Written by Threatmatic, Tue Jan 20 2026

Five Breaches. One Answer.

The most damaging cyberattacks of 2024–2025 shared the same root cause — and the same solution.


The most damaging cyberattacks of the past two years had different targets, different attackers, and different industries. Change Healthcare. Salt Typhoon. Ivanti. The U.S. Treasury. Jaguar Land Rover.

Different victims. Same story.

Each attack succeeded not because the perimeter failed — but because there was no meaningful boundary inside it. One compromised endpoint became a highway to everything else.

The Five Incidents

Change Healthcare (February 2024) — The ALPHV/BlackCat ransomware group infiltrated a processor handling 15 billion healthcare transactions annually. Lateral movement encrypted data across the entire network. 100 million patient records compromised. $22M ransom paid. $870M+ in recovery costs. Pharmacies across America couldn't fill prescriptions for weeks.

Salt Typhoon (Late 2024) — Chinese state-backed hackers spent months operating silently inside eight major U.S. telecom carriers, siphoning call metadata, geolocation data, and audio recordings targeting senior government officials. The Senate Intelligence Committee chair called it "the worst telecom hack in our nation's history."

Ivanti VPN Zero-Days (January 2025) — Critical authentication bypass vulnerabilities in Ivanti Connect Secure VPN triggered emergency alerts worldwide. The deeper problem wasn't the vulnerability itself — it was that organisations had built their entire security posture around perimeter VPN technology. When the VPN failed, everything behind it was exposed.

U.S. Treasury / BeyondTrust (December 2024) — Attackers used a compromised BeyondTrust API key to access Treasury workstations and ~3,000 documents linked to senior officials. The vendor didn't confirm the breach until six days after detecting it. Six days of uncontested access inside one of the world's most sensitive government environments.

Jaguar Land Rover (August–September 2025) — A vishing campaign by a collective combining Scattered Spider, Lapsus$, and ShinyHunters halted all three UK manufacturing plants for five weeks. UK car production fell 27% — the worst since 1952. Total economic impact: £1.9 billion.

The Common Thread

Every one of these attacks followed the same pattern:

  1. A single point of entry — phishing, a zero-day, a compromised vendor
  2. Unobstructed lateral movement across a flat or insufficiently segmented network
  3. Detection that came too late, or not at all

The entry point wasn't the problem. The hallway was.

What Changes With Threatmatic

Threatmatic's Zero Trust architecture closes the hallway.

Microsegmentation via QSchannel™ means a compromised device cannot reach systems it has no reason to reach. Lateral movement — the mechanism that turns a single breach into an enterprise-wide crisis — is structurally impossible.

Continuous identity mapping means every network flow is verified on both user and application axes. Silent, long-dwell persistence like Salt Typhoon's becomes visible immediately rather than months later.

Sub-50ms containment means the window between detection and isolation is measured in milliseconds, not days. A compromised device is quarantined before damage can cascade.

VPN elimination means there is no authentication bypass to exploit. Threatmatic replaces VPN infrastructure entirely — the attack surface the Ivanti exploits depended on simply doesn't exist.
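To make the three ideas above concrete (default-deny segmentation between workloads, a flow verified on both the user and the application axis, and automatic quarantine of a device whose flows keep being denied), here is a small policy-enforcement model. It is an added illustration written for this post, not Threatmatic code and not a model of QSchannel; every workload name, segment, user, application identity, rule and threshold in it is constructed for the example.

```python
"""Illustrative microsegmentation policy check (added example, not Threatmatic code).

Assumptions (all hypothetical): each observed flow carries a source workload, a
destination workload, the authenticated user on the source, and the identity of
the application that opened the connection. Policy is default-deny: a flow is
allowed only if one explicit rule matches the segment pair, the port, the user
AND the application. A source whose flows are denied repeatedly is quarantined.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source workload / device
    dst: str    # destination workload
    user: str   # authenticated user identity (user axis)
    app: str    # application identity of the connecting process (application axis)
    port: int


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    users: frozenset   # permitted user identities
    apps: frozenset    # permitted application identities
    ports: frozenset   # permitted destination ports


# Constructed inventory: workload -> segment. Anything not listed is unknown and denied.
SEGMENTS = {
    "laptop-42": "user-endpoints",
    "claims-web-01": "claims-web",
    "claims-db-01": "claims-db",
    "billing-db-01": "billing-db",
}

# Constructed allowlist. Note there is deliberately no rule from user-endpoints to any database.
RULES = [
    Rule("user-endpoints", "claims-web", frozenset({"alice"}), frozenset({"browser"}), frozenset({443})),
    Rule("claims-web", "claims-db", frozenset({"svc-claims"}), frozenset({"claims-api"}), frozenset({5432})),
]


def evaluate(flow, rules=RULES, segments=SEGMENTS):
    """Return (allowed, reason). Default-deny; both identity axes must match one rule."""
    src_seg = segments.get(flow.src)
    dst_seg = segments.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "unknown workload (not in inventory)"
    reason = f"no rule permits {src_seg}->{dst_seg}:{flow.port}"
    for r in rules:
        if (r.src_segment, r.dst_segment) != (src_seg, dst_seg) or flow.port not in r.ports:
            continue
        if flow.user not in r.users:
            reason = f"user {flow.user!r} not permitted on {src_seg}->{dst_seg}"
            continue
        if flow.app not in r.apps:
            reason = f"app {flow.app!r} not permitted on {src_seg}->{dst_seg}"
            continue
        return True, f"allowed by rule {src_seg}->{dst_seg}"
    return False, reason


class Enforcer:
    """Stateful wrapper: counts denials per source and quarantines repeat offenders."""

    def __init__(self, rules=RULES, segments=SEGMENTS, quarantine_after=3):
        self.rules, self.segments = rules, segments
        self.quarantine_after = quarantine_after
        self.denials = {}        # source workload -> number of denied flows
        self.quarantined = set()

    def check(self, flow):
        if flow.src in self.quarantined:
            return False, "source quarantined"
        allowed, reason = evaluate(flow, self.rules, self.segments)
        if not allowed:
            n = self.denials.get(flow.src, 0) + 1
            self.denials[flow.src] = n
            if n >= self.quarantine_after:
                self.quarantined.add(flow.src)   # containment: cut the source off entirely
        return allowed, reason


def simulate_compromise():
    """Constructed scenario: laptop-42 is compromised; malware runs in alice's session."""
    enf = Enforcer(quarantine_after=3)
    flows = [
        Flow("laptop-42", "claims-web-01", "alice", "browser", 443),   # legitimate use
        Flow("laptop-42", "claims-db-01", "alice", "browser", 5432),   # lateral: no endpoint->db rule
        Flow("laptop-42", "billing-db-01", "alice", "browser", 5432),  # lateral: unrelated segment
        Flow("laptop-42", "claims-web-01", "alice", "scanner", 443),   # right user, wrong application
        Flow("laptop-42", "claims-web-01", "alice", "browser", 443),   # legitimate, but source is now quarantined
    ]
    return [enf.check(f) for f in flows]


if __name__ == "__main__":
    for allowed, reason in simulate_compromise():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point the model makes is the one the post makes: the first flow is indistinguishable from normal use and is allowed, but a valid user identity on its own buys the compromised device nothing beyond the one segment and application pair it was already entitled to, and the denied attempts themselves are the detection signal that triggers isolation.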


We've published a full intelligence brief examining all five incidents in detail — including the specific Threatmatic capabilities that would have blocked each attack, and the summary matrix mapping root causes to solutions.

Read the full intelligence brief →