Skip to main content
Whitepapers & Guides

Scattered Spider: Arrests, Tradecraft, and the Compliance Response

A review of the Scattered Spider arrests and the identity-driven tradecraft behind them - help-desk social engineering, SIM swapping, and MFA fatigue - plus the controls needed to defend against it.

Threat Report

Scattered Spider (also tracked as UNC3944 and Octo Tempest) has become one of the most disruptive intrusion sets targeting Western enterprises. The recent arrests pulled back the curtain on how the group operates: not with novel malware, but with fluent English-language social engineering aimed squarely at help desks and identity providers.

This report breaks down the techniques behind the headlines and translates them into a defensive checklist. The through-line is identity: nearly every step in the Scattered Spider playbook abuses trust in your authentication and account-recovery workflows rather than a software vulnerability.

We map each technique to the compliance and identity controls that actually blunt it, so you can prioritize the changes that reduce real-world risk instead of chasing headlines.

What's inside

  • A timeline of the arrests and what they revealed about the group structure
  • The core tradecraft: help-desk social engineering, SIM swapping, MFA fatigue, and identity-driven lateral movement
  • Why traditional MFA is not enough - and where phishing-resistant authentication changes the math
  • Help-desk and account-recovery hardening steps that break the intrusion chain
  • A control mapping you can bring to your next compliance or risk review
Who it's for: CISOs, identity and IAM teams, help-desk managers, and compliance leads.

Download the Threat Report

PDF - free access

Free instant access - enter your details to download

No spam. We respect your privacy.

Put the Guides Into Practice

Our whitepapers give you the framework. Our team gives you the implementation. Schedule a consultation to discuss your specific environment.