Expert Opinions

Volt Typhoon Is Already Inside. Your Security Stack Wasn't Built to Find It.

Written by:
Brendan Sullivan, Chief Executive Officer
Brendan Sullivan, Chief Executive Officer
Published on:
July 13, 2026
Volt Typhoon Is Already Inside. Your Security Stack Wasn't Built to Find It.

Three hundred days. That's the average dwell time CISA confirmed for Volt Typhoon intrusions inside U.S. critical infrastructure networks, not according to a vendor's threat report, but according to the agency's own advisory, AA24-038A, which confirmed intrusions in water utilities, port authorities, power grid operators, and telecommunications providers. In some cases, persistence extended past five years in a single organization, with the actor present across multiple network segments while generating no alerts that any deployed security tool flagged as meaningful.

If that number stops you, it should. Because the question it raises is not whether Volt Typhoon is a serious threat. The question is why the security controls your organization has spent years and significant budget building failed to surface it.

The answer is architectural, and it's specific. Understanding it is the first step toward closing the gap.

What Volt Typhoon Is Actually Doing

Volt Typhoon (tracked by MITRE ATT&CK as G1017) is a PRC state-sponsored actor with a mission that is categorically different from most cyber threats CISOs plan against. It is not extracting data. It is not deploying ransomware for financial gain. It is pre-positioning: establishing persistent, durable access inside U.S. critical infrastructure so that, at a moment of geopolitical conflict, it can activate disruptive capabilities across energy, water, transportation, and military support systems simultaneously.

The operational model is designed to defeat the security stack that most organizations have deployed. Volt Typhoon uses Living-off-the-Land techniques almost exclusively: native OS binaries, legitimate administrative protocols, and valid credentials obtained through prior compromises of edge devices. No custom malware is deployed. No novel exploit code is dropped. Everything the actor does looks, at the tool level, like normal administrative activity.

CISA confirmed this in precise terms. The actor compromised SOHO appliances and VPN concentrators to establish footholds, then moved laterally using WMI, SMB, and RDP, the same protocols your administrators use every day. Behavioral analytics tools that establish baselines over weeks or months were unable to distinguish the activity from legitimate operations, which is why 300-day dwell times were possible without detection.

This is not a failure of your security team's vigilance. It is a failure of the underlying enforcement model most security architectures rely on.

Why the Stack Fails Against This Specific Threat

Most enterprise security architectures share a common assumption: the network perimeter is the primary defensive boundary, and controls operate on traffic that is already in motion. Firewalls inspect packets in flight. EDR analyzes process behavior after execution. SIEM correlates events after they're logged. NAC validates identity at authentication time and then grants network access.

Volt Typhoon's operational model attacks each of these controls at the exact moment they're weakest.

Firewalls and VPN concentrators are the entry point, not the barrier. CISA's advisory confirmed that the actor compromised edge devices, the devices that sit at your perimeter enforcing access, and used them as pivot points into the interior. Once the device itself is compromised, the traffic it handles is attacker-controlled traffic that looks like authorized traffic.

Antivirus and EDR produce no alerts because there's nothing for them to detect. LOTL techniques mean no malware signatures, no injected code, no dropped executables. The tools are running legitimately (wmic.exe, cmd.exe, PowerShell) in a way that is functionally indistinguishable from a system administrator running the same commands. EDR vendors are honest about this limitation when pressed. Signature-based detection is irrelevant, and behavioral baselines take weeks to establish, giving a patient attacker plenty of time to blend in.

NAC validates credentials, not sessions. If an attacker has obtained valid credentials (through a prior phishing compromise, a credential dump, or an edge device that stores them), those credentials pass NAC checks cleanly. The control was never designed to evaluate whether the entity presenting the credential is authorized to establish the specific session they're requesting, on that specific network segment, at that moment.

SIEM and behavioral analytics face a dwell-time problem that is structural, not a detection gap you can tune your way out of. A 300-day dwell time means the actor is present across multiple baseline establishment cycles. By the time your analytics have enough data to flag anomalous behavior, the attacker has had months to understand your environment, move to high-value segments, and establish redundant persistence. You're not detecting an intrusion; you're retrospectively tracing one that already succeeded.

The Enforcement Timing Problem

The common thread across all of these failures is timing. Every control in the traditional stack operates on activity that has already begun. Traffic is inspected after it enters the network. Credentials are evaluated at authentication time. Behavior is analyzed after it happens. The implicit assumption is that if something bad is occurring, we'll detect it in flight and respond.

Volt Typhoon is specifically designed to defeat that model. When the attacker looks like an administrator and uses the same tools as an administrator, detection-in-flight is not a viable primary defense. You need to stop the connection before it's possible, not after the activity is underway.

That's the problem First Packet Authentication is built to solve.

Before any TCP session is established, every connection attempt against a protected resource must carry a TAC-ID: a quantum-resilient, one-time-use identity token embedded in the initial SYN packet. Our InvisiGate and InvisiPoint enforcement points evaluate that token before the session connects. If the token is missing, expired, or unauthorized, the gateway drops the traffic silently and returns nothing. No SYN/ACK. No banner. No error message. The resource does not acknowledge that it exists.

This has a specific consequence for how Volt Typhoon operates. The actor's first step in any new network segment is reconnaissance: port scanning, service enumeration, identifying what's running and what's reachable before deciding where to move next. Against Invisinet-protected infrastructure, that reconnaissance returns nothing. Cloaked resources are invisible to unauthorized probes because they don't respond to them. The attack surface is eliminated before the attacker reaches Initial Access.

The second consequence is credential resistance. Valid credentials alone do not create network reachability. To establish a session, the requesting identity must present a valid TAC-ID that is policy-bound to their identity, device, and access level at that moment. A stolen password, a compromised VPN credential, or an edge device that stores authentication material produces nothing without the corresponding token. Volt Typhoon's primary access technique (abusing valid, stolen credentials) fails at the transport layer before a session exists.

