The attacker was already inside when the Monday standup happened. They were there during the Thursday all-hands. They watched the Slack messages. They enumerated the S3 buckets while the security team reviewed last week's alert queue.

Twenty-six days. Average cloud breach dwell time, 2024.

That number should make you uncomfortable. Not in a "we should look into this" way. In a "our entire detection philosophy is wrong" way.

The Lie We've Been Telling Ourselves

Here's the security industry's dirty secret: EDR, SIEM, and GuardDuty were all built for a threat model that no longer exists. They assume attackers bring something foreign into your environment — a malicious binary, a known-bad IP, an anomalous API call pattern. Catch the foreign thing. Stop the breach.

Scattered Spider didn't bring anything foreign. They used a phone call and valid credentials. They moved through the network with PowerShell and the AWS CLI — tools your own admins use every day.…