How APT28's DNS Hijacking Campaign Targets Your Identity Fabric and Why Remote First Security Tools like WatchGuard’s FireCloud SASE are Foundational to Proactive Defense

Every article I have written so far this year has drawn the same conclusion: identity is everything now. The ShinyHunters and APT28 campaigns we analyzed earlier this year proved that adversaries do not break through your firewall anymore; they walk through your front door using stolen identities. Now APT28 has added a new dimension to its playbook: compromising the consumer and prosumer routers and edge devices in your clients' hallways, so it can sit in front of your identity fabric and exfiltrate data before your controls ever see the threat. Treat this article as a field report from the front lines of proactive defense and use it to make your case to change your remote work strategy today.


Executive Summary

In early April 2026, the U.S. Department of Justice, FBI, UK National Cyber Security Centre (NCSC), and intelligence partners from 15 nations jointly exposed a large-scale campaign by Russia's GRU military intelligence unit APT28, also known as Forest Blizzard and Fancy Bear, to compromise thousands of home and small office routers worldwide. They did not deploy malware. Instead, they exploited known vulnerabilities in TP-Link and MikroTik consumer routers to silently rewrite DNS and DHCP settings, routing every downstream device's DNS queries through Kremlin-controlled name servers. From that position, they intercepted authentication tokens, passwords, and emails from employees in government, military, critical infrastructure, and enterprise organizations, all without the victims or their IT teams ever seeing an alert.

The FBI responded with a court-authorized disruption called Operation Masquerade, sending commands to compromised U.S. routers to collect forensic evidence, erase APT28's DNS foothold, and restore legitimate settings. At its peak in December 2025, the campaign had ensnared more than 18,000 routers across more than 23 U.S. states, with Microsoft identifying over 200 impacted organizations and 5,000 consumer devices.

For MSPs and SMBs, the lesson here is that the router in your remote worker's home is now a part of your attack surface. It sits in front of your identity fabric, your VPN, your Zero Trust policies, and your MFA enforcement. If APT28 controls the DNS, they control the path to your identity layer, even if every other control in your stack is perfectly configured.

This analysis dissects the campaign through the lens of identity-centric security, explains why perimeter-only and even identity-only thinking is insufficient without securing the network path, and spotlights how WatchGuard FireCloud Total Access SASE and the WatchGuard Zero Trust Bundle deliver the unified, identity-aware, DNS-secured access fabric that neutralizes this class of attack for MSPs and SMBs of every size.

Key Takeaways:

  • SOHO routers are now a Tier 1 attack surface. APT28 treated consumer routers as passive espionage sensors, exploiting known vulnerabilities to quietly hijack DNS and intercept credentials and OAuth tokens at scale.

  • DNS is a kill chain entry point. Once DNS is compromised at the router level, every downstream device inherits the malicious resolvers, which lets the adversary get underneath MFA enforcement and session protections that operate above the network layer unless contextual access controls are in place.

  • Operation Masquerade was disruption, not a cure. The FBI's court-authorized cleanup reset DNS on affected U.S. routers, but the underlying vulnerabilities remain in millions of deployed devices globally, most of which you have no control over.

  • WatchGuard FireCloud Total Access SASE directly severs the attack chain. By establishing encrypted, identity-aware tunnels from endpoint to cloud, FireCloud bypasses compromised router DNS entirely and enforces consistent web, threat, and access policies regardless of local network state.

  • The WatchGuard Zero Trust Bundle operationalizes the Identity Fabric. AuthPoint, Endpoint Security, FireCloud, and ThreatSync together deliver the continuous identity posture, device integrity, DNS security, and XDR correlation that my ZTIA model demands.

  • MSPs can package this into a differentiated, recurring service. "Remote Workforce Identity Fabric" built on the Zero Trust Bundle is not a product sale; it is a strategic outcome that clients can feel and measure every day.


Understanding the Campaign: What APT28 Actually Did

Who Is Behind This

APT28 is GRU Military Unit 26165, also formally designated as the 85th Main Special Service Centre of Russia's General Staff Main Intelligence Directorate. This is the same group that allegedly interfered with the 2016 U.S. elections. The group is tracked under multiple aliases across the industry: Forest Blizzard (Microsoft), Fancy Bear (CrowdStrike), Sofacy Group (Kaspersky), Pawn Storm, and Sednit.

The intelligence community assesses with high confidence that APT28 is "almost certainly" an arm of Russian military intelligence, acting in pursuit of Russian government geopolitical objectives.

The Technical Attack Chain

APT28 did not need sophisticated zero-day exploits for this campaign. They exploited commonly known vulnerabilities in mass-deployed, unmanaged consumer hardware.

Stage 1: Initial Access via Router Exploitation

The primary documented exploitation method was CVE-2023-50224, an authentication bypass vulnerability in the TP-Link TL-WR841N router. CVE-2023-50224 carries a CVSS score of 6.5 and allows an unauthenticated adversary to extract stored credentials from the router via specially crafted HTTP GET requests. Additional TP-Link models and MikroTik devices were also targeted, often through different publicly documented vulnerabilities, and the same adversaries used default or weak credentials where patching had not occurred. The lesson is that older or lower-scored vulnerabilities are not something to overlook: on an unmanaged edge device they are exactly what gets exploited, so plan for them proactively.

Stage 2: DNS and DHCP Poisoning

Having obtained router credentials, APT28 sent a second HTTP GET request to rewrite the router's DHCP DNS settings. The primary DNS server was replaced with an adversary-controlled IP address, while the secondary was often left as the original primary, providing failover that kept the connection looking normal. In cases where a router had been exploited multiple times, both entries were overwritten.

Because DHCP propagates DNS settings to every device on the local network, every laptop, phone, and tablet connected to that router automatically inherited malicious resolvers without any action by the user.

Stage 3: Selective AiTM Traffic Interception

The adversaries deployed an automated filtering process in their DNS infrastructure. DNS requests for names matching key terms associated with email applications, login pages, and authentication services, including Microsoft Outlook Web Access and OAuth flows, were resolved to adversary-controlled IP addresses. All other queries were answered with the legitimate addresses to maintain the appearance of normal operation and avoid detection.

For selected targets, the GRU's DNS resolvers provided fraudulent DNS answers that enabled adversary-in-the-middle attacks against encrypted TLS connections. Users who clicked through browser certificate warnings, which many users do habitually, had their authentication traffic fully intercepted. Passwords, OAuth tokens, session cookies, and email content were harvested without any malware ever touching an endpoint.

Stage 4: Credential Harvesting and Escalation

Microsoft observed Forest Blizzard specifically targeting Microsoft Outlook on the Web domains, intercepting authentication tokens that were issued after MFA had already been completed. Because those tokens are issued only after successful authentication, the adversaries gained direct access to victim accounts without needing to phish credentials or one-time codes. The harvested tokens could then be replayed against legitimate Microsoft services, giving them persistent access.

Microsoft noted that while targeting SOHO devices is not a new tactic, this is the first time Forest Blizzard has been observed using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.

The Scale and Scope

This campaign operated at a scale that demands serious attention from business leaders and security professionals:

  • 18,000+ routers were ensnared at the peak of activity surfaced in December 2025

  • More than 23 U.S. states had compromised routers identified by the FBI

  • Over 200 organizations and 5,000 consumer devices were directly impacted per Microsoft

  • Victims spanned government, military, telecom, IT, energy, and critical infrastructure globally

  • At least three government organizations in Africa were confirmed as data exfiltration targets

Black Lotus Labs Security Engineer Ryan English described the operational elegance of the approach directly: "Everyone is looking for some sophisticated malware to drop something on your mobile devices or something. These guys didn't use malware. They did this in an old-school, graybeard way that isn't really sexy, but it gets the job done."

MITRE ATT&CK Mapping (Stage | Technique | ATT&CK ID)

  • Resource Development | Acquire Infrastructure: DNS Server, Virtual Private Server | T1583.002, T1583.003

  • Resource Development | Compromise Infrastructure: Network Devices; Obtain Capabilities: Vulnerabilities | T1584.008, T1588.006

  • Initial Access | Exploit Public-Facing Application (router management interface) | T1190

  • Persistence | Rewrite of router DHCP/DNS configuration (Data Manipulation; Compromise Infrastructure) | T1565, T1584

  • Collection / AiTM | Adversary-in-the-Middle | T1557

  • Credential Access | Steal Web Session Cookie; Steal Application Access Token | T1539, T1528

  • Command and Control | Application Layer Protocol: DNS | T1071.004


Why This Campaign Succeeds: The Identity Fabric Is Exposed at the Network Path

The Problem Perimeter Thinking Cannot Solve

Traditional security models assume a clear inside and outside. Firewalls, VPNs, and NAC systems enforce that boundary at the corporate network edge. But when a remote worker connects from home, the "perimeter" is now a $60-$250 consumer or prosumer router that the organization did not procure, does not patch, has never inventoried, and cannot truly manage.

As Forescout Vice President of Security Intelligence Rik Ferguson stated in response to this campaign, routers present a highly attractive foothold for adversaries because they sit at the network edge, generally face the public internet, and are easily overlooked once deployed. "Many of the weaknesses we see come from familiar, measurable issues like outdated software components, slow patching cycles, weak credentials, exposed management interfaces, and long lifespans that extend well beyond vendor support."

Why Identity Controls Are Not Enough in Isolation

This point matters critically for everyone who has invested in Identity Fabric and ZTIA maturity. Your identity provider, your MFA policies, your ITDR alerting, and your conditional access rules all operate above the network layer. They assume the DNS resolution layer beneath them is trustworthy.

When APT28 compromises a home router, they move the attack to a layer that your identity and other security controls cannot see until it is too late. Consider what happens in a standard remote authentication flow when DNS has been poisoned:

  1. The remote worker opens their browser and navigates to login.microsoft.com.

  2. The browser sends a DNS query to resolve that name.

  3. The router's modified settings send that query to an APT28-controlled VPS instead of a legitimate resolver.

  4. The VPS returns a fraudulent IP address pointing to an AiTM proxy or lookalike portal.

  5. The user authenticates. MFA completes. The adversary captures the resulting OAuth token in transit.

  6. Your identity provider logs a successful authentication from a legitimate user. No alert fires.

Your Entra ID sees a legitimate authentication event. Your ITDR sees a valid token issuance. Your ZTNA sees a compliant device requesting access. The attack has already succeeded before any of your controls had the opportunity to respond.

This is not a failure of identity controls; it is a failure to secure the path to those controls. The Identity Fabric, as described in the prior articles on my blog, must extend to the access path itself, not just to what happens during and after authentication succeeds.
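The poisoned flow above can be checked from the endpoint side: query the DHCP-supplied resolver and a trusted resolver directly for the authentication hostnames an AiTM operator would redirect (Stage 3), and flag names whose answers have nothing in common. The script below is an added example written for this article, not code from WatchGuard, Microsoft or any agency cited here. The hostname list, the trusted resolver address and every IP address in it are assumed values; it speaks raw DNS over UDP so it is not influenced by the operating system's resolver configuration.

```python
"""Compare DNS answers for authentication hostnames from the DHCP-supplied
resolver against a trusted resolver, to surface router-level DNS hijacking.

Added example for this article; not vendor or agency code. Hostnames and
addresses are assumed/constructed for the demonstration.
"""
import random
import socket
import struct
import sys

# Hostnames a selective AiTM resolver would redirect (assumed list).
AUTH_HOSTNAMES = [
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
]


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list[str]:
    """Extract A-record addresses from a DNS response, checking the transaction id."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query_a(resolver_ip: str, name: str, timeout: float = 2.0) -> list[str]:
    """Send the query straight to `resolver_ip` on UDP/53, bypassing the OS resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent(dhcp_answers: dict, trusted_answers: dict) -> dict:
    """Names whose DHCP-resolver answer shares no address with the trusted answer.

    A disjoint answer set is a signal, not proof: large identity providers return
    geo- and load-dependent addresses, so confirm the DHCP answer against the
    provider's published ranges before treating it as a hijack.
    """
    divergent = {}
    for name, dhcp in dhcp_answers.items():
        trusted = set(trusted_answers.get(name, []))
        if dhcp and trusted and trusted.isdisjoint(dhcp):
            divergent[name] = sorted(dhcp)
    return divergent


if __name__ == "__main__":
    # Usage: python dns_divergence.py <dhcp-resolver-ip> <trusted-resolver-ip>
    dhcp_ip, trusted_ip = sys.argv[1], sys.argv[2]
    dhcp = {n: query_a(dhcp_ip, n) for n in AUTH_HOSTNAMES}
    trusted = {n: query_a(trusted_ip, n) for n in AUTH_HOSTNAMES}
    for name, addrs in find_divergent(dhcp, trusted).items():
        print(f"DIVERGENT {name}: dhcp={addrs} trusted={trusted[name]}")
```

Run it with the address the router handed out via DHCP as the first argument and an organizational or known-public resolver as the second. A divergent answer that resolves to a VPS or residential range rather than the provider's published address space is the pattern described in Stage 3; a divergent answer that is still inside the provider's ranges is ordinary CDN behavior.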

The Business Continuity Blind Spot Returns

Organizations that have followed this series now understand that business continuity must be part of identity architecture design. The SOHO router campaign adds a new dimension to that requirement: your remote work access policies must include provisions for untrusted network environments. If employees working remotely represent a meaningful portion of your workforce, their home networks and any other network they connect from are implicitly part of your security posture whether you govern them or not.

The question is not whether you trust those networks. Zero Trust dictates that you should not. The question shifts to whether your architecture has been designed to treat every remote network as an untrusted transport provider of your business data. In 2026, that assumption is not paranoia. It is documented doctrine of Russian military intelligence.


Vendor Spotlight:

WatchGuard FireCloud Total Access SASE

An Untrusted Router Requires Zero Trust Overlays

The solution to a compromised home router or ungoverned remote network is not to take control of the in-place infrastructure. In most cases that is operationally and legally impractical for an MSP or for the employers MSPs serve. The path forward is to build a trusted access overlay that renders the router and the network irrelevant to the security posture of the connection.

This is what WatchGuard's FireCloud Total Access SASE is designed to do.

Launched in September 2025, FireCloud Total Access is the first hybrid SASE that unifies Zero Trust Network Access, Firewall-as-a-Service, and Secure Web Gateway into a single cloud-managed platform purpose-built for MSPs and lean IT teams. It replaces the legacy VPN model with per-session, identity- and device-aware access, and delivers consistent policy enforcement to every user regardless of which network they are sitting on.

How FireCloud Breaks the APT28 Kill Chain

Problem: DNS is poisoned at the router level.

FireCloud solution: The FireCloud agent on the endpoint establishes an encrypted tunnel to WatchGuard's cloud security stack as the primary path for protected traffic. DNS queries for governed destinations are resolved through FireCloud's own secure resolvers, not the router's DHCP-provided DNS configuration. The compromised router's fraudulent DNS settings become operationally irrelevant for all traffic flowing through the FireCloud overlay.

Problem: AiTM proxies intercept TLS sessions during authentication.

FireCloud solution: FireCloud Total Access deploys AI-powered Firewall-as-a-Service that includes DNS security, intrusion prevention, sandboxing, and AI-driven threat detection through APT Blocker and Gateway Antivirus. The Secure Web Gateway enforces URL filtering and performs TLS inspection in the cloud, allowing security teams to detect and block lookalike authentication portals and AiTM infrastructure even when the local router has been subverted.

Problem: Users click through certificate warnings, enabling full traffic decryption.

FireCloud solution: The SWG layer issues and validates certificates for inspected traffic through WatchGuard's managed cloud infrastructure, removing the operational burden of certificate management from MSPs while applying consistent inspection policy to encrypted sessions from whatever network the device is connected to.

Problem: Remote workers have broad network access via legacy VPN, amplifying breach impact.

FireCloud solution: FireCloud Total Access replaces full-tunnel VPN access with Zero Trust Network Access, granting per-session, per-application access based on verified identity and current device posture. Even if an access session were somehow hijacked upstream, the adversary would find it scoped to specific applications rather than providing the broad network entry a legacy VPN credential would. One caveat a practitioner should keep in mind: a SaaS token stolen in an AiTM flow remains valid at the SaaS provider until it is revoked, so ZTNA limits the blast radius inside your environment but does not replace revoking sessions at the identity provider.

FireCloud By the Numbers: What MSPs Get

  1. ZTNA | Provides Per-app, per-session access vs. full network VPN, which limits blast radius even if token is compromised.

  2. FWaaS with DNS Security | Provides Cloud-delivered DNS inspection and blocking, which bypasses router-level DNS poisoning.

  3. AI-Powered IPS + APT Blocker | Detects advanced threats in real time, which catches AiTM proxy patterns and C2 traffic.

  4. Secure Web Gateway + TLS Inspection | Filters and decrypts web traffic for full content inspection, which provides deep Layer 7 protections without having to manage inspection certificates.

  5. AuthPoint Integration | MFA/SSO tied to access decisions, which adds identity context to every session.

  6. ThreatSync XDR | Correlates identity, endpoint, and network signals, which surfaces anomalous authentication patterns and responds and contains automatically based on your automation rules.

  7. WatchGuard Cloud | Single-pane multi-tenant management, which scales Zero Trust deployment across all clients with unified products and a single operational model.

"Remote work and hybrid networks are now permanent, and organizations need a simpler way to enforce Zero Trust while protecting users everywhere," said Andrew Young, Chief Product Officer at WatchGuard. "FireCloud Total Access enables MSPs and lean IT teams to deploy in hours, apply consistent policies from WatchGuard Cloud, and replace traditional, full network access VPNs with per-application, identity-based access."


The Strategic Play:

WatchGuard Zero Trust Bundle

Beyond FireCloud: The WatchGuard Zero Trust Bundle

FireCloud Total Access addresses the network access and DNS security gap directly. But the complete answer to the APT28 campaign, and to the broader Identity Fabric and ZTIA model, requires closing identity posture, device integrity, dark web credential exposure, and XDR correlation simultaneously. This is the design intent of the WatchGuard Zero Trust Bundle.

Launched in December 2025, the Zero Trust Bundle integrates identity security, endpoint protection, secure access, and unified threat detection under simplified licensing models and a Zero Trust Control Plane managed through WatchGuard Cloud. It replaces WatchGuard's legacy Passport solution and delivers a scalable, operationally light Zero Trust architecture that is practical for organizations of every size.

What Is Inside the Bundle

  1. Total Identity Security with AuthPoint

    AuthPoint provides adaptive MFA, SSO, risk scoring, and Dark Web Credential Monitoring. The Dark Web Credential Monitoring component is particularly relevant to the APT28 campaign: if harvested credentials from compromised sessions appear on dark web markets, AuthPoint can identify the exposure and trigger risk-based access decisions before adversaries can leverage stolen data against additional targets. AuthPoint's risk scoring feeds directly into FireCloud's access decisions, so an identity that presents elevated risk signals can face step-up verification or, where policy dictates, access restrictions in real time.

  2. Endpoint Protection, Detection, and Response with WatchGuard Endpoint Security

    WatchGuard's Endpoint Security provides continuous device health validation and automated threat prevention with Zero-Trust Application Control. Before any endpoint is permitted access through FireCloud's ZTNA layer, its posture is continuously evaluated. A device with outdated security software, a compromised registry, or unauthorized applications running can be denied access or quarantined before it touches any protected application or service. This device identity layer is one of the five identity categories that a mature Identity Fabric must govern, and WatchGuard's Endpoint Security is the anchor for it.

  3. FireCloud Total Access

    As detailed in the product spotlight above, FireCloud provides the ZTNA, FWaaS, SWG, and DNS security that neutralizes the APT28 attack chain at the network path, and it reduces the attack surface further with conditional access rules.

  4. Dark Web Credential Monitoring

    An enhancement embedded within the Total Identity Security component, this capability monitors dark web markets and breach databases for credentials associated with your organization. In a world where APT28 harvests tokens at scale and selectively weaponizes them against high-value targets, early detection of exposed credentials provides an additional proactive defensive layer before those credentials can be replayed against your stacks.

  5. ThreatSync XDR and the Zero Trust Control Plane

    ThreatSync is WatchGuard's AI-powered XDR engine that draws telemetry from AuthPoint, Endpoint Security, FireCloud, and WatchGuard's network security stack to identify suspicious behavioral patterns and automate containment. For the APT28 campaign, this means:

  • An authentication event from an unusual geography can be correlated with a device health check that shows the endpoint is on an unknown network segment.

  • A spike in DNS requests to newly registered domains can trigger an alert tied to a specific user identity and endpoint.

  • A token that is being replayed from an IP address inconsistent with the authenticated user's device can trigger automated session revocation before lateral movement begins.

This is ITDR behavior made operational at MSP scale, not as a standalone enterprise tool, but as a built-in capability of a unified platform under a simplified subscription or term license.
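The third bullet above (a token replayed from an address inconsistent with the device it was issued to) and the impossible-travel pattern behind the first can be expressed as two small correlation rules over sign-in telemetry. The script below is an added example written for this article; it is not ThreatSync logic or any WatchGuard code. The event records, the field names (`token_id`, `kind`), the coordinates and the 900 km/h threshold are all constructed or assumed for the demonstration.

```python
"""Two ITDR-style correlations over sign-in / token-use events:
(a) token replay: a token presented from an IP other than the one it was issued to;
(b) impossible travel: consecutive events for one user implying a speed no
    traveller could reach.

Added example for this article; not ThreatSync or WatchGuard code. The events
and field names below are constructed/assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed (assumed threshold)
MIN_DISTANCE_KM = 50.0      # ignore small jumps caused by coarse IP geolocation


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time, UTC
    user: str
    ip: str
    token_id: str     # opaque session / refresh-token identifier (assumed field)
    kind: str         # "issue" when minted after MFA, "use" when presented later
    lat: float        # geolocation of `ip` (assumed to come from an IP-geo lookup)
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def token_replay(events):
    """(user, token_id, issued_from_ip, used_from_ip) for tokens used off the issuing IP."""
    issued, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "issue":
            issued[e.token_id] = e
        elif e.kind == "use" and e.token_id in issued and issued[e.token_id].ip != e.ip:
            alerts.append((e.user, e.token_id, issued[e.token_id].ip, e.ip))
    return alerts


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """(user, prev_ip, ip, km, km_per_hour) for consecutive per-user events that are too fast."""
    last_seen, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append((e.user, prev.ip, e.ip, round(km), round(speed)))
        last_seen[e.user] = e
    return alerts


def _t(h: int, m: int) -> datetime:
    return datetime(2026, 4, 7, h, m, tzinfo=timezone.utc)   # constructed date


# Constructed telemetry: alice's token is minted on her home connection (Denver)
# and presented five minutes later from a VPS geolocated to Frankfurt; bob and
# carol behave normally (carol drives Chicago -> Milwaukee in 90 minutes).
SAMPLE_EVENTS = [
    Event(_t(9, 0),  "alice", "198.51.100.7",  "T1", "issue", 39.7392, -104.9903),
    Event(_t(9, 5),  "alice", "203.0.113.44",  "T1", "use",   50.1109,    8.6821),
    Event(_t(10, 0), "bob",   "192.0.2.10",    "T2", "issue", 30.2672,  -97.7431),
    Event(_t(10, 30), "bob",  "192.0.2.10",    "T2", "use",   30.2672,  -97.7431),
    Event(_t(11, 0), "carol", "198.51.100.20", "T3", "issue", 41.8781,  -87.6298),
    Event(_t(12, 30), "carol", "198.51.100.21", "T4", "issue", 43.0389, -87.9065),
]


def run(events=SAMPLE_EVENTS) -> dict:
    return {"token_replay": token_replay(events), "impossible_travel": impossible_travel(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(rule, hit)
```

The replay rule is the one that catches the campaign's core move, because an AiTM-harvested token is presented from the adversary's infrastructure, not from the device that completed MFA. Treat the speed rule as supporting evidence only; mobile and VPN egress geolocation is coarse, which is why small jumps are ignored.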

Mapping the Zero Trust Bundle to Identity Fabric Pillars

The five-pillar Identity Fabric model from the Beyond Passwordless article on my blog maps cleanly to the Zero Trust Bundle's capabilities:

  1. Identity Governance and Administration (IGA)

    AuthPoint SSO and MFA with directory integration; access lifecycle tied to identity risk scoring

  2. Privileged Access Management (PAM)

    ZTNA scopes access per-session per-application; Endpoint Security controls application execution on endpoints

  3. Identity Threat Detection and Response (ITDR)

    ThreatSync XDR correlates identity, endpoint, and network signals; AuthPoint risk scoring triggers adaptive responses

  4. Device Identity and Integrity

    Endpoint Security provides continuous device health validation as a condition of ZTNA access

  5. Agentic AI and Non-Human Identities

    ThreatSync NDR (an upsell to XDR) can surface identities not attached to humans, correlate signals from the various sources, and flag anomalies for automated or manual response based on your automation rules

The Zero Trust Bundle does not replace your broader Identity Fabric strategy. It is an operational foundation that makes ZTIA principles executable for organizations that do not have a 30-person identity engineering team. It is the "Identity Fabric out of the box" that MSPs can deploy, manage, and report on under a single platform, today.


Operationalizing the Defense:

What Can Be Done Right Now

For Technical Security Leaders

These are the immediate actions that matter most given the confirmed APT28 campaign:

  1. Inventory your remote worker router landscape. You likely do not know which models your clients/employees are running at home. Start there. Survey home router models in use. Cross-reference against NCSC and FBI indicators of compromise.

  2. Verify DNS settings on managed endpoints. Check that managed laptops are not relying solely on DHCP-provided DNS from home routers for sensitive application resolution. Consider forcing DNS-over-HTTPS or pinning to organizational resolvers on managed devices as an interim measure.

  3. PoC and Deploy FireCloud Total Access to remote workers. This is the architectural fix, not just a compensating control. FireCloud removes the dependency on home router DNS for all protected traffic and applies consistent FWaaS and SWG policy to your endpoints.

  4. Enable Dark Web Credential Monitoring. Given the confirmed token and credential harvesting at scale, assume some percentage of your users' credentials are already circulating. AuthPoint's monitoring capability gives you early warning.

  5. Review and expand ITDR detection coverage. ThreatSync should be configured to correlate authentication anomalies, including impossible travel, new device sign-ins, and token reuse from unexpected IP addresses, with endpoint posture signals from Endpoint Security.

  6. Conduct a tabletop exercise scoped to DNS hijacking. Simulate a scenario in which a remote worker's home router has been compromised and DNS has been poisoned. Walk through your detection, containment, identity revocation, and communication procedures. Most incident response playbooks have never addressed this specific attack vector since the affected device is out of managed scope.

For MSP Business Leaders and Solution Architects

The APT28 router campaign is a market moment. Remote work is permanent. Consumer router risk is documented, confirmed, and now publicly disclosed by the U.S., U.K. and partner governments simultaneously. Your clients may already be exposed, and most of them do not know it yet. That is a service opportunity with an urgent timeline.

Consider how you position this:

  • Lead with the risk briefing, not the product pitch. A 30-minute "Remote Work Risk Briefing" that shows a client how a $60 TP-Link router can silently intercept their Microsoft 365 credentials is a far more compelling door-opener than a slide deck on SASE features.

  • Package FireCloud and the Zero Trust Bundle as a "Secure Everywhere Access" managed service. Unified subscription pricing aligns with recurring revenue models. WatchGuard's multi-tenant WatchGuard Cloud simplifies policy management across your entire client base.

  • Differentiate on identity outcomes, not just technology. Clients who have already invested in Microsoft Entra and MFA will be receptive to a conversation about why those controls alone are insufficient when the DNS layer beneath them is compromised. This is the conversation that positions you as a strategic advisor, not a vendor or solution provider.

For Business Owners and Executive Leaders

Here is what you need to understand without needing to know the technical details:

Your employees who work from home are connecting to your company's systems through internet routers that you did not buy, do not control, and have never checked. Russian military hackers have been quietly compromising thousands of those routers and using them to silently steal the usernames, passwords, and login tokens that your employees use to access Microsoft 365, your email, your business systems, and your sensitive files.

The FBI stepped in and cleaned up thousands of affected U.S. routers in April 2026. But the vulnerability that made those routers targets has not gone away. And the adversaries are not going away either.

The protection your business needs does not require replacing every employee's home router. It requires software that, when installed on your employees' work devices, creates a secure, monitored connection directly to your business systems that does not depend on the home router being safe. That is what WatchGuard FireCloud does. Combined with strong identity verification and endpoint security, it is the practical, affordable answer for businesses of every size.

Ask your IT team or MSP: are our remote workers protected if their home router is compromised? If the answer is not a confident yes, that conversation needs to happen today.


Our Paths Forward

For Technical Leaders:

Schedule an architecture workshop with your trusted advisors to map your current remote access design against the APT28 threat model and identify gaps. They should be able to show you exactly where your current controls would and would not have caught this attack, and design a FireCloud-anchored Zero Trust access architecture scoped to your environment.

For SMB Owners and Executives:

Request a Remote Work Risk Briefing from your MSP or IT team. They should show you how this specific attack works in plain language, what it would mean for your business, and what it costs to prevent it.

For MSPs and Security Service Providers:
Talk with your advisors about how to build and package a "Remote Workforce Identity Fabric" managed service using the WatchGuard Zero Trust Bundle. They should help you design the offer, scope the pricing, and position the conversation so that it leads with client outcomes rather than product features. Pax8's Security Solutions Consultants can get you the information you need to move forward.

Forward Unto Dawn.

Michael Carter II


About the Author

Michael Carter II leads identity, network, and endpoint security initiatives as a Sr. Solutions Engineer and serves as CEO of Nomaden Limited, parent company of Nomaden Technologies and Nomaden Studios, a Colorado-based cybersecurity consulting and multimedia firm. He specializes in helping MSPs and enterprises design identity-centric security architectures and Zero Trust programs that are practical, outcome-driven, and built to survive the adversarial conditions that exist in 2026. Carter has an unwavering mission: to Secure All of Our Futures, Together.

This article is part of an ongoing thought leadership series on Identity Fabric and Zero Trust Identity Administration. Previous articles explored ShinyHunters and APT28's identity exploits, and the architectural blueprint for Identity Fabric and ZTIA.

Connect with Carter on LinkedIn to discuss identity-centric defense strategies, WatchGuard solutions, and how you can turn these security strategies into client outcomes.
