Note: I wrote this down for myself while going through this course by Leszek Mis.
Assume breach is a practical operating model for modern security operations. The premise is simple: at some point, somewhere in your environment, an attacker will get in. Credentials leak, phishing works, software breaks, and integrations fail. Instead of designing defenses around the hope that prevention holds, assume breach designs detection around the moment it doesn’t. The core question changes from “How do we stop attackers?” to “If someone is already inside, what will they have to do next?”
Once inside, attackers need to perform work. They enumerate the environment, search for credentials, escalate privileges, move laterally, establish persistence, and eventually stage or exfiltrate data. These steps are difficult to complete without leaving traces. Authentication events, process execution, remote administration activity, service creation, scheduled tasks, unusual command lines, and internal network movement all form part of the attacker’s footprint. Assume breach detection focuses on these behaviors rather than fragile indicators like hashes or IP addresses.
For a SOC, this means prioritizing telemetry that exposes attacker workflows: authentication logs, endpoint process creation, parent-child relationships, command-line data, remote execution methods, privilege changes, and internal network connections. Detection logic should focus on suspicious sequences of activity, not single events. Credential reuse across multiple systems, administrative tools running in unusual contexts, remote execution between hosts that rarely communicate, or persistence mechanisms appearing outside maintenance windows are all examples of signals that indicate attacker progress.
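To make the sequence-based logic concrete, here is an added example, not code from the original note or from the course: it runs two such rules over a small set of constructed authentication and remote-execution events, flagging one account reaching several hosts in a short window and remote execution between a host pair outside a known baseline. The event fields, host names, baseline pairs and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original page): authentication and
# remote-execution events already normalised into dicts with an ISO timestamp.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "type": "auth", "user": "svc_backup", "src": "ws-17", "dst": "fs-01"},
    {"ts": "2024-05-01T09:01:10", "type": "auth", "user": "svc_backup", "src": "ws-17", "dst": "fs-02"},
    {"ts": "2024-05-01T09:02:40", "type": "auth", "user": "svc_backup", "src": "ws-17", "dst": "dc-01"},
    {"ts": "2024-05-01T09:03:15", "type": "remote_exec", "user": "svc_backup", "src": "ws-17", "dst": "dc-01"},
    {"ts": "2024-05-01T10:30:00", "type": "auth", "user": "alice", "src": "ws-03", "dst": "fs-01"},
    {"ts": "2024-05-01T14:00:00", "type": "remote_exec", "user": "ops_admin", "src": "jump-01", "dst": "fs-01"},
]

# Hypothetical baseline of (src, dst) pairs that normally exchange remote-execution traffic.
KNOWN_REMOTE_EXEC_PAIRS = {("jump-01", "fs-01"), ("jump-01", "fs-02"), ("jump-01", "dc-01")}


def parse(ts):
    return datetime.fromisoformat(ts)


def credential_reuse(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag an account that authenticates to >= min_hosts distinct hosts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth":
            by_user[e["user"]].append((parse(e["ts"]), e["dst"]))
    alerts = []
    for user, auths in by_user.items():
        auths.sort()  # sliding window over the account's authentications in time order
        for i, (t0, _) in enumerate(auths):
            hosts = {dst for t, dst in auths[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "credential_reuse", "user": user, "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


def unusual_remote_exec(events, baseline=KNOWN_REMOTE_EXEC_PAIRS):
    """Flag remote execution between a host pair that is not in the observed baseline."""
    return [{"rule": "unusual_remote_exec", "user": e["user"], "pair": (e["src"], e["dst"])}
            for e in events if e["type"] == "remote_exec" and (e["src"], e["dst"]) not in baseline]


def detect(events):
    """Run both rules and return the combined list of alerts."""
    return credential_reuse(events) + unusual_remote_exec(events)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither rule fires on a single event; the first needs the account's authentications correlated over time, and the second needs a baseline built from the environment's own telemetry.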
Threat hunting becomes much more focused under this model. Instead of searching for malware artifacts, hunters test hypotheses about post-compromise activity. If an attacker controlled a workstation today, how would they enumerate the domain? How would they obtain credentials? How would they move laterally? Hunting then looks for evidence of those behaviors in real telemetry. The goal is not simply to find malware, but to detect the operational steps an adversary must take to expand access.
The success metric for assume breach is straightforward: how long can an attacker operate before the SOC sees them? If lateral movement, credential abuse, or persistence attempts trigger detections quickly, the defensive model is working. If an attacker can move for days without generating signals, the SOC has visibility gaps.