Do attackers collaborate more than we do?

This week we’re focused on…

Collaboration. And whether attackers are better at it than we are. 

Ransomware groups share infrastructure. Initial access brokers trade credentials like commodities, and criminal forums operate with customer support desks and affiliate models – like real, legitimate enterprises. 

But the people who defend organisations (yes, we’re talking to you) are often regional. People work in silos, and guard information from others. 

When we spoke to Stefan Baldus (CISO at Hugo Boss) on-site at Black Hat MEA 2025, he said: 

“I think the bad guys do this [connect and share information] on a day-to-day basis. And we as the good guys guarding our companies, we talk too little with each other – and maybe also only on regional levels.”

Two halls; thousands of conversations 

For Baldus, the scale of Black Hat MEA is part of the solution. 

“The energy is just awesome. I mean there are two halls packed full of people – younger, older, everybody is talking to each other.”

That communication between everyone in the industry, at a vibrant in-person event, is incredibly important. Because cybersecurity doesn’t stand still – “The threat landscape changes every minute or every week and month.”

The cadence of risk is continuous. And while most enterprises are structured around regional compliance frameworks and internal reporting lines, threat actors are structured around speed and shared advantage.

This asymmetry creates risk. Which is exactly why we nurture Black Hat MEA as a platform for knowledge-sharing and connection – to help the cybersecurity industry collaborate just as effectively as threat actors do. 

International exchange isn’t optional anymore

For Baldus, that global mix at Black Hat MEA is the real differentiator.

“Those international events which bring together North America, Europe, Middle East, Africa – this is a great exchange that will help the overall cybersecurity community to be more resilient in the end.”

Because resilience comes from conversation; from understanding how a peer in another market handled an incident, or from seeing how regulatory pressure differs across jurisdictions. 

To have those conversations, you need trust. 

And to build trust, you need to meet people face-to-face; to be your real human self, and connect with them in a genuine way. 

From outsider to insider

There’s another layer to this. Cyber leadership can be isolating. CISOs carry regulatory accountability, board scrutiny, reputational risk – and often personal liability. It is, to put it lightly, a high-pressure job. 

The first time they come to the event, even seasoned leaders don’t feel like insiders straight away. 

“My first time at Black Hat I didn’t know anybody,” Baldus said. “And now here I’m also part of this cyber community – it feels really great.”

That change, from walking into a room alone to being part of a global network, is as strategic as it is social. Because the threats facing global enterprises are transnational and coordinated, and evolving – so your network needs to be just as dynamic. 

Step up, or fall behind

Cybersecurity is both a technical and a social discipline. If attackers share playbooks across borders, defenders have to do the same.

The threats will evolve and tactics will keep shifting. Defenders need to collaborate at the same speed as the adversaries they’re up against. 

And that’s where we come in.