In this special live episode of Autonomous IT, Live! we walk through a high-stakes incident response drill that mimics a disturbingly realistic threat scenario: an attacker gains access to your internal tools — not by breaking in, but by logging in.

Here's the setup: a user unknowingly reuses compromised credentials with the company’s SSO provider. An attacker logs in, flies under the radar, and impersonates internal IT support using Slack, email, and calendar invites. Their goal? Convince employees to install a fake remote access tool—all while avoiding anyone likely to report suspicious behavior.

Join Landon Miles, Tom Bowyer, and Ryan Braunstein as they:

• 🔍 Investigate a suspicious login and Slack impersonation
• 🔐 Contain and remediate the breach using real-world tactics and tools
• 📉 Discuss phishing-resistant MFA, endpoint visibility, Slack impersonation risks, and more
• 🧠 Share tips on improving security awareness, incident playbooks, and interdepartmental collaboration
• 💬 Answer live audience questions about malware analysis, EDR response, and building detection rules

Whether you’re a security veteran or just starting out in IT, this episode offers an unfiltered look at how to respond when credentials are compromised and attackers act like insiders.

📎 Bonus: We also include a downloadable Incident Response Checklist to help your team run your own tabletop exercise.

🛡️ Because in today’s world, attackers don’t need to break in—they just need to log in.