Bloomberg did some terrific and deep reporting last week on how private equity debt likely contributed to a series of major compromises at Ivanti at the hands of China-backed hacker groups. They touch on several other examples, but it seems like the list could be quite long at this point.

https://www.bloomberg.com/news/features/2026-02-19/vpn-used-by-us-government-failed-to-stop-china-state-sponsored-hackers

https://archive.ph/BkzSX

The guys at the Risky Business podcast have been talking forever about major breaches and code compromises that occurred after various security companies were acquired by private equity firms and loaded with debt. They've argued (correctly, in my book) that when you see this happening with a vendor you use, it's a good signal to find a suitable alternative to whatever that platform does for you.

@briankrebs good infosec reporting from Bloomberg!? what has the world come to
@briankrebs quickly replacing PE-acquired infosec vendors was already a good practice: prices skyrocket at renewal & service quality decreases as PE guts the expensive talent & expertise that make the platform work. Glad to see this coverage of the phenomenon from Bloomberg.
@briankrebs This is one of the many things that makes security/IT leadership so hard. Now we also have to evaluate the market landscape for products & services we already have and use (I mean, we already are but now there's a better established precedent on why).
@briankrebs I think it's a good rule in general: if private equity gets involved with any entity you do business with, start removing any dependence on that entity immediately. PE is frankly toxic, anything it touches dies.
@briankrebs Thanks for the heads up Brian
@briankrebs If they were using their brains, they wouldn't be priests in the first place.

@briankrebs In our risk assessment practices, whenever a company is acquired by private equity, it is a big red flag. There are some early signs (like massive conferences, marketing events, etc.) that suggest they are just speculative tools and not security businesses.

Not to mention how they thrive on not solving problems, but that's just my personal opinion.