Redesigning security through white-hat hacking
Unlocking cyber resilience for sustainable growth
Article | 2025-12-17 | 12 minute read
“If you think you haven’t been hit by a cyberattack yet, chances are you just haven’t noticed.”
As data and AI become core sources of competitive advantage, cybersecurity has now emerged as a central management priority. Cyberattacks are evolving at a speed and level of sophistication that exceed our imagination, and the misuse of AI continues to generate new types of threats. Under such conditions, relying on conventional, incremental approaches makes it extremely difficult to fully protect corporate assets, trust, and long-term growth.
So how should companies redesign their security? Much like a medical health check, an objective, outside-in assessment helps any organization understand where it stands today and chart a realistic path toward where it needs to be tomorrow. The purpose of redesigning security is not simply to shield systems from attacks, but to strengthen “cyber resilience”: the ability to maintain business continuity and recover quickly, on the assumption that intrusions will occur.
This article is based on insights gained from conducting white-hat hacking engagements for more than 200 Japanese companies before I joined Uvance Wayfinders. These experiences inform an overview of the current state of Japanese enterprises, countermeasures for each phase of a cyberattack, approaches to effective security investment, and security governance for global operations. I hope this will provide insights that help organizations protect their future and open the door to sustainable growth.
Section 1: Closing critical security gaps
The more businesses harness data and AI, the more they face a paradox: innovation amplifies exposure to cyber risk. As system integration expands across business units and external partners, not only does the likelihood of attack grow, but the potential damage also becomes more severe. Given the new challenges of the AI era, companies must look beyond traditional protection and build organizations capable of withstanding and recovering from disruption.
What it comes down to is this: attackers routinely use AI, so defenders must also fight back with AI. Malicious AI-driven attacks such as phishing, malware creation and manipulation, and internal data harvesting are becoming broader, more precise, and more sophisticated. Once inside, AI can instantly search millions of files and locate passwords with ease.
To counter these evolving threats, AI for security monitoring, detection, incident response, and threat hunting is becoming increasingly important. At the same time, organizations must reinforce their systems and training on the assumption that intrusions will occur.
Specifically, there are several foundational measures to take, which include implementing a CSF (Cybersecurity Framework), deploying solutions like EDR (Endpoint Detection and Response), conducting vulnerability assessments, and establishing a SOC (Security Operations Center) and a CSIRT (Computer Security Incident Response Team) for 24/7 monitoring. On top of these, organizations must layer AI-driven defenses through holistic redesign to keep pace with adversaries who are already automating their attacks (see Figure 1).
Figure 1. Source: Fujitsu
From our experience as white-hat hackers (*1) across more than 200 Japanese companies, a common pattern has emerged: “Strong perimeter defense, weak post-intrusion resilience.” Many organizations have invested heavily in preventing intrusions, but far fewer have prepared for what happens after an attacker gets in. While traditional security measures are in place, the training and frameworks that assume a breach has already occurred are insufficient. Red-Team (*2) test results speak for themselves:
- Nearly 100% physical intrusion success rate
- Around 60% phishing email open rate
- Numerous leaked accounts discovered across many organizations
- Nearly 100% detection rate of major vulnerabilities that could lead to severe incidents
- Post-intrusion, domain admin privileges obtained in one day for roughly 70% of organizations
- Only 10% of organizations detected and responded to Red-Team tests
When redesigning security, what matters most is how effectively you can “fill the major holes” in the environment. Assuming that attackers will eventually get inside, it’s essential to understand where those large vulnerabilities exist within your organization (see Figure 2).
Once these major gaps are identified and properly addressed, attackers find it much more difficult to advance. If they fail to obtain system administrator privileges, they will wander through the environment seeking application administrator privileges, and if that fails, database administrator privileges, and so on.
This forced movement creates opportunities for defenders to detect and contain the attackers. It is an effective defensive strategy.
Figure 2. Source: Fujitsu
Section 2: Building multi-layered defenses from the attacker’s perspective
Cyber attackers follow a clear sequence: reconnaissance, intrusion, and lateral movement. To prevent their success, it is essential to implement measures at each phase that attackers actively dislike, effectively raising the effort and cost required to continue the attack. Drawing on insights from Uvance Wayfinders consultants and white-hat hackers, here’s how to counter their tactics step by step.
