Inside the Capital One Breach: The 1% Security Gap Nobody Fixed

Ross Young was inside Capital One during the 2019 breach. He explains what the headlines missed and why most security budgets go to waste.

Full Metal Packet Episode 11: Ross Young

The attacker who breached Capital One in 2019 didn't break through the bank's defenses. They waited for a place where the defenses didn't exist yet.

Ross Young was inside Capital One when it happened, and on this episode of Full Metal Packet, he walks through what the headlines missed.

Ross started his career on the offensive side at three-letter agencies, served as an enterprise CISO, and wrote Cybersecurity's Dirty Secret: Why Most Budgets Go to Waste. He now runs Clear Capabilities, building AI agents to automate security work. 

Hosts Yegor Sak and Alex Paguis got him talking about the breach, the budget math nobody wants to say out loud, and what happens when your newest employees are AI agents.

TL;DR

  • The Capital One attacker reached the EC2 metadata service through a misconfigured WAF, then exfiltrated data via a brand new AWS region where DLP tooling didn't exist yet.
  • Most security migrations stall at 98 or 99 percent complete, and that last one percent is where breaches happen.
  • A CFO who declines a $2M per year security program can come out ahead financially even after a $4M breach.
  • Ross scores every tool by coverage times feature utilization. A $3M tool at 40 percent effective protection is a murder board candidate.
  • A lot of DLP is security theater. Ross once walked sensitive data past one by renaming files as DLLs.
  • Hardware keys plus VPN-gated services stop most identity attacks. Software passkeys in browser extensions are the next soft target.
  • Before any AI agent goes live, you need three things: a kill process, a full audit trail, and a rollback plan.

The Attacker Waited for a Region With No Defenses

The attacker was a former AWS employee with deep knowledge of how the platform works under the hood, including a detail most defenders never think about: when AWS opens a new region, it launches with only a small set of core services and adds the rest over time. The security tooling Capital One relied on, including its data loss prevention capabilities, simply didn't exist in a brand new region yet.

So the attacker waited for one to open. From there, they exploited a misconfigured web application firewall to perform a server-side request forgery attack against the EC2 metadata service, stole session credentials, and pulled data from S3 buckets through a blind spot that no dashboard was watching.

Data the bank believed was encrypted turned out not to be in practice, and the metadata service itself was weak enough that AWS shipped a hardened second version, IMDSv2, shortly after.

The response was fast: a team stacked with former FBI and intelligence people built an evidence package for law enforcement in under a day and shut the operation down within a week. Detection was the problem, and it leads into Ross's bigger argument.

The Last 1% Is Where Breaches Live

The misconfigured WAF wasn't carelessness. Capital One had been migrating from an open source ModSecurity WAF to a newer Barracuda deployment, and not everything got ported over. A scanner wouldn't have flagged it either, since both forward and reverse proxy are valid configurations depending on what you're trying to do.

Ross's broader point is that this pattern repeats everywhere. Organizations track a migration to 98 or 99 percent compliant, the remainder lands on a risk register, and everyone moves on.

"Those little gaps are what's called the chinks in the armor," he says, and AI-driven attack surface discovery is making them easier to find. His challenge to security leaders: how do you get to 100 percent, and how do you know you're there?

The same applies to protections you believe are working. Developers complain that a WAF breaks site functionality, an engineer quietly disables some rules, and the CISO never hears about it.

"We've actually made it a Swiss cheese firewall," he says. The org chart believes the OWASP Top 10 is covered, the firewall config says otherwise, and the only people who knew left the company three years ago.

The CFO Who Said No, and Was Right

The most uncomfortable argument in the episode is a budget story. A CISO asks the CFO for $2 million a year to build an AI security program. The CFO asks what a breach would cost. The CISO, working from industry averages, says around $4 million. The CFO declines the funding. Four years later, the breach happens.

The company paid $4 million for the breach and saved $8 million in program costs. From the CFO's chair, declining the budget was the financially correct call.

Yegor and Alex push back on the math. Breach estimates rarely capture lost customer trust or brand damage, and in some industries, the downside isn't measured in dollars at all.

But Ross's underlying point stands: the CISO's risk tolerance is not the CFO's, and the people higher in the org chart make the call. Security leaders who can't frame spending in those terms will keep losing the argument.

Put Your Tools in Front of a Murder Board

So where does the money actually go to waste? Ross's answer is a process he calls a murder board, built on two numbers for every tool in your stack.

The first is coverage: what percentage of your environment the tool is actually deployed on. The second is utilization: what percentage of the important features are turned on. Multiply them and you get an effective protection score. A tool on 90 percent of endpoints with 80 percent of key features enabled scores 72 percent.

Run that across the 50 to 80 tools a typical large company owns and the conversation changes fast. A $3 million line item delivering 40 percent protection either gets fixed or gets cut.

He pairs this with a harder question: over the last 12 months, what did this tool detect that nothing else would have caught? On that test, entire categories start to look shaky. DLP comes in for particular criticism. Ross tells a story from his offensive days about a target whose DLP whitelisted DLL files to avoid breaking Windows. Renaming payment card data with a .dll extension sent it sailing through, auto-approved.

Hardware Keys, Deepfake Accomplices, and the RCMP

Ross's strongest identity recommendation is also one of the cheapest: hardware security keys for every employee, combined with firewall rules that keep internal services behind the VPN. Even an attacker who phishes credentials and steals session keys hits a wall.

He's skeptical of software passkeys living in browser password managers, which can be exported and replayed from a compromised machine. Yegor adds that storing TOTP codes alongside passwords in the same manager quietly defeats the point of a second factor.

The social engineering discussion gets personal when Alex shares his recent brush with a convincing phishing operation impersonating the RCMP, complete with phone calls and a follow-up email that fell apart only on close inspection.

Ross describes the newer variant: deepfake Zoom calls where three executives pressure a target at once, because nobody expects an attacker to fake an entire meeting. His answer is process, not better detection. Out of band verification for any banking change, approvals that live in systems of record, and no exceptions for anyone claiming to be the CEO.

Your Next Insider Threat Doesn't Have Hands

The episode closes on AI agents, which Ross frames as a new class of operator that can't touch a hardware key and can be phished through prompt injection. His prescription goes back to fundamentals: every agent needs a documented business justification, minimum necessary access, and named approvers, exactly like any application would.

Then he adds 3 requirements most teams skip:

  1. A kill process to stop an agent gone bad
  2. An audit trail of every action it takes
  3. A rollback process to undo what it did. 

Yegor raises the scope creep problem: agent permissions escalate in days rather than the months a human takes to earn trust. Without those controls in place first, an over-provisioned agent with broad CRM and email access is one bad prompt away from publishing your customer database.

Ross's parting advice for CISOs is to run a realistic security evaluation, and a SOC 2 report doesn't count. Map your material threats, measure your real coverage and utilization against them, and find out what your tools are actually protecting before someone else does.


Ross Young is the co-founder and CEO of Clear Capabilities, a former CISO, and the author of Cybersecurity's Dirty Secret: Why Most Budgets Go to Waste.

Full Metal Packet is hosted by Control D co-founders Yegor Sak and Alex Paguis. Watch the full episode on YouTube, or listen on Apple Podcasts, Spotify, or wherever you get your podcasts.