Inside Microsoft’s Real-Time War Against Cybersecurity Threats

At Black Hat 2025, Microsoft outlined what it takes to outsmart the world’s top-tier hackers.

From dismantling silos to building a real-time threat feedback loop, leaders from Microsoft’s threat intelligence, incident response, and hunting teams revealed how they operate as a unified front to outpace malicious actors like Star Blizzard and Mint Sandstorm. The result is a system built for speed, scale, and precision.

“We know exactly the roles and responsibilities,” said Andrew Rapp, senior director of Microsoft Incident Response. “It’s like we share a central nervous system.”

That level of coordination isn’t accidental; it’s the product of years of refinement, real-world pressure, and a deep culture of practice.

Building muscle memory before the breach

In Microsoft’s world, incident response starts long before an alert goes off. It begins with clearly defined roles, repeated exercises, and hard conversations that many organizations still avoid.

Aarti Borkar, Microsoft’s corporate vice president of Security Customer Success and Incident Response, emphasized that having a plan isn’t enough. Teams must rehearse it until the plan becomes second nature.

“Practice, practice, practice until it’s perfect,” she said. “Have someone come in and do a compromise assessment. Know what decisions you’re going to make before you’re in the middle of a crisis.”

That preparation extends far beyond technical playbooks. Effective teams, she noted, are ready to manage legal, regulatory, and executive decisions under pressure. Microsoft’s teams train for that alignment. The goal is to create what Borkar described as a “well-oiled machine,” where responders act on instinct.

However, that level of coordination remains the exception rather than the norm. Rapp pointed to a common disconnect among companies between planning and execution.

“Only 26% of organizations have an incident response plan and have actually rehearsed it,” he said. “It’s like having a gym membership and never going to the gym.”

Without practice, he added, even the best-laid plans fall apart under pressure.

What Microsoft wants every organization to know

All that preparation pays off the moment an incident begins. When Microsoft gets dropped into an active breach, there’s no time to waste. Threat actors today move faster than ever.

“Dwell time used to be measured in months or even years,” said Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy. This refers to the period between when a threat actor first gains access to a network and when they are detected or removed.

She added: “Now, we’re talking about 72 minutes [of dwell time].”

That urgency demands real-time coordination between intelligence, hunting, and response teams. Microsoft’s internal feedback loop acts like a relay. Threat intelligence analysts like Simeon Kakpovi map the broader adversary landscape, then pass rapid, actionable insights to incident responders.

“We put together a cheat sheet to hand over to these guys,” Kakpovi said. “That lets them cut down how long it takes to find adversary behaviors.”

Sophisticated attackers do their homework. They know who has access, how a network is structured, and what assets matter most. Often, by the time defenders realize what’s happening, the intruder already has the keys to the kingdom. That’s why Microsoft’s teams are trained to think like the enemy.

“Threat actors think in graphs,” DeGrippo said. “Defenders think in lists. You have to think like an attacker to beat one.”

This mindset, combined with relentless preparation and the ability to move at machine speed, is what allows Microsoft to stop threats before they spiral. It’s not just about response. It’s about anticipation, precision, and making sure the adversary never gets a second move.

Microsoft can now leverage AI to reverse engineer software to detect malware without prior knowledge or human intervention. Get the details in the TechRepublic article about Microsoft’s Project Ire.

More Black Hat coverage