigation ongoing?
  • What is the regulatory exposure? Which regulators must be notified?
  • What is the customer notification message? What are the financial implications?
  • Does the organisation have cyber insurance? Can it cover breach costs?
  • What is the organisational narrative for the market? (Third-party breach vs. internal failure = different message)
Failure Modes

Scope Creep: Investigation reveals more data than initially assessed. Each wave of discovery requires new notification. Regulatory exposure increases.

Notification Delay: Waiting for perfect investigation = regulatory violation. Notification is mandatory. Incomplete investigation is acceptable. Update regulators as scope becomes clear.

Inadequate Customer Communication: "We had a breach" is not notification. Notification requires specificity: what data, why it matters, what customers should do.

No Credit Monitoring: Many jurisdictions mandate credit monitoring for identity data breaches. Omitting it creates secondary regulatory violation.

Recovery Doctrine

Recovery is trust restoration, not data recovery (data is gone).

Stakeholder Communication: Continuous. Weekly updates to affected customers. Regulatory reports on containment progress. Board updates on resolution.

Root Cause Mitigation: Why did exfiltration succeed? Control failure? Third-party compromise? Fix it. Permanently.

Trust Signals: Third-party audit. Security certification. Regulatory validation. Visible restoration of controls.

Access Doctrine

Identity & Privileged Access Compromise

Attacker moves laterally with legitimate credentials. Access must be frozen, integrity verified, authority restored before systems return.

Situation

Identity compromise is the most dangerous major incident. Attacker has legitimate access. They look like an insider. Detection is hard. Scope is unclear.

If privileged accounts are compromised, attacker can create backdoors, steal data, modify logs, and maintain persistence indefinitely.

First 60 Minutes: Credential Freeze Protocol

Identify compromised credentials. Which accounts? Privileged or standard? How long were they active?

Freeze all affected credentials. Force password reset. Revoke API keys. Revoke session tokens. Do not wait for investigation.

Identify lateral movement. Where did attacker go? What systems were accessed? What data was touched?

Verify system integrity. Attacker may have created backdoor accounts. Search for: new user accounts, privilege escalations, new services, modified logs.

Decision Architecture: Access Restoration

Tier 1 — Credential Remediation: All affected credentials revoked. New credentials issued. Force re-authentication across organisation.

Tier 2 — Backdoor Elimination: Identify all attacker-created access points. Remove them. Verify removal.

Tier 3 — System Integrity Verification: All systems touched by attacker must prove integrity before re-entry. Cryptographic attestation. Not visual inspection.

Tier 4 — Privilege Re-Establishment: Affected privileged users must re-validate. Identity verification. Capability verification. Slow re-certification of privilege.

Failure Modes

Incomplete Credential Freeze: Attacker still has one valid credential. Attacker re-enters systems. Incident recycles.

Missed Backdoors: Attacker created hidden user accounts, API keys, or SSH access. Organisation believes incident is closed. Attacker remains.

Premature System Restoration: Systems restored before integrity verification complete. Attacker's modifications persist.

No Privilege Re-Certification: Privileged accounts restored to same users without re-validation. If attacker stole password, attacker regains access immediately.

Recovery Doctrine

Recovery is trustworthy identity, not fast identity restoration.

Identity System Audit: All access control systems must be audited. Active Directory, Okta, privilege management tools. Attacker may have modified these directly.

Privilege Model Redesign: Why did attacker succeed with legitimate credentials? Privilege was too broad. Principle of least privilege must be enforced.

Continuous Verification: Identity compromise requires ongoing suspicion. Behaviour analytics. Access pattern anomaly detection. Continuous monitoring.

Cascade Doctrine

Supply Chain Disruption

Third-party compromise spreads to core systems. Isolation, vendor accountability, upstream verification required. Organisation stops as a system.

Situation

Supply chain incidents are distinctive. Organisation did not fail. Vendor failed. But organisation's systems are compromised.

Scope is unclear because vendor's scope is unclear. Remediation is slow because vendor drives timeline. And organisation may not even know it was compromised until attacker activates payload.

First 60 Minutes: Vendor Isolation & Assessment

Identify vendor compromise. Which product? Which version? When was it deployed?

Isolate vendor systems. If possible, network-isolate all affected systems. If isolation is dangerous (critical production), plan isolation carefully.