1. Reconnaissance: Narrow entry points and remove footholds
Before attempting intrusion, attackers scour publicly available information to identify entry points such as websites, exposed servers, and VPN or cloud login screens. The fewer entry points there are, the higher the chance they give up.
Even if credentials are stolen, multi-factor authentication can substantially reduce unauthorized access. Traditional perimeter defenses, which many Japanese companies have emphasized, are effective to some extent during the reconnaissance phase because they clearly separate internal and external networks.
However, even the strongest walls contain small cracks and weaknesses. Attackers continuously search for new paths, and if defenses are weak once the perimeter is breached, the organization becomes highly vulnerable.
2. Intrusion: Identify and block all possible paths
Attackers typically use three main routes when attempting to infiltrate a system: (1) intrusion via externally exposed servers, (2) malware infection of employee devices through sophisticated phishing emails, and (3) physical entry into offices to gain system access.
To prevent server-based intrusion, minimize exposed points and enforce strict security settings. For malware defense, strengthening the resilience of endpoints such as employee PCs and mobile devices is essential, along with enforcing communication controls such as proxy-based access and VPN authentication. Even in cases of infection, quick detection and isolation of abnormal traffic can significantly limit attacker activity.
Physical intrusion is surprisingly easy. In multi-tenant office buildings, completely controlling outsider access is virtually impossible. Once inside, attackers may connect to internal Wi-Fi, install rogue devices, or insert malicious USB drives into employee computers. Endpoints are prime targets. Attackers are highly familiar with the behavior and blind spots of common EDR products, and they develop sophisticated malware specifically designed to evade detection.
3. Lateral movement: Restrict internal freedom and block deeper access
Once attackers gain access to internal systems, they do not immediately reach the company’s most critical information or systems. Instead, they move throughout the network in search of higher privileges and valuable information that enables deeper infiltration.
One effective defense at this stage is network segmentation, which divides the environment into smaller, isolated sections.
For example, financial institutions are required to strictly separate core banking systems from employee networks, applying strong access control to prevent movement between them. In many other industries, however, executives and general employees operate on the same large network. Without sufficient segmentation, attackers can freely reach critical systems and sensitive information once inside.
NDR (Network Detection and Response) can also be highly effective because it detects unusual communication or behavioral patterns within internal networks. However, compared to the adoption of EDR, NDR usage remains low among Japanese companies, which in turn grants attackers greater freedom of movement after intrusion.
Even companies that adopt a Zero Trust approach, which assumes that an unauthorized breach is inevitable and therefore requires verification of every access request, cannot assume they are fully protected. Zero Trust makes lateral movement more difficult because systems connect through separate internet paths. However, if attackers succeed in stealing authentication credentials, they can still attempt access from the outside. In this sense, Zero Trust has clear strengths and weaknesses, and a fair assessment is that it is better than traditional models but still imperfect.
4. Final stage: Minimizing impact when attackers reach their objective
Many attackers demand ransom by threatening to leak information or shut down systems, and some even publicize their actions to damage corporate reputation. At this point, financial loss, erosion of trust, and brand damage are almost inevitable.
Completely preventing intrusion is no longer realistic. The essential question is how to minimize damage and restore operations quickly under the assumption that breaches will occur.
Among Japanese companies, administrator privileges are often granted too easily, and management structures are insufficient. To reduce the risk of escalation, organizations should avoid unnecessary administrator accounts, ensure strong and unpredictable passwords, enforce multi-factor authentication, and verify that external vendors entrusted with system management maintain strict security controls. Doing the basics properly is the starting point.
To slow attackers down, building multi-layered defenses at every stage is crucial. If reconnaissance and intrusion require significant effort, attackers are more likely to give up. Multiple layers of defense weaken attacker motivation, and this in itself becomes a powerful form of protection.
Section 3: Sharpening your judgment for cyber resilience investments
Cybersecurity investment is not merely a cost. It should be regarded as a strategic investment that enhances corporate value and strengthens the long-term competitiveness of the business. At the core of such investment is the strengthening of cyber resilience: the ability to maintain business continuity even when a cyberattack or incident occurs, minimize damage, and restore normal operations quickly.
