165 organisations got hit in the Snowflake breach, and no novel attack was involved: just stolen credentials, no MFA, and nobody watching. The shared responsibility model didn’t fail technically. It failed organisationally. Security wrote the policy. Engineering assumed someone reviewed it. The platform team figured ‘managed’ meant secured. Procurement filed the SOC 2 and called it done. Nobody lied. Nobody was negligent. They just each assumed someone else had it.
Most teams think a WAF in Detection mode is partially protecting them. It isn’t. Here’s what actually happens to requests, why the logs actively mislead, and how organisations end up stuck in Detection mode indefinitely without noticing.