THE ECHO
One story. Gone deep.
Your Perimeter Ended at Your Kid's Inbox
Google's Threat Intelligence Group dropped a report this week that should be mandatory reading for anyone who still thinks "perimeter" means something.
Four nation-states — China, Russia, Iran, North Korea — are running coordinated campaigns against the defense industrial base. Not just the primes. The subcontractors. The sub-subcontractors. The entire supply chain, simultaneously, from multiple angles.
The headline number: 393 days. That's the average dwell time for Chinese actors inside defense networks. Over a year, sitting quietly, reading everything.
But the number that should keep you up at night is zero — as in the zero corporate systems APT5 needed to touch to start their operation.
They built phishing lures around Boy Scout troop emails. Local high school events. Youth sports registrations. They targeted defense employees through personal accounts — Gmail, Yahoo, the family laptop — because personal accounts don't have your EDR. They don't have your SOC watching. They don't even have your password policy.
Once inside someone's personal life, the pivot to corporate is trivial. Shared passwords. Personal devices on corporate WiFi. A forwarded document. One link between the personal and professional, and your security program never sees the entry point.
This isn't a phishing problem. It's a complexity problem.
Defense contractors have spent billions on network security, endpoint protection, zero trust architectures. All of it assumes the attack starts at the perimeter. These attacks start at a Little League signup sheet.
Each individual system works as designed. Corporate email filters catch corporate phishing. EDR monitors corporate endpoints. DLP watches corporate data. But the attacker isn't operating inside any single system — they're operating in the gaps between systems, exploiting edges in your security architecture that your team doesn't even know exist.
China's intelligence apparatus understands the interdependencies in your organization better than your own security team does. They know which engineer's kid plays travel soccer, which program manager volunteers as a Scout leader, which executives use the same password for LinkedIn and their VPN.
That's not a vulnerability you patch. It's a complexity you govern.
Three things worth thinking about:
Your attack surface includes your people's lives. Not in a creepy surveillance way — in a realistic threat modeling way. If nation-states are mapping your employees' families and hobbies, your threat model should at least acknowledge that those paths exist.
393 days means your detection assumptions are wrong. If you're measuring mean time to detect in hours or days, you're not operating in the same reality as these adversaries. They're patient enough to watch for over a year. Your security metrics need to account for threats that don't trigger alerts.
Complicated defenses can't solve complex attacks. You can optimize a firewall. You can tune an EDR policy. But when the attack starts at a personal email account, traverses a home network, and enters your environment through a trusted employee's device — that's not a configuration problem. That's a governance problem, and it requires thinking in systems, not checklists.
The report maps campaigns from four countries operating simultaneously against the same targets. The defenders? Still organized by vendor, by tool, by compliance framework. Silos defending against systems.
Guess who wins that matchup.
Sources: Google Threat Intelligence, no.security
SIGNAL CHECK
What else matters this week.
Microsoft's Six Zero-Day February — Patch Tuesday delivered 59 vulnerabilities with six actively exploited zero-days, all immediately CISA KEV'd. CVE-2026-21510 chains a SmartScreen bypass with privilege escalation for full compromise. Google TAG and CrowdStrike found professional exploit binaries in the wild. If your patch cycle is monthly, you're already behind. via Microsoft MSRC
Apple's First 2026 Zero-Day — CVE-2026-20700, a dyld vulnerability used in what Apple calls "extremely sophisticated attacks against specific individuals." Google TAG discovered it. Translation: nation-state spyware. Update to iOS 18.7.5 and macOS Tahoe 26.3. If you're a high-value target, patch today. via Apple Security Updates
Ransomware Learns to Kill EDR in One Step — Reynolds ransomware (Black Basta spinoff) bundles a vulnerable driver directly into its payload. One execution drops and loads the driver, kills your endpoint protection and starts encryption: no separate BYOVD staging step, so the gap between driver load and encryption that defenders used to catch is close to zero. It is still BYOVD, though. The driver has to be written to disk and loaded, so driver-load telemetry and Microsoft's vulnerable driver blocklist remain the places you can still see it. The arms race just got faster. via Symantec
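An added example of the driver-load triage that the Reynolds item above leaves implicit. This is editorial code, not from the newsletter, Symantec or the ransomware itself: the events are constructed, loosely modelled on the field names of Sysmon Event ID 6 (Driver loaded), and the vulnerable-driver hash list is a hypothetical stand-in for a real one such as Microsoft's recommended driver block rules. The logic it shows is the one that still works when the driver ships inside the payload: a validly signed driver is not a clean driver, and a driver loading from a user-writable path is a finding on its own.

```python
"""Flag BYOVD-style driver loads in driver-load events (added example).

Field names (ImageLoaded, Hashes, Signed, Signature) follow Sysmon Event ID 6;
the event lines and every hash below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Hypothetical stand-in for a real vulnerable-driver hash list (Microsoft's
# recommended driver block rules, loldrivers.io, or your own). Made-up hash.
VULN_HASH = "1" * 64
KNOWN_VULNERABLE_SHA256 = {VULN_HASH: "vuln-example.sys"}

# Where drivers normally load from. A load from anywhere else deserves a look.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
    "c:\\windows\\system32\\",
)

# Locations a standard user (or a dropped payload) can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str


_FIELD = re.compile(r"(\w+)=([^|]*)")
_SHA256 = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def parse_event(line: str) -> DriverLoad:
    """Parse one 'key=value|key=value' event line into a DriverLoad."""
    fields = dict(_FIELD.findall(line))
    m = _SHA256.search(fields.get("Hashes", ""))
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=m.group(1).lower() if m else "",
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def triage(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load should be looked at; empty means none."""
    reasons = []
    path = ev.image.lower()
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        # BYOVD drivers carry a valid signature; the hash match is what matters.
        reasons.append(f"known vulnerable driver ({KNOWN_VULNERABLE_SHA256[ev.sha256]})")
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("driver loaded from a user-writable location")
    if not ev.signed:
        reasons.append("driver is not signed")
    return reasons


def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each loaded image path to its triage findings."""
    return {ev.image: triage(ev) for ev in map(parse_event, lines)}


# Constructed sample events: one benign load, one bundled-driver pattern,
# one unsigned driver from ProgramData.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys|Hashes=SHA256="
    + "2" * 64 + "|Signed=true|Signature=Microsoft Windows",
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\ldr.sys|Hashes=SHA256="
    + VULN_HASH + "|Signed=true|Signature=Some Hardware Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\svc\\helper.sys|Hashes=SHA256="
    + "3" * 64 + "|Signed=false|Signature=",
]

if __name__ == "__main__":
    for image, reasons in triage_log(SAMPLE_EVENTS).items():
        print(image, "->", reasons or "no findings")
```

The benign disk.sys load produces no findings; the Temp-directory load is flagged three times (known hash, outside the driver directories, user-writable path) even though it is validly signed, which is the point: signature status alone would have waved it through.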
THE NOISE
Not every signal needs action.
LVMH's €25 Million GDPR Fine — Louis Vuitton, Dior, and Tiffany got hit by CNIL for consent violations. The headlines frame it as a wake-up call. It isn't. These are routine audit findings against companies with revenue measured in tens of billions. €25 million is a Tuesday for LVMH. The enforcement that matters is the kind that changes behavior — and luxury brands paying pocket change for consent form mistakes isn't that.
ONE QUESTION
No answer. Just the question.
If an adversary mapped your employees' personal lives with the same rigor you map your network — what would they find that your security program doesn't cover?
Michael Faas is a fractional CTO/CISO at Echo Cyber who helps growth-stage companies build governance frameworks for technology and security.