If Microsoft, GitHub, and Instructure Can't Hold the Line, Your Firewall Won't Either.

Three of the most well-resourced organizations in the world were breached in the same sixty-day window. The attack tools are getting smarter, quantum computing is quietly threatening the encryption everything depends on, and the companies spending millions on software security are still losing. There is a structural reason for that.

[Image: cartoon security owl defending a wooden castle wall against an attacker, representing software firewall defenses failing against modern threats]

The breach headlines have not slowed down. They have accelerated.

In the last sixty days: TeamPCP breached GitHub's internal repositories through a malicious VS Code extension. ShinyHunters took Canvas offline during finals week, exposing data on 275 million students across 8,800 institutions. Before that, a supply chain attack swept 4 terabytes from Mercor, including VPN configurations, SSH keys, and 40,000 contractors' personal records.

These are not small companies caught flat-footed. GitHub is owned by Microsoft, one of the largest security spenders on the planet. Canvas runs on infrastructure purpose-built for a significant fraction of the global higher education sector. Mercor counts OpenAI, Anthropic, and Meta among its clients. Every one of them had dedicated security teams, layered defenses, and tools most organizations would envy. Every one of them was breached anyway.

If the question is "what could they have done differently," the honest answer is: not much, within the framework they were using. That framework is the problem.

The Threat Landscape Is Not the Same as It Was Five Years Ago

Security practitioners have watched the threat environment shift in ways that most organizations have not yet absorbed.

For most of the last two decades, a well-resourced attacker was still a human-paced threat. Reconnaissance took time. Exploit development required specialized skill. Phishing campaigns needed to be written and targeted by hand. The defenders had time. The attackers had to choose their targets carefully because every campaign was expensive.

That constraint is gone.

AI-powered attack tooling has industrialized every phase of the offensive playbook. Phishing emails that once required a skilled social engineer to craft convincingly are now generated at scale, personalized to the target, and indistinguishable from legitimate communications. Vulnerability discovery that once required weeks of manual analysis is now partially automated, with AI systems scanning codebases and configurations for exploitable patterns faster than any human team. Malware is being written and adapted in hours rather than weeks.

The supply chain attacks that hit Trivy, LiteLLM, and ultimately GitHub and Mercor followed a pattern that was methodical, patient, and precise. The window between initial compromise and credential exfiltration was measured in minutes. The coordination suggests tooling, not improvisation.

The volume of attacks is not increasing because there are more attackers. It is increasing because each attacker can do dramatically more.

Quantum Computing Is Not a Future Problem

The standard objection to quantum computing as a near-term threat is that fault-tolerant quantum computers capable of breaking current encryption standards do not yet exist at meaningful scale. That objection is technically accurate and practically irrelevant.

Nation-state actors and well-resourced threat groups are harvesting encrypted data today. The strategy is straightforward: collect now, decrypt later. Intercepted VPN traffic, exfiltrated databases, stolen backups — all of it is being stored against the day when quantum computing makes current encryption standards breakable.

NIST finalized its first post-quantum cryptography standards in 2024. The standards exist because the cryptographic community reached consensus: the question is not whether current encryption will be broken, but when. Most organizations are still running infrastructure that depends entirely on the encryption those standards are designed to replace.

Your VPN traffic from three years ago is already in someone's archive. The scramble to migrate to post-quantum standards will not reach it.

Why Software Security Is Losing Ground

Every security product deployed in a typical organization operates on the same foundational assumption: that the person or system presenting valid credentials is who they claim to be.

That assumption made sense when credential theft was difficult. It does not hold anymore.

Stolen credentials are now the leading initial attack vector in data breaches, involved in over a third of all incidents according to IBM's 2024 report. The trend has been consistent for years. Once valid credentials are in an attacker's hands, every layer of software-defined security becomes a door, not a wall. The VPN authenticates them. The zero-trust platform grants access based on their role. The SIEM sees normal activity from a known user.

And credentials are everywhere. They live in environment variables, configuration files, build pipelines, and developer environments. The GitHub breach demonstrated that a malicious extension running in a developer's editor can reach every secret that developer's environment contains. The Mercor breach demonstrated that a compromised CI/CD pipeline sweeps credentials from every system that pulls its packages. There is no perimeter around a file system that a running process can access.
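The SIEM blind spot described above, where a login with correct credentials is indistinguishable from the legitimate user, is the case the following added example is written for. It is not code from the original post or from Teleportal: the newline-delimited JSON log format, the field names, the sample events and the 900 km/h travel threshold are all constructed assumptions. The point it shows is that even when the credential is valid, the session still carries behavioural signals (a country or device the account has never used, or a location change too fast to be physical travel) that a per-account baseline can surface.

```python
"""Flagging misuse of *valid* credentials from authentication logs.

Added example (not from the original post or from Teleportal). The log format,
field names, thresholds and every event below are constructed for illustration.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Roughly airliner speed; a faster apparent move between two logins is "impossible travel".
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample log: one JSON auth event per line. Note the failed attempt from RO,
# which must not teach the baseline that RO is a normal location for alice.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:10Z","user":"alice","result":"success","ip":"203.0.113.10","country":"US","lat":37.77,"lon":-122.42,"device":"dev-laptop-01"}
{"ts":"2024-05-02T08:15:44Z","user":"alice","result":"success","ip":"203.0.113.10","country":"US","lat":37.77,"lon":-122.42,"device":"dev-laptop-01"}
{"ts":"2024-05-03T09:01:03Z","user":"alice","result":"success","ip":"203.0.113.11","country":"US","lat":37.77,"lon":-122.42,"device":"dev-laptop-01"}
{"ts":"2024-05-03T22:00:00Z","user":"alice","result":"failure","ip":"198.51.100.7","country":"RO","lat":44.43,"lon":26.10,"device":"unknown-linux"}
{"ts":"2024-05-04T08:45:00Z","user":"alice","result":"success","ip":"203.0.113.10","country":"US","lat":37.77,"lon":-122.42,"device":"dev-laptop-01"}
{"ts":"2024-05-04T09:12:30Z","user":"alice","result":"success","ip":"198.51.100.7","country":"RO","lat":44.43,"lon":26.10,"device":"unknown-linux"}
{"ts":"2024-05-04T09:20:00Z","user":"bob","result":"success","ip":"192.0.2.5","country":"DE","lat":52.52,"lon":13.40,"device":"bob-mac"}
"""


def parse_events(text):
    """Parse newline-delimited JSON auth events; 'ts' becomes a datetime. Returned in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_credential_misuse(log_text):
    """Walk successful logins in time order and compare each one with the account's own
    history so far. Returns a list of (user, iso_timestamp, [signals]) for every login
    that deviates. Failed attempts are skipped so an attacker's probing never becomes baseline.
    An account's very first login has nothing to compare against and is never flagged."""
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    last_login = {}  # user -> most recent successful event
    findings = []
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue
        user = ev["user"]
        signals = []
        if user in last_login:
            if ev["country"] not in seen_countries[user]:
                signals.append("new_country")
            if ev["device"] not in seen_devices[user]:
                signals.append("new_device")
            prev = last_login[user]
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                signals.append("impossible_travel")
        if signals:
            findings.append((user, ev["ts"].isoformat(), signals))
        # Update the baseline only after judging the event against the old one.
        seen_countries[user].add(ev["country"])
        seen_devices[user].add(ev["device"])
        last_login[user] = ev
    return findings


if __name__ == "__main__":
    for user, ts, signals in detect_credential_misuse(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(signals)}")
```

On the sample, every line is a correct password for a real account, and only the fifth successful event is flagged: a new country, a new device, and a jump of roughly 10,000 km in under half an hour. The baseline is deliberately built only from the account's own successful history, which is why the earlier failed attempt from the same source does not launder that location into "normal".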

The deeper issue is that software security products are, by design, software. They run on operating systems that receive updates. They have configuration that can drift. They have codebases that accumulate vulnerabilities. The tools themselves are now targets — and security tools, running with elevated access and handling sensitive credential material, are especially attractive ones.

The Scale Is Not Going Down

There is no version of this trajectory that ends with the software security industry catching up. The economics do not support it.

A defender has to protect every surface, all the time. An attacker has to find one opening, once. AI-powered automation has made that asymmetry more brutal, not less. The cost of conducting a sophisticated attack is falling. The cost of defending against a sophisticated attack is rising. Organizations that were not worth targeting two years ago are now within reach of threat actors who previously only had the resources to pursue high-value targets.

Mid-market companies, healthcare providers, educational institutions, regional MSPs: the organizations that built their security posture around the assumption that they were too small to be worth attacking are now discovering that the calculation has changed.

What Has to Change

The answer is not more software security. Adding another credential-based layer to a credential-dependent architecture does not solve the structural problem. It adds complexity and cost while leaving the underlying weakness in place.

The shift that is happening in the security industry, slowly and unevenly, is a move toward hardware-enforced security at the network layer. Not as a replacement for software security, but as a foundation that does not share its weaknesses.

A network connection secured in hardware, between specific physical devices, using cryptographic keys that exist only in silicon and cannot be extracted, copied, or swept by a compromised process, does not have a credential surface. There are no keys to steal. There is no configuration file to exfiltrate. There is no software daemon to compromise. The connection either exists between those two physical devices or it does not.

This is not a theoretical position. It is the answer to a specific and documented failure mode: the case where every software control has been correctly deployed and correctly configured, and the attacker walks through anyway because they have valid credentials.

The organizations being breached today are not making obvious mistakes. They are operating sophisticated, layered security programs, and they are losing to attackers who have found the layer that all software security shares: the credential.

Removing your network infrastructure from that credential surface is one of the most concrete steps available. The window to do it before the threat environment gets significantly worse is open. It will not stay open.

Teleportal establishes hardware-enforced connectivity between physical devices using cryptographic keys that never leave the hardware. There are no credentials to steal, no configuration to compromise, and no software attack surface on the network path.
