Last week, CISA published an incident response report detailing how a federal civilian executive branch (FCEB) agency was breached through exploitation of a known and documented vulnerability in GeoServer (https://www.cisa.gov/news-events/alerts/2025/09/23/cisa-releases-advisory-lessons-learned-incident-response-engagement). This was not a “sophisticated zero-day,” but a widely reported weakness defenders have been aware of for some time (https://nvd.nist.gov/vuln/detail/cve-2024-36401).
This breach underscores a sobering reality: attackers don’t need innovation when defenders rely on assumptions.
Known Exploits, Unknown Effectiveness
Each time an advisory like this is released, many CISOs and CTOs are left asking the same question: “Would this have worked against us?”
The uncomfortable truth is that in many environments, the answer is uncertain. Security leaders often deploy products with the expectation of protection, but without direct validation, those expectations may not hold under real-world attack conditions.
This is why we at NSS Labs regularly evaluate security products against actual exploit samples going as far back as 10 years—including the very vulnerability used in this breach. That type of validation gives defenders evidence, not just hope, that their technologies will withstand known threats.
The Flaw in “Defense-in-Depth by Assumption”
Defense-in-depth is a well-established strategy. Multiple layers of technology—firewalls, intrusion prevention, endpoint agents, and monitoring—create redundancy and resilience. But the mere presence of these controls is not enough.
- Deployment ≠ Effectiveness. A product installed in the stack doesn’t guarantee it will perform as intended.
- Context Matters. Effectiveness depends on how controls are configured, tuned, and integrated into the environment.
- Silent Gaps Exist. Without validation, security teams may not realize that certain attack vectors bypass defenses entirely.
The CISA advisory makes clear: organizations cannot rely on “best practice” architectures alone. They must prove their defenses actually work.
Validation as the Next Frontier
Cybersecurity has long emphasized the importance of prevention and detection. The next frontier is validation: treating effectiveness as a measurable, verifiable outcome.
Validation is not theoretical—it’s practical. The critical difference between assumption and assurance is data. Testing security products against real exploits, simulating adversarial behavior, and quantifiably measuring whether defenses hold provides assurance that investment translates into protection. Independent testing bodies such as NSS Labs help provide this evidence, bridging the gap between vendor claims and operational reality.
A Practical Checklist for CISOs
Security leaders looking to strengthen their posture against known vulnerabilities can use the following framework:
- Inventory What Matters
  - Catalog critical applications, platforms, and workloads.
  - Prioritize those most tied to mission outcomes.
- Map Defenses to Assets
  - Identify which controls protect which workloads.
  - Look for overlaps, blind spots, and single points of failure.
- Validate Against Exploit Samples
  - Test defenses against real-world exploits and malware, not just lab simulations.
  - Leverage independent testing where available.
- Simulate Adversarial Behavior
  - Ensure that each component in the defensive chain is independently tested and validated.
  - Focus on the tactics, techniques, and procedures (TTPs) that threat actors are using in the current threat landscape.
- Make Validation Continuous
  - Move from one-time testing to an ongoing validation cycle.
  - Adjust configurations, patching, and investments based on results.
Final Thoughts
The lesson from this breach is clear: known vulnerabilities remain one of the most significant risks to enterprise security. Defense-in-depth alone is insufficient if it is built on untested assumptions.
The industry must embrace validation as a core pillar of cybersecurity strategy. By demanding measurable proof of effectiveness—through independent testing, adversarial approaches, and continuous validation—CISOs and CTOs can move from assumption to assurance.
The goal is simple yet profound: to ensure that when the next advisory is issued, leaders can answer with confidence:
“Yes—our defenses will hold.”