Aug 13, 2025

Black Hat 2025: How Insider Risk Became the Frontline of Conflict


Insider risk has shifted from an internal compliance concern to a frontline in modern warfare. That reality was made clear at Black Hat USA on August 6, 2025, during a closed-door executive session hosted by SentinelOne. The panel brought together leading voices in cybersecurity to examine how geopolitical cyber risk, insider threats, and critical infrastructure security are now inseparably linked.

Today’s nation-state adversaries aren’t just breaching perimeters; they are embedding themselves deep inside enterprise networks — armed with legitimate credentials, fulfilling contracts, and blending seamlessly into daily business operations. China, Russia, Iran, and North Korea (DPRK) are executing long-term infiltration campaigns, from China’s Thousand Talents program and decades-old Unrestricted Warfare doctrine to DPRK IT workers gaining trusted access through legitimate contracts.

The session featured:

  • Marshall Heilman, CEO of DTEX Systems, who described North Korea as running itself “more as a criminal enterprise than nation-state.”
  • Steve Stone, SVP of Threat Discovery and Response at SentinelOne, who observed that “everything we expected to see about cyberwar went out the door in the first 90 days of Russia’s war on Ukraine.”
  • Nicole Perlroth, author of This Is How They Tell Me the World Ends and former New York Times cybersecurity journalist, who cautioned: “Companies aren’t focused on China. They’re focused on ransomware — because ransomware hits the bottom line this quarter. China hits it five years from now.”

Insider threat protection as a strategic imperative

Insider risk is no longer a compliance silo; it is a strategic imperative. Adversaries don’t just exploit access — they exploit assumptions. HR vetting, procurement workflows, and academic partnerships all become potential infiltration vectors.

What was once a background check is now a continuous process to counter AI-enhanced employment fraud. The session underscored the need for direct, in-person engagement to verify identity. Organizations must be certain the “employee” is truly who they claim to be. 

Heilman’s advice to the question, “If you could only do one thing?”: “Meet your candidate in person.” 

Stone described how one group of applicants hired a professional actor to attend an in-person interview. 

The takeaway? Organizations must focus on behavioral intelligence and redesign their trust models, because when infrastructure becomes terrain, every credential is a potential entry point.

Geopolitical cyber risk and critical infrastructure security

Enterprise infrastructure was built to enable access — not validate identity. That design choice is now a liability, especially as China’s Unrestricted Warfare doctrine expands targeting of critical infrastructure: water systems, transportation networks, and energy grids.

Governments are no longer speculating. Many now warn that China is successfully infiltrating critical infrastructure in preparation for future conflict. Remote onboarding, federated logins, and third-party integrations create seams ripe for exploitation.

When infrastructure substitutes for identity, compromise is not a breach — it’s a design flaw. 

When a network assumes someone is who they claim to be simply because they possess valid credentials, the organization is operating on a brittle trust model. Credentials, contracts, and access tokens are often mistaken for proof of personhood when, in reality, they are only artifacts of system compliance. This creates a dangerous inversion: the more seamless the infrastructure, the more invisible the identity gaps. In such environments, anomalous actions become normalized — not because they evade detection, but because the architecture enables them. 

Restoring integrity means identity cannot be assumed; it must be continuously reasserted and validated across time, context, and affiliation. The question is not just whether someone can pass technical thresholds, but whether their behavior aligns with operational expectations.
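The trust-model point above, that a valid credential is an artifact of system compliance rather than proof of personhood, can be made concrete. The following is an added example (not code from DTEX, SentinelOne or the panel): it scores each authenticated action against a per-identity behavioral baseline so that a session is re-verified or blocked on departures from operational norms even when the token checked out. The baseline fields, risk weights, thresholds, and all sample events are assumptions constructed for illustration.

```python
"""Continuous identity validation on top of credential validation.

A token that verifies answers "was this credential accepted?", not
"is this the person the credential was issued to?". This example keeps
the credential check and adds a behavioural check so that anomalous
actions are not normalised just because the token was valid.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Baseline:
    """Hypothetical per-identity baseline learned from prior activity (constructed)."""
    countries: frozenset        # countries this identity normally works from
    work_hours_utc: range       # hours of day (UTC) in which it normally acts
    devices: frozenset          # device identifiers previously bound to it
    actions: frozenset          # actions its role performs in normal operation


@dataclass(frozen=True)
class Event:
    """One authenticated action as the application would see it (constructed)."""
    user: str
    token_valid: bool           # what the identity provider already decided
    country: str
    device: str
    action: str
    ts: datetime


def score_event(ev: Event, base: Baseline) -> tuple[int, list[str]]:
    """Return (risk score 0-100, reasons). A valid token alone scores 0;
    each departure from the baseline adds risk. Weights are assumptions."""
    if not ev.token_valid:
        return 100, ["credential rejected"]
    score, reasons = 0, []
    if ev.country not in base.countries:
        score += 30
        reasons.append(f"new country {ev.country}")
    if ev.device not in base.devices:
        score += 25
        reasons.append(f"unbound device {ev.device}")
    if ev.ts.hour not in base.work_hours_utc:
        score += 15
        reasons.append(f"outside working hours ({ev.ts.hour:02d}:00 UTC)")
    if ev.action not in base.actions:
        score += 30
        reasons.append(f"action {ev.action!r} outside role norms")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Policy thresholds (assumed): <30 allow, 30-59 re-verify identity
    out of band (step-up), 60+ block the session and open a case."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"
    return "block"


def evaluate(ev: Event, base: Baseline) -> tuple[str, int, list[str]]:
    """Decision for one event: (verdict, score, reasons)."""
    score, reasons = score_event(ev, base)
    return decide(score), score, reasons


# Constructed sample data: one contractor identity and three actions.
BASELINE = {
    "contractor-42": Baseline(
        countries=frozenset({"US"}),
        work_hours_utc=range(13, 23),
        devices=frozenset({"laptop-a1"}),
        actions=frozenset({"read_ticket", "commit_code", "open_pr"}),
    )
}

EVENTS = [
    # Normal: known country, bound device, in-hours, role-appropriate action.
    Event("contractor-42", True, "US", "laptop-a1", "commit_code",
          datetime(2025, 8, 6, 15, 0, tzinfo=timezone.utc)),
    # Same credential and device, but an off-hours bulk export: step-up.
    Event("contractor-42", True, "US", "laptop-a1", "export_repo",
          datetime(2025, 8, 6, 2, 0, tzinfo=timezone.utc)),
    # Same valid credential from an unseen country and device: block.
    Event("contractor-42", True, "XX", "vm-9f", "export_repo",
          datetime(2025, 8, 6, 2, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, score, reasons = evaluate(ev, BASELINE[ev.user])
        print(f"{ev.user} {ev.action:<12} -> {verdict:<8} ({score}) {'; '.join(reasons)}")
```

The design point is that the credential check and the behavioral check are separate signals combined by policy: the second event is rejected for step-up even though nothing about the token, device or location changed, which is exactly the case a credential-only trust model would wave through.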

Reframing insider risk management

The panel reframed risk as a strategic inevitability.

Heilman urged: “Expect to be compromised.” This is not pessimism but rather a call to focus on resilience. Remote work, dual allegiances, and infiltration vectors like the Thousand Talents Program demand risk models that anticipate deception and civil-military fusion.

Risk leaders must examine not only access points, but also the affiliations and incentives that drive them. Understanding individual behavior is essential — and must be paired with timely, proactive action when risks emerge.

Stone stressed: “Understand your adversary.” Without attribution — knowing the actor, motive, and method — deterrence collapses, and response becomes performative. 

Perlroth exposed a dangerous bias: “Companies are more worried about ransomware than slow PRC infiltration.” This reflects a short-term pain threshold rather than a long-term strategic threat model.

The panel urged a diagnostic shift: “Companies analyzing risk need to understand what they can live without.” This led to a wide-ranging discussion on functional fragility, and what systems, if disrupted, would cause business cessation.

Private sector in the geopolitical crosshairs

Private companies are no longer peripheral to geopolitical entanglements; they are embedded within them, not as passive observers but as active participants, targets, and proxies. The blurred line isn’t metaphorical; it’s operational. Infrastructure decisions, identity protocols, and risk postures now carry geopolitical consequences. Companies must keep an eye on geopolitical realities.

The strategic imperative was clear: contingency planning for geopolitical conflict must be formalized at the C-suite level. War readiness is no longer a military prerogative; it’s a business continuity requirement. When war arrived, as it did when Russia invaded Ukraine in February 2022, companies found themselves having to make decisions, whether infrastructural, communicative, or symbolic, that were interpreted not only by those at war but also by their own employees, their insiders.

From compliance to business continuity in insider risk

Nation-state actions and geopolitical realities directly affect corporate stability. Insider risk is not a niche concern — it is a strategic lens for evaluating identity, infrastructure, and affiliation.

Resilience begins with knowing exactly who is inside your organization. Insider risk is now an all-of-company responsibility. In today’s connected environment, clarity is no longer optional — it is mission-critical.

C-suite key takeaways: Insider risk in the age of geopolitical conflict

In today’s environment, insider risk is not just a security problem — it’s a board-level issue that directly impacts operational resilience, brand integrity, and national security alignment. The panel’s insights serve as a roadmap for leaders navigating this new reality.

Key takeaways for the C-suite:

  • Treat insider risk as a strategic imperative, not a compliance exercise — integrate it into enterprise risk and business continuity planning.
  • Reinforce identity verification protocols — meet candidates in person where possible, validate identities continuously, and counter AI-enhanced employment fraud.
  • Reassess critical infrastructure dependencies — know which systems are most vulnerable and which you cannot operate without.
  • Understand your adversary — invest in attribution, intelligence, and geopolitical awareness to anticipate state-aligned threats.
  • Eliminate brittle trust models — do not mistake credentials for identity; validate behavior against operational norms.
  • Elevate geopolitical contingency planning — formalize war-readiness protocols at the C-suite level, recognizing that business decisions now carry strategic consequences.

The message from Black Hat’s closed-door session was unequivocal: insider risk has moved from the margins to the center of corporate and geopolitical strategy. Nation-state adversaries are embedding themselves inside enterprise ecosystems, and the organizations that endure will be those that build resilience into their identity processes, infrastructure design, and decision-making.

In this blurred landscape, insider threat protection is no longer a security department’s problem — it is an enterprise-wide responsibility. Leaders who treat insider risk as a dynamic, strategic priority will be better positioned to withstand both the slow-burn infiltration of hostile actors and the sudden shocks of geopolitical crises.

In a world where critical infrastructure and geopolitical conflict are increasingly linked, staying ahead requires timely intelligence. DTEX offers confidential threat briefings with the latest behavioral indicators and insider risk insights, giving leaders the foresight to act before threats escalate. To strengthen your defenses, request a threat briefing.
