Cyberwarfare Is Not What CISOs Think: How to Protect Your Crown Jewels
Matan Eli Matalon joined Full Metal Packet from Israel as Iranian missiles flew overhead, pausing mid-interview to take shelter. What he revealed about how cyberwarfare actually works makes this one of the most grounded conversations we've had.
Episode 7 of Full Metal Packet features Matan Eli Matalon, co-founder and CPO of a stealth-stage cybersecurity startup and former CISO at OP Innovate, where he personally led reverse engineering analysis of the Handala Group's malware.
In this episode, hosts Yegor Sak and Alex Paguis talk with Matan about how nation-state cyberattacks actually work, what most security leaders get wrong about cyberwarfare, and how to think about protecting what matters when everything feels equally urgent.
Fair warning: the interview was interrupted mid-recording when missile sirens went off in Tel Aviv. Matan stepped away to take shelter and came back. It was a day when the lines between digital conflict and real-world conflict were very visibly blurred.
TL;DR
- Nation-state hacking groups like Handala are less sophisticated than most people assume. They win through volume and patience, not technical complexity.
- AI is accelerating that dynamic by making attacks cheaper to run at scale.
- For defenders, the answer is to identify what would genuinely break the business, map how an attacker would realistically reach it, and close those paths first.
- Everything else is secondary.
Cyberwarfare Isn't What You Think It Is
Yegor opens by framing what's actually happening in the Iran-Israel conflict from a cyber perspective: while the missile strikes make headlines, groups like Handala are running parallel operations, such as wiping systems at medical tech companies, leaking emails from government officials, and doing it all without ever asking for ransom. The goal is disruption, pressure, and propaganda.
Matan's first point cuts against a common assumption. Most people imagine nation-state cyberattacks as technically sophisticated operations: elite hackers hitting critical infrastructure with custom-built exploits. What he actually saw when responding to Handala incidents was far more mundane.
"I saw nothing special, honestly. Basic infiltration techniques, basic credential abuse, and basic taking advantage of weak links."
What made Handala effective was scale and patience, not technique. They would infiltrate organizations, live quietly inside their networks for months, and then surface to dump terabytes of data onto Telegram. The damage was reputational and psychological. Achieving that didn't require anything exotic. It required finding companies that hadn't implemented MFA.
AI, Matan argues, hasn't shifted this dynamic as much as people fear. What it's done is remove friction. Writing a phishing message used to take time and some level of expertise. Now it takes seconds. The same attack that required a small team can be executed by one person against a thousand targets simultaneously. The cost of trying is almost zero, and because of that, the volume has gone up dramatically.
Stop Protecting Everything. Start Protecting What Matters.
Matan's crown jewels framework is one of the clearest articulations of this idea we've heard on the show.
The problem most organizations have isn't too many vulnerabilities. It's treating all of them as equally urgent. When attack surfaces are growing faster than security budgets, when every new SaaS tool is another access point, and when MCP servers are talking to private APIs that are talking to databases, trying to protect everything equally is a way to exhaust your team while missing the things that actually matter.
His approach: start by defining failure. What does it actually look like when your organization is broken? Not embarrassed or inconvenienced, but genuinely broken. From there, map the realistic paths an attacker would take to cause that outcome. Then validate whether those paths are actually reachable and close them.
Yegor pushes back on how difficult that mapping exercise has become. Modern infrastructure isn't a single database in a rack. It's dozens of SaaS tools with different access levels, some of which can talk to others and all of which a compromised employee account could potentially touch. Matan agrees it's harder, but holds the line on the principle. Whatever an organization genuinely cannot afford to lose doesn't change just because the infrastructure around it gets more complicated. That's the anchor you start from.
The Incident That Revealed How Lucky Organizations Get
There's an incident from Matan's time at OP Innovate that illustrates how wide the gap can be between a breach and a catastrophe.
A client had been hit by an Iranian hacking group, and Matan's team was brought in after the fact. They traced the intrusion to a file server and found the logging failures and configuration issues that had enabled access. Then they found something that stopped them cold: that file server had open network paths into the most sensitive segments of the environment. The attackers had been standing at the edge of something far worse.
They didn't go further. They had what they came for, which was enough data to post on Telegram and enough for the propaganda to land. So they left. The client got lucky, not because their defenses were strong, but because the attackers had no reason to keep digging.
"That feeling of telling them, okay guys, you got lucky. That could have been much worse."
The broader point is about the mismatch between how defenders measure severity and how attackers make decisions. A vulnerability that looks medium on a scanner can be one step from catastrophic if the path forward is clear. A critical-severity finding can be largely irrelevant if it leads nowhere. The severity score matters less than where the path goes.
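The prioritisation Matan describes (define what breaks the business, map the paths to it, rank findings by where they lead rather than by scanner score) can be made concrete with a small reachability model. The following is an added example, not code from the episode or from OP Innovate; the hosts, edges, finding identifiers and CVSS scores are constructed to mirror the file-server incident above, and a real map would be built from firewall rules, IAM bindings and SaaS integrations rather than a hand-written dictionary.

```python
"""Rank findings by reachability to crown jewels, not by scanner severity.

Added example with a constructed asset graph: a file server with a path into
the sensitive segment, modelled on the incident described above. All hosts,
edges, finding IDs and scores are hypothetical.
"""
from collections import deque

# Directed edges: "an attacker who controls A can reach B". Constructed.
REACH = {
    "internet": ["vpn-gateway", "marketing-site"],
    "vpn-gateway": ["file-server"],
    "marketing-site": ["cms-db"],
    "file-server": ["erp-app", "backup-server"],
    "backup-server": ["customer-db"],
    "erp-app": ["customer-db"],
    "cms-db": [],
    "customer-db": [],
}

# Step one of the framework: what genuinely breaks the business if lost.
CROWN_JEWELS = {"customer-db"}

# Scanner findings as (host, finding id, CVSS base score). Hypothetical.
FINDINGS = [
    ("marketing-site", "CMS-XSS-1", 9.1),
    ("file-server", "SMB-NOAUTH-1", 5.3),
    ("vpn-gateway", "VPN-NOMFA-1", 6.5),
    ("backup-server", "WEAK-CREDS-1", 5.0),
]


def hops_to_jewel(graph, start, jewels):
    """Breadth-first search from `start`; returns the hop count to the nearest
    crown jewel, or None when no path exists."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in jewels:
            return depth
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


def rank_findings(findings, graph, jewels):
    """Order findings by distance to a crown jewel: closest first, unreachable
    last. CVSS only breaks ties between findings at the same distance."""
    ranked = []
    for host, fid, cvss in findings:
        hops = hops_to_jewel(graph, host, jewels)
        ranked.append({"host": host, "id": fid, "cvss": cvss, "hops": hops})
    # Findings with no path (hops is None) sort after every reachable one.
    ranked.sort(key=lambda r: (r["hops"] is None, r["hops"] or 0, -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, REACH, CROWN_JEWELS):
        where = "no path" if r["hops"] is None else f"{r['hops']} hop(s)"
        print(f"{r['id']:13} on {r['host']:15} CVSS {r['cvss']:<4} {where} to a crown jewel")
```

Run as written, the 9.1 cross-site scripting finding on the marketing site sorts last because nothing reachable from it touches the customer database, while the 5.0 weak-credential finding on the backup server sorts first because it is one hop away. That is the mismatch the paragraph above describes: the score says one thing, the path says another, and the path is what the attacker cares about.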
The New Attack Vector Nobody's Talking About Yet
Alex surfaces a threat Matan hadn't heard of yet: slopsquatting. When AI models write code, a significant share of the package names they suggest don't exist in any registry. Attackers are starting to catalogue those hallucinated names and publish real packages under them, loaded with malware. An agent-generated codebase then imports a package whose name looks plausible, nobody questions it, and the malicious package gets installed and run.
The attack surface is changing shape in ways that don't map neatly to existing defenses. Tools that expand what a single developer can do also expand what a single attacker can do, and the blur between human-written and AI-generated code creates blind spots the old categories of vulnerability management weren't built to catch.
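One place to catch this is at dependency review, before anything is installed. The following is an added example, not code from the episode or from any project mentioned in it: it parses a requirements file the way a Python agent might emit one, checks each name against a registry snapshot, and flags names that do not exist (hallucinated), names one edit away from a popular package (a squat), and names that were registered only days ago (the pattern you would expect once an attacker has claimed a hallucinated name). The registry snapshot, the popular-package list, the dates and the generated requirements are all constructed for the example; in practice the lookup would go to the real index, such as the PyPI JSON API.

```python
"""Vet AI-generated dependencies against a registry snapshot before install.

Added example. REGISTRY and POPULAR are constructed stand-ins for a real
index lookup; every package name, date and verdict threshold is hypothetical.
"""
import re
from datetime import date

# Constructed snapshot: normalised name -> date of the first published release.
REGISTRY = {
    "requests": date(2011, 2, 14),
    "pyyaml": date(2006, 3, 30),
    "cryptography": date(2014, 1, 6),
    "reqeusts": date(2025, 5, 2),           # typosquat of requests, registered recently
    "yaml-parser-utils": date(2025, 6, 1),  # plausible-sounding, brand new
}

# Widely used names that squatters imitate. Constructed list.
POPULAR = {"requests", "pyyaml", "cryptography", "numpy"}

TODAY = date(2025, 6, 10)  # fixed so the example is deterministic
NEW_PACKAGE_DAYS = 90      # hypothetical review threshold


def normalize(name):
    """PEP 503 name normalisation: lower-case, collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Extract project names from requirements.txt-style lines, dropping
    comments, blank lines, option lines (-r, -e, ...) and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'reqeusts' is one edit from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def vet(names, registry=REGISTRY, popular=POPULAR, today=TODAY):
    """Return {name: verdict}. 'missing': not in the index (hallucinated);
    'lookalike': one edit from a popular package; 'new': first release within
    NEW_PACKAGE_DAYS (not proof of malice, but review it); otherwise 'ok'."""
    verdicts = {}
    for name in names:
        if name not in registry:
            verdicts[name] = "missing"
        elif name not in popular and any(edit_distance(name, p) <= 1 for p in popular):
            verdicts[name] = "lookalike"
        elif (today - registry[name]).days < NEW_PACKAGE_DAYS:
            verdicts[name] = "new"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed: what an agent might emit as a requirements file.
GENERATED_REQUIREMENTS = """\
requests>=2.31
PyYAML
reqeusts              # hallucinated misspelling of requests
yaml-parser-utils     # plausible name, registered days ago
fastjsonschema-async  # not in the index at all
"""

if __name__ == "__main__":
    for name, verdict in vet(parse_requirements(GENERATED_REQUIREMENTS)).items():
        print(f"{verdict:9} {name}")
```

The "new" verdict is the important one for slopsquatting specifically: a hallucinated name shows up as "missing" only until someone registers it, after which a naive existence check would wave it through. Treating a first release inside the last few months as a review item, rather than as proof the package is legitimate, closes that window.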
The Case For "Yes, But"
A quieter thread running through the whole conversation is what it actually means to be a good CISO right now.
Matan is sympathetic to the instinct to say no to everything. CISOs carry accountability when things go wrong and rarely get credit when things go right. The defensive position makes sense as a response to an uneven situation.
But if a company's competitors are moving faster because they're integrating tools the security team is blocking, eventually there's nothing left to protect.
His mentor's framing stuck with him: don't say no, say yes but. Enable the business to do what it needs to do while building the guardrails to do it right. The hard no gets reserved for cases where verification is genuinely impossible, such as with an unknown vendor with excessive permissions and no auditable security posture. If you can't understand what you're agreeing to, you can't stand behind it.
Where To Start
At 28, Matan has spent a decade in an industry he nearly wrote himself out of in high school, convinced he wasn't technical enough to belong. What drew him to the defensive side was the people-facing nature of the work, understanding organizations, communicating across functions, and helping people protect what they've built.
His closing advice: stop treating every exposure as equally important. Figure out what would actually break the business if it were hit. Trace the paths an attacker would need to take to get there. Confirm whether those paths are real, and close them. If that picture is clear, the organization is in better shape than most of the market.
Matan Eli Matalon is co-founder and CPO at a stealth-stage cybersecurity startup. He previously served as CISO at OP Innovate, where he led incident response and reverse engineering analysis against the Handala Group and other threat actors. He is based in Tel Aviv.
Listen to the full episode on Apple Podcasts | Spotify | YouTube