Shai-Hulud 2.0: What We Learned from Helping Organizations Contain a Large-Scale Cloud Attack

Over the past week, as the dust has finally begun to settle, organizations have slowly regained control after the Shai-Hulud 2.0 campaign. At Blast Security, we had the privilege of assisting several customers during the peak of the incident – helping them contain the attack quickly, shut down active paths, and reduce their blast radius using preventive guardrails.
Now that teams are back on their feet, it’s the right moment to share several key insights we believe can help every cloud-forward organization prepare for the next wave.

Perimeter Defense Will Always Fail – Attack Path Reduction Must Be a Priority

If the Shai-Hulud attack proved anything, it’s that the perimeter is not a strategy. The attacker needs to find one hole. The defender needs to close all of them. That unfair advantage played out repeatedly this year:

• The Salesforce third-party drift incidents
• Microsoft’s EntraID actor token vulnerability
• Shai-Hulud and other CI/CD, OAuth, and identity pivot exploits

Once an attacker gets even the smallest foothold – through a compromised laptop, a vulnerable plugin, an exposed token, or an external misconfiguration – they immediately turn to the cloud’s internal pathways.

And those pathways matter more than ever.

Attackers will:

• Hunt for secrets to expand their reachable radius
• Attempt lateral movement using over-permissive identities
• Exfiltrate reconnaissance data to remote locations
• Try to pivot into CI/CD, secrets managers, or automated service identities

Your perimeter buys time.
But your internal architecture determines whether the attack succeeds.

Guardrails that protect sensitive internal assets – such as your secrets manager, your production roles, or your identity boundaries – are often the difference between a contained incident and a catastrophic breach.

For example, blocking an attempt to enumerate the secrets in your AWS Secrets Manager using SCP will eliminate the attacker’s ability to expand. Moreover, setting an Azure Conditional Access policy on your entities to deny access to Key Vaults from untrusted networks keeps your assets unreachable to stolen credentials.

Speed Matters – Containment Requires Simulation, Not Guesswork

When an attack is actively unfolding, time is the scarcest resource. Security teams must immediately neutralize the attacker and prevent re-entry through stolen secrets, compromised identities, or exposed access paths.

Organizations often know what needs to be done – “make the walls higher” – but executing that under pressure is extremely difficult:

• You need to craft the exact right guardrail, with zero mistakes
• You need to be confident it won’t break production
• You need to add the right exclusions so critical services stay online

Doing all this manually, while the clock is ticking, is almost impossible.
This is where automation and simulation become indispensable. Teams need systems that:

• Identify the next guardrail to deploy – where, how, and why
• Manage safe business-aligned exclusions at scale
• Automatically test the guardrail by simulating its impact on historical activity – giving full confidence before deployment

Containment doesn’t start with a guardrail. It starts with knowing its impact before you enforce it.

Preventive Guardrails Minimize Blast Radius – Build Them Before Crisis Hits

Preventive guardrails consistently succeed where traditional “least privilege remediation” fails. They:

• Remove excessive permissions safely
• Establish non-negotiable boundaries that attackers cannot bypass
• Reduce the number of reachable assets an attacker can pivot to
• Transform the environment into a self-protecting architecture

But here is the reality we repeatedly see:

Guardrails are always deprioritized during calm periods – and urgently needed during crises.

The time to build and review your architecture, your boundaries, and your guardrails is before anyone is inside your environment.

When properly implemented, guardrails are not merely a line of defense – they become the deep structural barriers that enforce how your cloud behaves, limit lateral movement, and make exploitation dramatically harder, even in the event of a breach.

Final Thought

Shai-Hulud 2.0 wasn’t the first major cloud-scale attack – and it won’t be the last. But every incident gives us an opportunity to learn, adapt, and strengthen the architecture that protects our organizations.

Preventive guardrails are an efficient way to block attackers from not only penetrating the organization but also from expanding within it. When placed correctly, they can not only prevent attacks but also provide visibility into any malicious activity occurring within the environment.