This section outlines practical approaches that improve the judgment and execution needed to maximize the impact of cyber resilience investment.
Don’t aim for perfection; protect what matters most
Security and usability are often at odds, making it difficult to achieve both. No matter how much you invest, achieving perfect security is practically impossible.
This is why it becomes essential to distinguish between areas that require the strongest protection and those where some level of risk must be tolerated. For financial institutions, this means safeguarding customer account information and payment systems. By contrast, for ordinary employee devices such as PCs, it is extremely difficult to reduce the risk of malware infection to zero, no matter how many measures are implemented.
In other words, attempting to secure everything equally is unrealistic and inefficient. Rather than spreading, for example, ten billion yen thinly across the entire environment with limited effect, strategically investing three billion yen in protecting the mission-critical information and systems that support the core of the business yields far greater impact.
This illustrates a key truth: effective security investment is not about the size of the budget, but about clearly identifying the highest-risk areas and allocating resources where they matter most.
For less critical areas, applying measures proportionate to risk, and accepting some residual risk, may be necessary. For example, updating outdated factory servers is important, but addressing systems tied directly to business continuity will deliver far greater impact. Think of it like an exam: spending time on low-value questions won’t earn you a high score, but prioritizing high-value questions will.
Identifying risks, determining their priority accurately, and concentrating funding and talent on high-risk areas is the essence of wise cyber resilience investment.
Leverage Red-Team testing for real-world validation
Red-Team testing is an extremely effective method for distinguishing the relative importance of risks and objectively assessing the current state of an organization’s security. Companies confident in their defenses often find major gaps almost immediately during such tests.
Red-Team tests conducted by Uvance Wayfinders’ white-hat hackers simulate the methods used by real attackers and objectively evaluate how well existing defenses withstand actual threats (Figure 3).
Figure 3. Source: Fujitsu
The most important point when conducting these exercises is to perform them as black-box tests, in the production environment, without restrictions. Only by testing under the same conditions as real attackers can organizations achieve an accurate risk assessment. White-box testing is limited because it examines only predefined attack scenarios, does not reflect the realities of the organization, and leaves whatever the imposed restrictions excluded as residual risk.
Through these exercises, companies can uncover weaknesses that internal teams often fail to notice, such as technical gaps, organizational blind spots, and delays in response. The results clarify which areas require improvement, where concentrated investment is needed, and which specific measures and implementations should be prioritized.
Furthermore, the insights gained through Red-Team testing are directly applied to strengthen countermeasure implementation. Fujitsu not only incorporates attacker-perspective evaluation criteria into the deployment of its security products and services, but also verifies risks through these Red-Team exercises and provides end-to-end support using its own resources, from validation through to full implementation (see Figure 4).
Figure 4. Source: Fujitsu
Companies that experience real incidents tend to significantly strengthen their security posture afterward. Why? Because they have paid a heavy price in the form of lost business opportunities, diminished market trust, and serious damage to their brand reputation. Rather than incurring such a cost, it is far more proactive and sensible to simulate attacks through exercises, identify where the major gaps are, and understand the potential business impact before an actual incident occurs.
Once the major gaps identified through the exercises are eliminated, investments in detection and incident response can finally function as intended. Only after these critical vulnerabilities are addressed can organizations meaningfully improve their ability to detect suspicious activity and train employees to respond effectively. Conversely, if these gaps remain, cyberattacks can succeed immediately, rendering detection and response efforts virtually useless.
Detection capabilities require clear policies that specify which logs to retain, for how long, and how they are centrally managed. Response capabilities demand strategies for handling the growing volume of alerts, including the effective use of AI to prioritize and process them. By applying white-hat hacker insights and strengthening these capabilities step by step based on the findings of the exercises, organizations can follow a reliable and practical path toward improved cyber resilience.
Section 4: The core of security in global business
There is a clear and significant difference between Japan and the United States in corporate cybersecurity awareness. In the United States, Red-Team testing is already common practice, while in Japan, only a small fraction of companies have ever conducted such comprehensive exercises. Although Japanese organizations routinely perform vulnerability assessments and penetration tests at the system level, few have evaluated their entire organization, including people and processes, from the attacker’s perspective. Attackers pursue objectives rather than individual vulnerabilities. To counter them, organizations must adopt the same objective-oriented approach, and Red-Team testing is essential for this reason. In this respect, the United States is several years ahead of Japan.
