The Stryker Wakeup Call: Building an Adaptive Defense for the Age of Destructive Attacks

On March 11, 2026, employees at Stryker Corporation arrived at work to find their laptops, phones, and desktops wiped clean. Login screens displayed the logo of Handala, an Iranian government-linked hacker group. Stryker is a Fortune 500 medical technology company with 56,000 employees, $25 billion in annual revenue, and operations across 61 countries.

This was not ransomware. It was a deliberate wiper attack designed for pure destruction.

According to reporting from KrebsOnSecurity and Cybersecurity Dive, attackers compromised Stryker’s Microsoft Intune environment and used global administrator privileges to issue a mass remote wipe command. At 3:30 a.m. EST, about 80,000 employee devices were factory-reset before anyone could respond. Offices in 79 countries went offline. Manufacturing, electronic ordering, and shipping systems went dark. Leaders in Ireland sent staff home and resorted to WhatsApp for basic coordination. Stryker filed an 8-K with the SEC, and CISA launched a formal investigation.

No traditional malware was deployed. The attackers used Stryker’s own enterprise management tools against it — a textbook living-off-the-land attack executed at devastating scale. As one security expert noted, when an attacker gains global administrator privileges, they can execute absolute destruction in minutes that takes months to repair.

Beyond Frameworks: Building an Adaptive Defense

We operate in an industry reliant on security frameworks like NIST and CIS that reflect traditional program maturity, but not the capability to defend against the shifting tactics of modern adversaries. In an era where nation-state actors move at machine speed, organizations need a defense strategy that adapts to the current threat landscape rather than checking boxes against historical standards. At In Balance IT Solutions, we call this Adaptive Defense.

Here are five tactical areas every organization should evaluate, and how In Balance can help:

1. Intune and Endpoint Management Health Checks. The Stryker attack effectively weaponized a device management platform. In this case, threat actors exploited global administrator roles; Microsoft’s own documentation explicitly warns against using those roles for daily Intune management. Best practices, and Microsoft’s recommendations, advocate for least-privilege role assignments, Privileged Identity Management (PIM) for just-in-time elevation, phishing-resistant MFA, and Multi-Admin Approval for high-impact actions like bulk device wipes. These concepts are not new, but they frequently erode as organizations, workforces, and security policies evolve.

Action: In Balance offers Intune Health Check services that audit your configuration against these practices and ensure no single credential can trigger organization-wide destruction.
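
A minimal sketch of the kind of check such an audit performs, added here as an illustration and not In Balance's or Microsoft's tooling. The records, field names, MFA labels, and role-to-action mapping are constructed for the example and are not an Entra ID or Intune export schema.

```python
# Added example. All records and field names below are constructed for
# illustration; they are not the Entra ID or Intune export schema.
HIGH_IMPACT = {"wipe", "retire", "delete"}
PHISHING_RESISTANT = {"fido2", "certificate", "windows_hello"}

# Assumed mapping of role -> device actions that role can issue.
ROLE_ACTIONS = {
    "Global Administrator": {"wipe", "retire", "delete"},
    "Intune Administrator": {"wipe", "retire", "delete"},
    "Read Only Operator": set(),
}

ASSIGNMENTS = [
    {"upn": "alice@example.test", "role": "Global Administrator",
     "standing": True, "mfa": {"fido2"}},
    {"upn": "bob@example.test", "role": "Intune Administrator",
     "standing": False, "mfa": {"sms"}},
    {"upn": "carol@example.test", "role": "Read Only Operator",
     "standing": True, "mfa": {"sms"}},
]


def audit(assignments, approval_required):
    """Return {upn: [findings]} for accounts that can issue high-impact actions."""
    report = {}
    for a in assignments:
        risky = ROLE_ACTIONS[a["role"]] & HIGH_IMPACT
        if not risky:
            continue  # cannot wipe or retire devices; out of scope here
        findings = []
        if a["role"] == "Global Administrator":
            findings.append("global admin used where a scoped role would do")
        if a["standing"]:
            findings.append("standing access; no just-in-time elevation")
        if not a["mfa"] & PHISHING_RESISTANT:
            findings.append("no phishing-resistant MFA")
        unapproved = sorted(risky - approval_required)
        if unapproved:
            findings.append("acts alone on: " + ", ".join(unapproved))
        report[a["upn"]] = findings
    return report


if __name__ == "__main__":
    # Constructed policy: only 'wipe' needs a second admin's approval.
    for upn, findings in audit(ASSIGNMENTS, {"wipe"}).items():
        print(upn, findings)
```

An account with an empty findings list can still issue high-impact actions, but only with just-in-time elevation, phishing-resistant MFA, and a second approver in the path.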

2. Identity Recovery Solutions. When a wiper attack takes out your environment, the first thing you need to rebuild is identity. Without Active Directory and Entra ID, nothing else comes back online. Users cannot authenticate, applications cannot authorize, and recovery stalls at the starting line. Understanding how long the threat actor has been active in the environment and being able to recover/restore cleanly from a point in time is a crucial but overlooked aspect of identity management and backup/recovery solutions.

Action: Solutions like Rubrik Identity Recovery and Semperis Active Directory Forest Recovery restore your identity infrastructure from known-good, validated backups independent of the compromised environment.

3. Data Resilience and Accelerated Recovery. Stryker’s employees were sent back to pen and paper. Having backups is a necessary component of a recovery strategy, but business continuity is much more nuanced. When you need to rehydrate terabytes or petabytes of data across a global footprint, recovery becomes a physics problem. Organizations need tiered, contingent, and orchestrated recovery and continuity strategies and solutions that accelerate the restoration process to minimize the window between incident and operational recovery.

Action: In Balance offers workshops to illustrate and derive recovery strategies that go beyond restoring technical systems to address business continuity and contingencies. We then help our customers test, validate and improve these strategies through pen testing, tabletop exercises, and simulations that prepare our customers for various scenarios.

4. Agentic SOC and Integrated Threat Detection. The Stryker attackers used legitimate admin tools through authorized credentials, which means traditional endpoint detection would not have flagged the initial activity. Most organizations have a SIEM, an EDR platform, and an identity provider that operate in silos. With threat actors using modern “living-off-the-land” techniques, organizations need to integrate their detection capabilities to identify threats at the source rather than waiting for alerts to propagate through a pipeline.

Action: Agentic platforms like BlinkOps offer machine-speed security automation that correlates signals across your entire stack and triggers response workflows in seconds.
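
To make the correlation idea concrete, here is an added detection sketch (not BlinkOps's or any vendor's code) that joins two normally siloed sources: management-plane audit events and identity sign-ins. The events, field names, and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions for this example,
# not the schema of any identity provider or Intune audit log.
SIGNINS = [
    {"time": "2026-01-10T03:05:00", "upn": "admin1@example.test", "new_device": True},
    {"time": "2026-01-10T08:00:00", "upn": "admin2@example.test", "new_device": False},
]
ACTIONS = (
    [{"time": f"2026-01-10T03:30:{s:02d}", "actor": "admin1@example.test",
      "action": "wipe", "device": f"dev-{s}"} for s in range(12)]
    + [{"time": "2026-01-10T09:00:00", "actor": "admin2@example.test",
        "action": "wipe", "device": "dev-lost-laptop"}]
)


def detect(actions, signins, threshold=10, window=timedelta(minutes=5),
           lookback=timedelta(hours=1)):
    """Flag actors whose wipe count inside `window` reaches `threshold`."""
    recent = defaultdict(deque)  # actor -> timestamps of wipes still in window
    alerts = {}
    for ev in sorted(actions, key=lambda e: e["time"]):
        if ev["action"] != "wipe" or ev["actor"] in alerts:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append(t)
        while t - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            # Cross-source step: an unusual sign-in shortly before the burst
            # raises severity; a burst alone is still worth an alert.
            suspicious = any(
                s["upn"] == ev["actor"] and s["new_device"]
                and timedelta(0) <= q[0] - datetime.fromisoformat(s["time"]) <= lookback
                for s in signins)
            alerts[ev["actor"]] = {"first_wipe": q[0].isoformat(), "count": len(q),
                                   "severity": "critical" if suspicious else "high"}
    return alerts


if __name__ == "__main__":
    print(detect(ACTIONS, SIGNINS))
```

The single wipe of a lost laptop by the second administrator stays below the threshold, so routine help-desk activity does not alert.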

5. Policies, Governance, and Tabletop Exercises. The least glamorous recommendation and arguably the most important. Is your organization prepared for a scenario where every corporate device is wiped simultaneously? Do your teams know who to call if Teams and email are both down and their phones have been wiped? Have you conducted a tabletop that simulates total endpoint loss, not just ransomware encryption? Stryker was reduced to WhatsApp and personal phones for basic coordination.

Action: In Balance helps organizations build, document, and pressure-test their incident response and business continuity plans so that when the worst comes, the response is rehearsed rather than improvised.

The Threat Landscape Has Changed. Has Your Defense?

The Stryker attack is a signal, not an anomaly. Compliance frameworks tell you where you have been. Adaptive Defense prepares you for where the threat is going and can extend and activate traditional control frameworks to achieve both compliance AND cybersecurity.

If your organization is ready to evaluate its readiness across endpoint management, identity recovery, data resilience, threat detection, and incident response, In Balance IT Solutions is ready to help. Reach out to us today.


Michael Caplan is the Chief Technology Officer for In Balance IT Solutions.