Press freedom · Case study

Securing an investigative newsroom


The organization

An investigative journalism unit attached to a mid-size media organization. The team produces long-form investigations covering corruption, organized crime, and government surveillance — the kind of reporting that regularly draws legal pressure, targeted phishing campaigns, and state-sponsored interest.

The newsroom employs 12 reporters and editors, plus a small IT team shared with the parent organization. They handle confidential sources, leaked documents, and pre-publication materials that would cause significant harm if exposed.

The problems

The team came to us with a set of concerns they'd been carrying for months but hadn't been able to address with their existing IT resources:

What we did

Phase 1: Threat model and security assessment

We started by building a realistic threat model for the newsroom — not a generic "advanced persistent threat" exercise, but a specific analysis of who might target them, with what capabilities, and through which attack surfaces.

From there, we ran a purple team engagement against their existing infrastructure. We emulated the techniques actually used by state-sponsored groups known to target journalists (credential phishing, spear-phishing with malicious documents, lateral movement through shared drives, and endpoint persistence). Every technique was mapped to MITRE ATT&CK, and we worked alongside their IT team to see which controls detected what.

The results were sobering but actionable: their endpoint suite caught about 40% of the techniques we tested. Their SIEM generated alerts for two of the 15 attack chains. The response playbooks that existed on paper hadn't been exercised and contained outdated escalation contacts.

Phase 2: Detection engineering and hardening

Based on the purple team findings, we wrote custom detection rules for the gaps that mattered most — prioritized by the threat model, not by a generic severity score. We tuned their SIEM to reduce alert noise and built three focused response playbooks: one for credential compromise, one for document exfiltration, and one for compromised endpoints.
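As an illustration of what "custom detection rules mapped to ATT&CK" looks like in practice, here is an added example written for this page; it is not a rule from the engagement, and the page does not say which rules were written. It covers two of the techniques emulated in Phase 1: a malicious-document lure (an Office process spawning a scripting host, ATT&CK T1204.002) and endpoint persistence via a Run key that points at a user-writable path (T1547.001). The Sysmon-style field names (`event_id` 1 and 13, `Image`, `ParentImage`, `TargetObject`, `Details`), the hostnames, and the sample events are all constructed assumptions.

```python
"""Two toy detection rules run over constructed Sysmon-style telemetry.

Added example for illustration only, not a rule from the engagement described
on this page. Event field names follow Sysmon's process-creation (ID 1) and
registry value-set (ID 13) events; hosts, users and paths are made up.
"""
import json
from dataclasses import dataclass
from typing import Callable, List, Optional

# ATT&CK IDs: T1204.002 User Execution: Malicious File,
#             T1547.001 Boot or Logon Autostart: Registry Run Keys.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RUN_KEY_MARKER = "\\currentversion\\run"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_spawn(ev: dict) -> Optional[Alert]:
    """Malicious-document lure: an Office application spawning a script host."""
    if ev.get("event_id") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return Alert("office_spawns_script_host", "T1204.002", ev["host"],
                     f"{parent} -> {child}: {ev.get('CommandLine', '')}")
    return None


def rule_run_key_user_path(ev: dict) -> Optional[Alert]:
    """Persistence: a Run key whose value points into a user-writable directory."""
    if ev.get("event_id") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    if RUN_KEY_MARKER in target and any(p in details for p in USER_WRITABLE):
        return Alert("run_key_user_writable_path", "T1547.001", ev["host"],
                     f"{ev['TargetObject']} = {ev['Details']}")
    return None


RULES: List[Callable[[dict], Optional[Alert]]] = [rule_office_spawn, rule_run_key_user_path]


def run_detections(lines: List[str]) -> List[Alert]:
    """Apply every rule to every JSON event line; return alerts in event order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs). Events 0 and 2 should alert;
# events 1 and 3 are benign look-alikes the rules must not fire on.
SAMPLE_EVENTS = [
    json.dumps({"event_id": 1, "host": "reporter-07",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell -nop -w hidden -enc BASE64PAYLOAD"}),
    json.dumps({"event_id": 1, "host": "reporter-07",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": "WINWORD.EXE /n draft-v3.docx"}),
    json.dumps({"event_id": 13, "host": "reporter-07",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "Details": r"C:\Users\maria\AppData\Roaming\svchost.exe"}),
    json.dumps({"event_id": 13, "host": "editor-02",
                "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"}),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} on {a.host}: {a.detail}")
```

The point of carrying the ATT&CK ID on each alert is the one the case study makes: a rule exists because a specific emulated technique went undetected, so the alert can be traced back to the purple-team finding that justified it, and the benign look-alike events show the tuning needed to keep the SIEM quiet.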

We also ran a tabletop exercise with the editorial leadership to pressure-test the human side of incident response — what happens when a reporter's device is compromised mid-investigation, and the story is two days from publication?

Phase 3: Secure infrastructure migration

We deployed Matrix/Element as the newsroom's encrypted communications platform, replacing the patchwork of personal Signal accounts and inconsistent PGP usage. Matrix gives them end-to-end encrypted messaging, file sharing, and voice/video on a dedicated homeserver rather than a public one, so user management, room policies, and retention are under organizational control. One point worth stating plainly: the end-to-end encryption keys live on each reporter's devices, not on the server. The homeserver holds at most the encrypted key backup used for device recovery, so administrators can manage accounts and rooms without being able to read message content.

We migrated their file storage to a single-tenant Nextcloud instance running on infrastructure we operate in Iceland, providing encrypted storage with clear data residency and no third-party subprocessors. Reporters can access files from any device, with the same convenience as a commercial cloud drive but with full organizational control over accounts, sharing, and retention.

Phase 4: SecureDrop deployment

We deployed a SecureDrop instance following the Freedom of the Press Foundation's official guidelines, including the physical security requirements. This gave the newsroom a proper anonymous tip line that sources reach over Tor, with submissions decrypted and read only on an air-gapped Secure Viewing Station, and a clear chain of custody for sensitive materials from submission to the reporter handling them.

The outcome

After the engagement, the newsroom had:

"We went from hoping our security was good enough to knowing exactly where we stand — and having the infrastructure to back it up."