The United States benefits from an economy driven by the IT sector and supported by a large pool of professionals with advanced technical expertise. Many companies maintain in-house IT and digital teams as a matter of course, which has helped cultivate a culture in which security is treated as an internal and fundamental responsibility.
By contrast, most Japanese companies outsource IT operations, including security, to external vendors. As a result, many organizations tend to view security not as their own responsibility but as something entrusted to others.
A symbolic example highlights this difference. At the onset of the COVID-19 pandemic, I had the experience of launching a hacking-simulation service tailored for remote-work environments. Demand in the United States was extremely strong, while interest in Japan was almost nonexistent. One likely reason is that the external vendors responsible for building remote-work systems were reluctant to support or encourage such testing.
Security is the heartbeat of an enterprise. When that heartbeat is controlled externally, an organization loses agility and struggles to internalize security as its own responsibility. Security is not an IT or digital agenda. It must be positioned at the highest level of the management agenda, with a fundamental understanding of threats shared across the entire organization.
Strengthening cyber resilience across global operations
For global companies, cybersecurity challenges are complex and wide-ranging. Many organizations aim to standardize systems across regions under a Fit to Standard approach, yet they also must adapt governance to local laws, regulations, cultural practices, and operational norms. These conflicting demands often create challenges that feel almost contradictory.
Finding the right way to raise cyber resilience across global sites has no single answer. The optimal path varies depending on the company’s business model and organizational structure.
Consider the difference between acquiring an overseas company and starting a new factory or subsidiary from scratch. In the latter case, Japanese standards and rules can generally be applied more smoothly as long as local regulations are met. In the former case, companies must evaluate existing systems, cultural practices, employee IT literacy, and the feasibility of integration. Patterns of IT use and geopolitical risks also vary significantly by country and region, which makes uniform measures unrealistic.
Even so, there is a shared starting point. Organizations need to reinforce the fundamentals: identify and share major risks, apply least-privilege access, and maintain strict access controls. They also need to clarify what is essential for business continuity and determine whether system unification is appropriate.
Once these foundations are secure, organizations can move on to developing talent, strengthening response capabilities, and improving detection. In practical terms, the most effective sequence is to conduct Red-Team testing to eliminate major gaps first and then build multi-layered defenses. This is what enables a meaningful uplift in cyber resilience across global operations.
Section 5: Conclusion
Cyber threats intensify every day. A perfect security posture is no longer possible. Acknowledging this reality and taking decisive action to uncover hidden risks is the first step towards sustainable growth and enhanced enterprise value.
Organizations that shift from a passive to proactive stance, understand attacker behavior, and redesign security ahead of emerging threats are well positioned to withstand diverse threats. Security investment is not a cost. It is a strategic lever for business continuity and competitive strength.
Identifying risks through Red-Team testing, building multi-layered defenses, and enhancing resilience under the assumption of breach together form a robust foundation for establishing market leadership and creating new business opportunities.
Uvance Wayfinders supports security redesign with real-world experience as white-hat hackers. Our approach is grounded in practical, lived expertise and continuous improvement, enabling organizations to transform risk into competitive strength.
Together, we will work alongside you to achieve true cyber resilience and build a future of stronger and more enduring enterprise value.
- (*1) White-hat hacker: A security specialist who applies ethical hacking techniques to identify and disclose system weaknesses with the authorized consent of the system’s owner.
- (*2) Red team: A group of security experts that conducts realistic attack simulations to evaluate an organization’s defenses against an actual attack.
Takeshi Sato
Lead of Security Consulting, Uvance Wayfinders
Takeshi Sato has extensive experience in cybersecurity, specializing in attack simulation and countermeasure planning to help organizations visualize security risks and optimize their strategies. After positions involving vulnerability assessment and SOC analysis at a major telecommunications company, he led Red-Team testing operations and a white-hat hacker team at a global security vendor. In 2025, he joined Fujitsu to leverage his practical expertise in cybersecurity under Uvance Wayfinders and drive the advancement of next-generation security consulting.