I recently took part in a cyber crisis simulation event which showcased Evolution Equity Partners’ portfolio companies and made Torq’s real-world value strikingly clear.
The simulation presented a realistic scenario: a data breach at a fictional wealth management firm, with the attack’s progression followed through detection, investigation, response, and resolution. Participating companies included Torq, Sweet Security, Oleria, Halcyon, and Cytactic.
This cyber simulation reinforced the need for proactive security: automation, robust identity management, and agile cloud response. It also underscored the importance of having a crisis management system in place for simulating a live event — so when the inevitable happens, all teams, stakeholders, and external parties that need to be involved in resolving a major incident are included from the beginning.
A Cyber Crisis Simulation Unfolds
1. Detecting the Impossible Alert
The initial attack vector in the simulation was a compromised credential, first identified by an “impossible journey” detection in Torq’s AI-native Hyperautomation platform. Torq identified this impossible travel through authentication logs that recorded the geographic location of each login source.
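To show the kind of logic behind such a detection, here is an added example (not Torq’s code) that reads constructed authentication records with a geolocation per login, computes the great-circle distance between consecutive logins for the same account, and flags any pair whose implied travel speed exceeds an assumed 900 km/h threshold.

```python
import math
from datetime import datetime

# Constructed sample authentication events (not from the original post):
# UTC timestamp, user, source IP (documentation ranges), latitude, longitude.
AUTH_LOG = """\
2024-05-01T09:02:11Z jsmith 203.0.113.10 40.7128 -74.0060
2024-05-01T09:48:30Z jsmith 198.51.100.7 52.5200 13.4050
2024-05-01T10:15:00Z alee 192.0.2.44 34.0522 -118.2437
2024-05-01T18:20:00Z alee 192.0.2.45 37.7749 -122.4194
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse log lines into (timestamp, user, ip, lat, lon), ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, ip, float(lat), float(lon)))
    return sorted(events)


def impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ip, to_ip, km, kmh) for each pair of consecutive
    logins by one user whose implied speed exceeds max_kmh."""
    last = {}  # user -> most recent (timestamp, ip, lat, lon)
    findings = []
    for ts, user, ip, lat, lon in parse_events(text):
        if user in last:
            pts, pip, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600
            # Same place is never suspicious; distant logins with no elapsed
            # time imply infinite speed and are always flagged.
            kmh = 0.0 if km == 0 else (km / hours if hours > 0 else math.inf)
            if kmh > max_kmh:
                findings.append((user, pip, ip, round(km), round(kmh)))
        last[user] = (ts, ip, lat, lon)
    return findings
```

In the sample data, jsmith's New York to Berlin logins 46 minutes apart are flagged, while alee's Los Angeles to San Francisco logins eight hours apart are not.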
The targeted financial services company had several layers in place to detect and respond to these types of attacks, so the incident was kicked off through the initial case management system in Torq.
Through its AI-powered automated response capabilities, Torq’s platform triaged, enriched, and investigated the alert, ultimately determining that it required escalation.
Inside Torq’s platform, this event could then be tracked by the SOC throughout the incident lifecycle until being handed off to Legal, PR, and potentially cyber-insurance and external incident response partners.
2. Confronting the Extortion
After the initial attack, it was determined that the user did in fact access sensitive information contained in an S3 bucket, which was detected by Sweet Security’s unified detection and response platform.
Once the attacker procured the data, they sent an extortion threat letter to the company which included screenshots of contracts and other sensitive information. At this point, management had to:
- Decide whether or not to disclose the breach
- Determine whether or not the breach was “material”
- Assess if they need to contact their customer base.
From there, Oleria’s identity security platform discovered that the attacker had gained access to an insecure SharePoint site but had accessed only a limited amount of sensitive data. It was determined that the SharePoint site needed to be secured and, given the limited data exposure, a negotiation team was brought in. They then found that the attacker was attempting to move laterally through the company’s systems.
3. Stopping Ransomware Escalation
From there, the company deployed Halcyon’s ransomware defense solution to determine if ransomware was active. Halcyon successfully detected and blocked infections on the systems where it was installed, but the attacker was able to begin encryption on systems where it was not.
The company then engaged Halcyon’s Professional Services to attempt to decrypt what the attacker was encrypting without having to pay for the keys.
Minimal Damage, Maximum Defense
In the end, the company was able to handle the incident without a breach disclosure and with minimal impact to customer operations. This event could have been much worse if the services company had not already deployed advanced detection and response capabilities within its security stack.
- Torq streamlined detection and initial investigation through SOC automation and integration with the entire security stack.
- Sweet Security correlated alerts and prevented exfiltration attempts in the cloud.
- Oleria uncovered user account activities and assessed breach scope.
- Halcyon blocked ransomware escalation and secured endpoints.
- Cytactic enhanced tracking and decision-making capabilities for incident response.
Building Cyber Resilience through Proactive Simulation
This “impossible journey” simulation demonstrated the critical importance of establishing effective cybersecurity strategies and deploying innovative security solutions.
Proactive cyber crisis simulations enable businesses to build resilience and minimize the impact of potential attacks by:
- Identifying vulnerabilities
- Improving mean time to detect and respond
- Testing incident response plans
- Improving decision-making under pressure
- Understanding the impact of cyberattacks
- Facilitating learning and continuous improvement
Want to learn more about leveling up your SOC’s automation and autonomous response capabilities? Read the SOC Automation Pyramid of Pain.