Assess organisational exposure. Which systems run vendor software? Which data is accessible? What is the blast radius?

Vendor communication. Request immediate technical briefing. What do they know? What have they not told you?

Decision Architecture: Isolation & Remediation

Track 1 — Network Isolation: Affected systems isolated from internet. Air-gapped if possible. Limits attacker's exfiltration capability.

Track 2 — Vendor Patch Timeline: When is patch available? Is organisation willing to patch production immediately, or does testing delay patch deployment?

Track 3 — Upstream Verification: Have other customers been compromised? Is vendor being transparent? Are regulators aware?

Track 4 — System Integrity: Even after patching, system integrity is suspect. May need rebuild from clean backup or full replacement.

Track 5 — Vendor Accountability: Contract renegotiation. Remediation timelines. Financial responsibility. Consider vendor replacement.

Failure Modes

Vendor Defensiveness: Vendor denies compromise or minimises severity. Organisation waits for truth. Delay increases exposure.

Slow Patch Deployment: Vendor takes weeks to release patch. Organisation is exposed. Patch is eventually forced, but window was long.

Insufficient Isolation: Affected system remains connected to network. Attacker continues lateral movement. Isolation was incomplete.

No Supply Chain Verification: Organisation did not verify upstream vendors. Vendor itself compromised its supplier. Chain extends further than expected.

Recovery Doctrine

Recovery is vendor independence and supply chain resilience.

Vendor Redundancy: Critical systems should have backup vendor. If primary vendor fails, secondary takes over. No single vendor should be mission-critical.

Supply Chain Audit: All vendor products must be periodically audited. Not just compliance checks. Security assessment. Code review if possible.

Contract Clauses: Contracts must include: security incident notification, remediation timeline commitments, liability for breach, supply chain transparency.

Emerging Doctrine

AI & Autonomous Systems — Incident Command

When AI systems fail, traditional incident response fails with them. Decision authority must adapt to non-deterministic systems, adversarial manipulation, and cascading model failures.

The Situation

AI systems are now embedded in critical business processes: fraud detection, credit decisioning, clinical triage, autonomous operations, content moderation. When these systems fail or are compromised, the failure mode is fundamentally different from traditional IT incidents.

Key differences: AI failures are often silent — the system continues to operate but produces wrong outputs. Traditional monitoring does not detect model drift, adversarial inputs, or training data poisoning. The blast radius is determined by how many downstream decisions depend on the compromised model.

Threat vectors (April 2026): AI-powered attacks have increased 340% since 2024; organisations face an average of 1,200 AI-enhanced attack attempts per day (WEF). Prompt injection attacks specifically rose 340% year-on-year — a single crafted sentence embedded in a document the AI was asked to summarise will instruct the model to ignore its rules and execute new ones. 59% of organisations experienced at least one deepfake attack. Arup lost $25M to a deepfake CFO video conference. Real-time voice cloning operates from seconds of audio, authorising fraudulent transfers that bypass verbal verification protocols. Adversarial inputs bypass classification models. Training data poisoning corrupts behaviour over weeks without triggering alerts. Model extraction attacks steal proprietary capabilities at scale. Agentic AI systems introduce autonomous attack chains operating without human oversight; a single over-privileged API token or misconfigured memory buffer exposes enterprise data at machine speed. The adversary no longer targets the human. They co-opt the automated employee — the agent the human built to act on their behalf.

First 60 Minutes

Minute 0–15 — Model Isolation: Identify all systems consuming output from the compromised AI model. Determine blast radius: how many business decisions are affected? Switch to manual fallback or rule-based override. Do not wait for root cause analysis to begin isolation.

Minute 15–30 — Decision Authority: AI incidents require cross-functional command. Data science alone cannot arbitrate business impact. Establish incident commander with authority over: model rollback decisions, customer communication, regulatory notification, and business continuity.

Minute 30–60 — Impact Assessment: Determine: how long has the model been compromised? How many decisions were affected? Are those decisions reversible? What is the regulatory exposure (EU AI Act, sector-specific requirements)? Begin evidence preservation for forensic analysis of model behaviour, training data, and inference logs.

Decision Architecture

Track 1 — Model Containment: Rollback to last known-good model version. If no clean version exists, switch to deterministic rules engine. Accept degraded performance over compromised AI output.

