Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity

I recently had, what I thought, was a unique brainwave. (Spoiler alert: it wasn’t, but please read on!)

As a marketing leader at ESET UK, part of my role is to communicate how our powerful and comprehensive solutions can be implemented to protect organisations, in a way that helps clarify the case for upgrading to higher levels of cybersecurity. And that need for clarity is now more urgent than ever.

Cybersecurity leaders and agencies, including the UK’s National Cyber Security Centre (NCSC), are often quoted as saying that cyberattacks are not “a matter of if, but when.” So perhaps it’s not too much of a stretch to describe every organisation as existing in a “pre-breach state”, or a condition where threats may already be present but stay under the radar.

Which brings to mind Schrödinger’s cat, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead – until you look inside. This might be challenging the analogy a bit, but in cybersecurity terms, your organisation lives in a similar state: it’s both breached and not breached – until you look. Without visibility, you simply don’t know. And by the time you do, the damage may already be done.

Accepting this reality demands a shift in mindset and a shift in strategy. Indeed, for organisations without the requisite tools for internal threat hunting and monitoring of malicious behaviour, one could further argue that this, actually, represents a duality of state encountered in quantum theory and, therefore, these organisations are in a kind of “quantum breach state”.

It came as no surprise when I found that my brainwave was shared amongst at least a few others, who had used this analogy to explain the new reality and encourage organisations to revisit their cybersecurity strategy accordingly. A bit disappointing from an egotistical perspective, but also not too much because it’s clearly a train of thought that resonated with at least those few, too.

But now I’m going to pick holes in the analogy a little whilst hoping to underscore the key message.

Random and not-so-random

The original thought experiment – first described by Austrian physicist Erwin Schrödinger 90 years ago, almost to the day – relied on the random chance of the radioactive decay of an element emitting a particle that hit a detector, which triggered the release of poison into the box, thereby snuffing out the cat. This is a random chance determined by quantum decay, whereas the timing of the “detonation” of malware by criminals within an organisation is, more often than not, planned.

The loose grouping of English-speaking criminals known as Scattered Spider, who were behind the Marks and Spencer (M&S) breach in the UK, were thought to have been moving through the company’s systems undetected, for weeks. This same group is thought to be behind the, oft-referenced, Jaguar Land Rover (JLR) breach, which is estimated to have cost over £2 billion to the UK economy and is officially the costliest in UK history.

It is fair to assume that the same tactics may have been employed, although details of how long the attackers were present in JLR’s systems are sketchy. In the case of M&S, the perpetrators spent a long (dwell) time ‘living off the land’, unleashing the chaos at the start of the Easter holiday weekend. The JLR attack, meanwhile, was triggered on the 31^st of August 2025, on the eve of the UK car industry’s equivalent of Christmas and Thanksgiving rolled into one: the new car registration day (“new plate day”) on the 1^st of September.

Random? I don’t think so.

Therefore, the quantum breach analogy doesn’t quite hold. If I were to venture a guess, the date was carefully planned for maximum disruption – and it worked spectacularly well for the attackers (and spectacularly badly for JLR, of course).

At this point, it’s worth reminding ourselves of a few statistics. According to IBM’s Cost of a Data Breach Report 2025, the global mean time to identify and contain a breach (i.e., the entire breach lifecycle) is 241 days, while the mean time to identify a breach is 181 days – we’re talking about big numbers here either way. The uncomfortable reality is that many organisations are breached long before they realise it. And the longer the dwell time, the more damaging the eventual “detonation” of the attack is likely to be.

Solutions: Locks and/or SOCs

If, by now, you have accepted my “theory” that your organisation is in a pre-breach state, you might now think about solutions. One such solution is, usually, procuring/upgrading your security (i.e., buy a bigger lock) or go the whole hog and upgrade to EDR or XDR tools and then go threat-hunting. The latter would equate to “opening the box” and observing, of course.

Opting for the former (bigger locks) doesn’t necessarily help when you consider the insider threat and social engineering and other attack strategies employed by cybercrime groups like Scattered Spider, which were behind both JLR and Marks & Spencer breaches. No matter the size of the lock, stealing the keys (or having them, effectively, given away by clicking on a malicious link or being tricked into giving away or resetting a password) makes them obsolete in this instance.

So, what about SOCs?

For this to work, of course, firstly you’ll need to create a SOC of some sort and then staff it with security analysts. Very expensive and time-consuming – this can take months to set up and cost hundreds of thousands of pounds/dollars/euros. And that’s even if you can recruit enough people due to the much reported, cybersecurity skills shortage. So, let’s ‘go commando’ then; i.e., do it ourselves.

This option needs to be considered with caution – the skill required to operate these powerful tools is not to be underestimated and when they are activated, many (most/all) organisations will find the sheer volume of telemetry, alerts and alarms so overwhelming that they end up disabling many of them just to dampen the noise. So, whilst the “quantum state” of the breach is now resolved – i.e., you’re now observing your systems – it may create a worse situation and lead to a false sense of security. You now think you’re ok when you’re potentially not, because you may not have the requisite skills to properly analyse what’s being observed.

Add to the mix that, here at ESET, we’ve seen an increasing number of cyber insurance policies, shared by clients, that insist on EDR solutions being in place to even qualify for cover, which can leave security professionals with a real conundrum. Forced into using tools that require highly skilled operators, without the ability to use them correctly for the policy to remain applicable in the event of the (inevitable) breach. Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day – and it’s hardly surprising.

But there is a third way. Turning for help to the vendors that create the tools and offer services to threat hunt, monitor and remediate these threats is increasingly the direction of travel for organisations of all sizes. Managed detection and response (MDR) services resolve this dilemma: experts managing the tools, round the clock monitoring, proactive threat hunting, rapid detection and remediation, amongst others – this all de-stresses the situation, resolves the “quantum breach state” and defuses the cyber-bomb, and ultimately goes a long way to help meet insurance and compliance requirements and most importantly, mitigates the damage created by longer-dwelling APT and cybercrime groups.

The reality check

• You really don’t know you’ve been breached until you observe the reality within your systems. Do you know you haven’t been?
• Unless you have the requisite skills to threat hunt and remediate, the tools you try and use yourself can be counter-productive and create more noise behind which the attackers could hide. Do you have the skills?
• Even if you have the in-house skills to deploy EDR/XDR solutions, the mean time to detect and respond (MTTD & MTTR) are going to be hundreds of times longer than a third-party vendor can achieve (i.e., ESET ‘s MTTD < 1 minute; MTTR < 6 minutes). Do you know what your own MTTD and MTTR times are?
• It’s incredibly expensive to build the necessary SOC and provide 24/7/365 monitoring – for most companies this is prohibitive. Do you have the time (and money) to build and staff a SOC?
• MDR services, via MSPs and MSSPs, can be activated for ANY size of organisation – from one seat/employee up.

References:

• “Schrödinger’s Cat in Cybersecurity: The Paradox of Uncertainty” – compares vulnerabilities to the cat’s fate, stressing proactive monitoring. [linkedin.com]
• “Schrödinger’s Breach” – highlights dwell time and the illusion of security until proven otherwise. [advantage.nz]
• Cyber Strategy Institute – uses the analogy to explain trust and risk as quantum-like dual states. [cyberstrat...titute.com]