Defenders Go Rogue... Cybersecurity Pros Who Became Cybercriminals

Jim Leone

11/4/2025, 2 min read

In an industry built on trust, few things are more unsettling than defenders becoming attackers. Yet that’s precisely what U.S. prosecutors allege happened last week when three cybersecurity professionals, people once charged with protecting corporate networks, were indicted for running an extortion campaign alongside the ALPHV/BlackCat ransomware group.

The case reads like a cyber-thriller... incident responders moonlighting as insiders for hire, exploiting their knowledge of investigation workflows, and targeting the very types of organizations they once safeguarded.

The Breach of Trust...

According to the Department of Justice, defendants Ryan Clifford Goldberg and Kevin Tyler Martin, both veterans of cybersecurity firms, used their professional skills and privileged knowledge to infiltrate at least five U.S. companies between May and November 2023. The group allegedly collaborated with the ALPHV/BlackCat ransomware syndicate, which has been responsible for some of the most destructive and sophisticated ransomware operations in recent years.

But what sets this case apart isn’t the malware; it’s the betrayal of professional ethics. These individuals weren’t shadowy hackers operating from the dark web. They were insiders who had passed background checks, attended security conferences, and likely held certifications that implied integrity and trust.

Why It Should Matter...

This story isn’t just about one criminal act; it’s a wake-up call for the entire cybersecurity community.

1. Insider Threat Is Evolving. Traditional insider-threat models focus on disgruntled employees or compromised credentials. But this case represents something deeper: the weaponization of expertise. A skilled defender turned adversary can operate with surgical precision, knowing exactly how SOCs, IR teams, and forensics processes work, and how to evade them.

2. Ethics Are the New Perimeter. In an age of automation, AI-driven detection, and SOAR workflows, it’s easy to forget that cybersecurity still runs on human trust. No tool can detect moral decay. Every SOC, MSP, or MSSP needs to consider not only the technical safeguards but also the human governance that ensures ethical conduct across privileged roles.

3. Oversight Must Extend to the “Trusted.” When your defenders have admin rights, access to customer data, or the ability to manipulate logs, traditional least-privilege models fall short. Continuous auditing of privileged accounts, behavioral analytics, and separation of duties are no longer optional; they’re survival mechanisms.

Lessons for CISOs and SOC Leaders...

The hardest part about insider threats is that they don’t look like threats, until they do. Here are some takeaways:

  • Rotate responsibilities and access. No single person should control detection, response, and logging. Segregate those duties.

  • Establish independent auditing. Use immutable logging and third-party or cross-team reviews to validate that “eyes on glass” are acting ethically.

  • Enforce background checks, and renew them. Integrity can erode over time. Re-screen staff with critical system access every few years.

  • Monitor privileged activity as data, not intent. Correlate anomalies in access times, tool usage, or data pulls with threat intelligence.

  • Invest in culture. Ethics training and transparent leadership communication build accountability in ways policies alone can’t.
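To make the “monitor privileged activity as data, not intent” and “segregate duties” points concrete, here is an added example (not code from the article or from any of the firms or tools it mentions). It builds a small per-user baseline from the first few events in a privileged-activity audit log and then flags later events on three signals: access outside assumed business hours, use of a tool the user has never touched before (a responder suddenly reaching for log administration is a separation-of-duties signal), and a data pull far above the user's median volume. The log lines, user names, tool names, thresholds, and the baseline window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not from the article): one event per line,
# "ISO timestamp,user,tool,bytes_transferred". Users and tool names are hypothetical.
SAMPLE_LOG = """\
2023-06-01T09:12:00,alice,siem_search,1200
2023-06-01T10:40:00,alice,siem_search,800
2023-06-02T11:05:00,alice,edr_console,950
2023-06-03T14:20:00,alice,siem_search,1100
2023-06-05T02:47:00,alice,siem_search,1000
2023-06-06T15:10:00,alice,bulk_export,48000000
2023-06-01T08:30:00,bob,edr_console,500
2023-06-02T09:15:00,bob,edr_console,700
2023-06-03T10:00:00,bob,edr_console,600
2023-06-04T13:45:00,bob,log_admin,300
"""

WORK_HOURS = range(7, 20)   # assumed business hours: 07:00-19:59
VOLUME_FACTOR = 10          # assumed: flag pulls above 10x the user's median bytes


def parse_events(text):
    """Parse the CSV-style log into dicts with a real datetime and int byte count."""
    events = []
    for line in text.strip().splitlines():
        ts, user, tool, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "tool": tool, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user baseline: the set of tools used and the median transfer size."""
    return {"tools": {e["tool"] for e in events},
            "median_bytes": median(e["bytes"] for e in events)}


def check_event(event, baseline):
    """Return the list of reasons this event deviates from the user's baseline."""
    reasons = []
    if event["ts"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    if event["tool"] not in baseline["tools"]:
        reasons.append("unseen_tool")          # possible separation-of-duties breach
    if event["bytes"] > VOLUME_FACTOR * baseline["median_bytes"]:
        reasons.append("volume_outlier")       # unusually large data pull
    return reasons


def detect_anomalies(log_text, baseline_n=3):
    """Build each user's baseline from their first baseline_n events, then score the rest."""
    by_user = defaultdict(list)
    for e in parse_events(log_text):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        if len(evs) <= baseline_n:
            continue                            # not enough history to judge
        baseline = build_baseline(evs[:baseline_n])
        for e in evs[baseline_n:]:
            reasons = check_event(e, baseline)
            if reasons:
                findings.append({"user": user, "ts": e["ts"].isoformat(),
                                 "tool": e["tool"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['tool']:<12} {', '.join(f['reasons'])}")
```

Each finding is a lead for a cross-team reviewer, not a verdict: the point of treating activity as data is that a second party, outside the responder's own chain, sees the 02:47 search, the first-ever bulk export, and the responder reaching for log administration, and asks why. In production the baseline would come from a longer history and the log itself would be written to append-only storage the monitored staff cannot alter.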

This case will likely become a teaching example for cybersecurity programs and CISOs worldwide, a reminder that trust is not a control; it’s an assumption. And assumptions don’t stop breaches.

Organizations often pour millions into tooling, SIEMs, SOARs, MDRs, and XDRs, but overlook the one vector they can’t patch: human motivation. Whether driven by greed, ideology, or opportunity, insider threats will always exploit the gap between access and accountability.

For companies that outsource security operations or rely on managed providers, this event also highlights a critical governance gap: Who watches the watchers?

In cybersecurity, betrayal rarely comes with a warning. But if this case teaches us anything, it’s that transparency, ethics, and layered oversight are just as vital as firewalls and EDRs.

As leaders, we can’t just secure systems... we must secure trust itself.