At 8:42am on a Tuesday, a Private Equity client forwarded an email to Black Creek Cybersecurity.
Subject line: “User Account Compromise”
They proceeded to outline the timeline of events and steps taken.
- Account compromised confirmed by Microsoft 2/3/2026 at 3:44:49 PM CST via Azure portal
- Alert notification received 2/3/2026 at 3:46 PM CST
- User account sessions revoked at 3:55 PM CST
- User account disabled at 4:01 PM CST
- Password changed at 4:02 PM CST
The internal IT team had done the right thing. Now the PEG wanted to know:
- Is this contained?
- Is this serious?
- And what do we do next? (Without turning it into a six-figure technology shopping spree)
What follows is a demonstration of what the Black Creek proposition looks like in practice, when your portfolio companies are subscribed to either to our Incident Response Coach or PortfolioProtect service looks like when a breach occurs
(It’s worth pointing out that while this specific incident ended up being a relatively minor event (unlike this more serious and costly $400k incident) it aims to demonstrate the peace of mind BCC clients get by having an expert on call with direct experience managing well over 100 incidents. This support is critical in the early stages of an incident, and is vital in helping with fast, educated decision-making on if and when you do need to bring in forensic or legal experts for deeper understanding.)
Step 1: Calm, Fast Triage
Within minutes of seeing the email chain, BCC responded. No buzzwords. No panic. Just focus.
Seven simple questions were put to the team, the kind that cut straight to the signal in the noise and help to quickly assess both the gravity of the breach and the opportunities to remediate in both the short and longer term:
- Which system(s) triggered the alert, and do you know why?
- Which system or human revoked the session?
- Which system or human disabled the account?
- Did you see any other suspicious activity from other accounts? (Lateral movement is common.)
- Were any mailbox rules created in the impacted account(s)?
- Did any fraudulent emails go out from the user account? If so, how many?
- Can you identify the phishing email the employee clicked? (A redacted version makes a great training tool.)
Notice what’s not in the response?
No recommendation to “immediately deploy three new security platforms.”
No suggestion to “re-architect your cloud estate.”
No mention of re-writing SOPs
Just disciplined triage.
Cyber incidents are about timelines. Who acted? When? What moved? What changed?
If you understand those four things, you can understand 80% of the risk.
In this case, the PEG could quickly see:
- The alert fired within 2 minutes
- The session was revoked within 11 minutes
- The account was disabled within 17 minutes
That’s not negligence. That’s reasonably strong containment.
Now we move from panic to proportion.
Step 2: The PortCoShield Advantage
Here’s where BCC’s proprietary PortCoShieldTM dashboard changes the conversation.
Instead of treating this incident in isolation, BCC and the PEG Cyber Lead pulled up:
- Prior incidents at the PortCo. and across the PEG portfolio
- How the PortCo’s designated “Cyber Lead” responded before
- What remediation decisions were made
- Which investments actually reduced risk
And here’s the uncomfortable part.
A year earlier, another PortCo had a near-identical phishing incident. In the aftermath, they overreacted – approving a costly security tool that didn’t materially reduce phishing exposure. It made everyone feel better, but it didn’t fix the root issue: user awareness and mailbox rule monitoring.
PortCoShieldTM made that pattern visible in seconds.
Without it, the PEG might have been about to repeat the same decision.
This is where independence matters. BCC doesn’t sell technology or earn commissions. The incentive is alignment, not upsell.
So instead of recommending another tool, the advice was simpler:
- Validate mailbox auditing coverage
- Confirm conditional access policies
- Review MFA enforcement gaps
- Reinforce user training using the actual phishing example
Practical essentials. Nothing more.
Step 3: Future Remediation – The Phishing Lesson (with the real screenshot)

The fake email that triggered the incident?
It looked believable. That’s the point.
The key is to leverage the mistake quickly with all employees. Names are best redacted but the implied public shame (“I don’t want to be “that guy”) can be powerful. BCC was able to provide a quick example for how to craft a lesson for all users.
It used:
- A familiar vendor name
- Mild urgency
- A reasonable request
- Recognisable branding elements (colors and fonts)
Not the “Nigerian prince” variety. This is modern phishing, polished and psychologically smart.
BCC recommended redacting and turning that screenshot into a one-page internal learning slide: “This is what fooled us.”
No blame. No finger-pointing.
- Look carefully at sender domains
- Hover over links before clicking
- Be wary of unusual formatting, or urgency around payments or logins
- When in doubt, pause and ask
Employees don’t need a 45-minute cybersecurity lecture.
What actually happened hits harder.
Step 4: What PEGs Really Want to Know
After the triage dust settles, PE leadership will generally ask a couple things:
- Are we exposed elsewhere in the portfolio?
- Are we about to overspend?
PortCoShieldTM helps answer all three.
- No evidence of lateral movement
- No malicious mailbox rules left behind
- Minimal outbound fraud
- Strong containment timeline
So the conclusion wasn’t “buy more tech” or “re-write your processes”
It was:
- Tighten specific policy gaps
- Reinforce awareness
- Standardise response playbooks across PortCos
- Track trends at the PEG level
- Add the incident to the next 3rd Party Cyber Verification Call (3PCV). (A regular session between BCC and the PortCo cyber leads to share learnings).
Measured. Informed. Proportionate.
What This Looks Like in Practice
Cyber support for Private Equity isn’t about being the loudest voice in the room. It’s about being the clearest.
It’s:
- Responding quickly
- Asking the right questions
- Comparing behaviour across the portfolio
- Avoiding expensive overcorrections
- Turning incidents into learning moments
And sometimes, it’s being the uncomfortable truth teller who says:
“You don’t need another platform or process. You need to use the ones you already have properly.”
That’s not always what vendors want to say. But it’s exactly what PEGs need to hear.
Incidents will happen. Phishing isn’t going away.
The difference between chaos and control isn’t necessarily just a bigger stack of tools. It’s experience, independence, and the discipline to focus on what actually matters.
That’s what cyber support should look like in practice.
If you’ve had an incident and need a confidential, no-obligation review, get in touch and we’ll be happy to help.