Track 2 — Impact Quantification: Enumerate every decision made by the compromised model during the exposure window. Classify decisions by reversibility: fully reversible, partially reversible, irreversible. Prioritise remediation of irreversible decisions.

Track 3 — Regulatory & Legal: EU AI Act requires incident reporting for high-risk AI systems. Determine classification of affected AI system. Prepare notification to relevant supervisory authority. Document all containment actions taken.

Track 4 — Stakeholder Communication: Customers whose decisions were affected by compromised AI must be notified. Board requires briefing on AI risk exposure. Regulators require technical incident report with model performance data.

Track 5 — Root Cause & Hardening: Was this adversarial attack, data poisoning, model drift, or infrastructure compromise? Implement model monitoring (input validation, output anomaly detection, drift detection). Establish AI-specific incident playbooks.

Failure Modes

Silent Degradation: AI model produces plausible but incorrect outputs. No alerts trigger. Downstream decisions accumulate errors over weeks. By the time detection occurs, remediation scope is massive.

Adversarial Exploitation: Attacker manipulates model inputs to produce desired outputs. Fraud detection model approves fraudulent transactions. Content moderation model approves prohibited content. Organisation does not detect manipulation because model metrics appear normal.

Cascade Through Dependencies: One compromised model feeds data to three other models. Downstream models inherit corrupted inputs. Error propagates through ML pipeline. Blast radius exceeds initial assessment because dependency mapping was incomplete.

Regulatory Exposure: Organisation fails to report AI incident within required timeframe. Regulatory authority determines AI system was high-risk under EU AI Act. Penalty is assessed not just for the incident but for failure to classify, monitor, and report.

Recovery Doctrine

Recovery from AI incidents requires more than model retraining.

Model Governance: Implement model inventory with risk classification. Every AI model in production must have: owner, risk tier, monitoring dashboard, rollback procedure, and manual fallback process.

Continuous Validation: Deploy automated model monitoring: input distribution monitoring, output anomaly detection, performance drift alerts, adversarial input detection. Alert thresholds must be set by business impact, not just statistical deviation.

AI Incident Playbook: Traditional IR playbooks do not cover AI-specific scenarios. Develop playbooks for: model compromise, training data poisoning, adversarial attack, model extraction, and AI-generated social engineering.

Board-Level AI Risk: Board must understand AI risk exposure. Quarterly AI risk briefing covering: model inventory, incident history, regulatory compliance status, and emerging threat vectors (deepfakes, prompt injection, autonomous system failures).

Flagship Intellectual Asset

Why Organisations Lose Control in Crisis

Most organisations do not collapse. They drift into loss of control. By the time this is visible, recovery is already unlikely.

The Opening

Crisis does not create failure. It exposes structures that were already weak.

Organisations with fragile governance structures, unclear decision authority, and poor communication discipline often collapse under incident pressure. But the weakness existed before the incident. The incident merely revealed it.

In Q1 2026, multiple high-profile incidents — including a healthcare provider disruption that diverted ambulances and delayed chemotherapy across two countries, a medical device manufacturer attack where 200,000 devices were reportedly wiped and 50TB of data exfiltrated, a supply chain attack that compromised the security scanners used to defend against attacks, and an npm package compromise affecting 100 million weekly downloads — all demonstrated the same failure pattern: the incident was survivable; the response was not. The technical capability existed. The decision architecture did not.

Pattern 1 — Authority Fragmentation

Multiple leaders. Multiple decisions. No alignment.

In crisis, speed is essential. But speed requires clarity about who decides what. When authority is fragmented, each function (tech, legal, finance, HR) makes local optimisations. These decisions contradict each other.

Example: Technical team decides to restore systems immediately. Legal team insists on investigation completion first. Finance wants payment consideration before committing resources. Board wants public narrative settled before any announcement. No one person arbitrates. All four decisions run in parallel. Contradictions mount. External parties (regulators, customers, media) receive contradictory messages.

Result: Organisation looks chaotic. Actual control is lost because no one controls the response.

Pattern 2 — False Technical Confidence

Dashboards show activity. Leadership assumes progress. Reality: direction is absent.

Technology teams are competent. They respond quickly. Monitoring shows activity. Alerts trigger. Response actions execute. From the dashboard, incident appears to be "under control."

But no one has decided what control means. No one decided what success looks like. No one arbitrated conflicting priorities. Technical teams responded energetically to wrong objectives.