Lateral movement faces the same barrier at every hop. SMB, RDP, WMI pivoting, each of these techniques depends on the target service being reachable from the attacker's current position. With FPA deployed, every attempted hop requires an independently validated TAC-ID. An attacker with a foothold in one segment cannot reach a protected segment on a different subnet without FPA authorization for that specific session path. There is no re-use of prior credentials, no inherited trust from earlier authentication events. Each connection is evaluated from zero.

Persistence faces the same barrier. TAC-IDs are ephemeral and one-time-use: a token issued for one session cannot be replayed to re-establish access later. An attacker who achieves a foothold today cannot use that same session token or captured credential material to reconnect tomorrow. Every reconnection is a new authorization event, not an inherited one, which is precisely the property that defeats the multi-year persistence Volt Typhoon depends on.

The OT Problem No One in ZTNA Wants to Talk About

Volt Typhoon's targeting is not limited to IT environments. CISA confirmed intrusions specifically in OT infrastructure (SCADA systems, ICS environments, water and energy automation) where the operational consequences of a disruption are not a data breach; they are a public safety event.

This creates a specific problem for most ZTNA architectures that CISOs evaluating their OT exposure need to understand clearly. Cloud-brokered ZTNA solutions operate through a cloud intermediary: traffic is routed through a central proxy for inspection and policy enforcement. In an IT environment with reliable connectivity, that architecture works. In an OT environment (an air-gapped facility, a remote utility substation, a military tactical edge deployment where connectivity is intermittent or deliberately severed), a cloud-dependent enforcement model fails operationally the moment the control plane loses connectivity.

Invisinet's control plane is distributed and publish-subscribe. Every enforcement node (InvisiGate, InvisiPoint) operates independently. Policy synchronization is decentralized, and enforcement continues during controller isolation. When the WAN link goes down, or when an OT facility operates in a deliberately air-gapped posture, FPA enforcement continues without interruption. There is no cloud broker to fail, no centralized controller whose availability determines whether your segmentation policy holds.

For CISOs responsible for critical infrastructure OT, this is not a performance consideration. It is a survivability one. An adversary capable of severing network connectivity as a precursor to an attack (exactly the kind of operation Volt Typhoon is positioned to execute) needs enforcement that continues to function after that disruption.

FIPS 140-3 validation (Certificate #5273, Active, May 2026) satisfies the cryptographic requirements for FedRAMP, CMMC Level 2 and 3, and DoD ATO reviews. That validation is not a checkbox. It is the documented basis for including FPA in a regulatory-compliant Zero Trust architecture without requiring a separate cryptographic assessment.

What the Regulatory Landscape Is Telling You

CISA, NIST, and DoD have all arrived at the same architectural conclusion, and the directives they've issued reflect it.

NIST SP 800-207 mandates explicit verification at every resource access, least-privilege access enforcement, and microsegmentation, not perimeter-based network trust. FPA enforces all three at the transport layer, before sessions exist, with no changes to underlying network infrastructure.

CISA's AA24-038A advisory is specific: eliminate implicit trust of edge devices, reduce lateral movement paths, and treat valid credentials as insufficient for resource access without additional session-level verification. That is a precise description of what FPA enforces.

CISA BOD 23-02 and NSM-22 mandate Zero Trust adoption for critical infrastructure at the federal level. Both directives require transport-layer enforcement that extends to OT environments, a requirement that rules out cloud-brokered ZTNA architectures for a substantial portion of covered infrastructure.

The DoD Zero Trust Reference Architecture v2.0 maps the Network & Environment pillar (cloaking, microsegmentation, lateral movement restriction) to the Software Defined Perimeter pattern. FPA is a direct implementation of that pattern, enforcing conditional authorization at the TCP transport layer before session establishment.

These frameworks are not aspirational. They are the standards against which your architecture will be assessed, and the gaps Volt Typhoon exploits are the exact gaps they're designed to close.

Where to Start

CISOs assessing their Volt Typhoon exposure should focus on three questions before anything else. First: at what point in a network interaction does your current Zero Trust architecture apply enforcement, and does that enforcement occur before or after a TCP session is established? Second: does your enforcement model continue to function when your cloud-dependent control plane loses connectivity? Third: if valid credentials are stolen, can an adversary still establish a session to a protected resource, or does reaching one require something the credential alone cannot provide?

If the honest answer to the first question is "after connection establishment," you have reconnaissance and initial access exposure that your current architecture does not close. If the answer to the second is "no," your OT and edge environments have an operational survivability gap that Volt Typhoon is specifically designed to exploit. If the answer to the third is "yes," you have the exact gap Volt Typhoon's primary access technique is built to exploit.

The practical path forward is a phased deployment of FPA in the segments your threat model identifies as highest-value targets: the OT environments, the network segments adjacent to IT/OT convergence points, the internal segments where lateral movement from a compromised edge device would create the most damage. InvisiGate and InvisiPoint deploy as transport-layer overlays with no changes to existing network infrastructure. SIEM integration through the Invisinet Messaging Framework is available from day one, so enforcement visibility feeds into whatever downstream analytics platform you already run.

The actor is patient. They've demonstrated that clearly. The right response is not to build a faster detection capability: it's to build an architecture where detection is required for less because the connection never happened in the first place.

Brendan Sullivan is the CEO of Invisinet Technologies.  To learn more about how Invisinet's FIPS 140-3 validated (Certificate #5273) First Packet Authentication™ and Software Defined Perimeter platform can protect critical infrastructure, visit invisinet.com or request a demo.

Table of contents
sign up for newsletter
Receive updates on Invisinet’s solutions and security insights.