Example: Ransomware incident. Network team isolates infected systems. But database team rolls back from backup before forensic analysis complete. Finance team negotiates payment without board decision. When technical isolation is later re-assessed, it is discovered that three additional systems were compromised but not isolated. Isolation was incomplete. The activity on dashboards was misleading.

Result: Organisation feels it is responding. In reality, response is misdirected.

Pattern 3 — Communication Collapse

Parallel conversations. Contradictory messaging. Organisation stops acting as one system.

In crisis, multiple conversations happen simultaneously. Customer communications team drafts public statement. Regulatory team prepares disclosure notice. Media relations team prepares talking points. Investor relations team prepares earnings call script. Board communications team prepares shareholder letter.

None of these conversations are coordinated. Each assumes different facts. Each optimises for different audiences. Messaging contradicts across channels.

Example: Breach incident. Public statement says "Limited impact, no personal data affected." Regulatory notice says "Personal data of 2.4M customers exfiltrated." Customer notification says "Your email address may have been compromised." Investor call says "Breach exposure is contained." External parties cross-reference. Contradictions are visible. Trust collapses. Regulator interprets contradictions as deception. Investigation deepens. Penalties increase.

Result: Organisation stops communicating as one entity. External perception is that organisation is dishonest or incompetent.

Pattern 4 — Decision Avoidance

Delay becomes strategy. Critical choices are deferred until options disappear.

Hard decisions are avoided in crisis because they are hard. Payment decisions. Disclosure decisions. Vendor termination decisions. Board escalation decisions.

Leadership defers these decisions, hoping situation will resolve on its own. But in crisis, situation rarely resolves without decision. Delay compresses the decision window. Options that were available on day 2 are no longer available on day 4.

Example: Ransomware incident. Payment decision is deferred while "exploring technical recovery options." By day 5, technical recovery has failed. Payment negotiation window is closing. Attacker demands answer. Now decision is made under pressure, with compressed options, with incomplete information.

Result: Decisions become reactive instead of proactive. Control shifts to attacker, regulator, or circumstance.

Pattern 5 — Illusion of Recovery

Systems return. Control does not. Organisation remains structurally unstable.

Technical recovery is achievable. Systems are restored. Backups are restored. Normal operations resume. From the dashboard, crisis is over.

But decision authority remains fragmented. Communication remains broken. Structural weaknesses that enabled the incident remain in place. Organisation is now operationally unstable but not visibly so.

Attacker returns. Or a different failure exposes the same weaknesses. Or next incident occurs before organisation has finished recovering from the first.

Example: DDoS incident resolved after 18 hours. Services restored. Customers resume operations. Business declared recovered. But no decision was made about capacity increases. No decision was made about additional DDoS mitigation. Next attack, same pattern repeats. Same mitigation fails. Same resolution timeline.

Result: Organisation confuses operational recovery with structural recovery. Instability persists.

The Core Conclusion

Organisations do not fail because they are attacked. They fail because they cannot decide under pressure.

Attack is external. Decision failure is internal.

The most resilient organisations are not those with the best technology. They are organisations with clear decision authority, explicit decision protocols, and communication discipline.

When crisis arrives, these organisations can respond coherently. Authority is clear. Decisions are made quickly. Messaging is aligned. Recovery is real.

The Closing

Control is not restored by technology. It is restored by structure.

Structure means: single incident commander. Clear escalation path. Board mandate. Decision authority is real, not ceremonial. Communication protocol is enforced. Messaging is verified before release. Recovery doctrine is documented before crisis.

Organisations that establish this structure before crisis will retain control during crisis. Organisations that defer this work until incident occurs will lose control during crisis.

The choice is made long before the incident arrives.

FRANCE MENACES · 1 mai 2026

CISA/NCSC advisory botnet China-nexus: Volt Typhoon/Flax Typhoon — infrastructure partagée professionnalisée; ANSSI évalue impact sur infrastructures critiques françaises. CNIL sanctions FREE MOBILE (27M€) + FREE (15M€) — jan 2026 — précédent sécurité télécoms EU. MITRE ATT&CK v19: scission Stealth/Defense Impairment; campagne C0062 APT IA (PRC). NIS2 premiers audits T-60 j (30 juin 2026). (CISA/NCSC/ANSSI/CNIL/MITRE, 1 mai 2026)

Contact Email Direct