Adriel T. Desautels, Founder & CEO of Netragard, Red Team pioneer with 20+ years.

During World War II, France discovered the difference between defending against the last war and defending against the next one. The Maginot Line was the best-in-class defense of its era: roughly 280 miles of fortifications, gun emplacements and underground tunnels along the French border with Germany. The right experts had been consulted. The right doctrine had been applied. The defense looked impressive.

The Wehrmacht walked around it. German armored divisions advanced through the Ardennes Forest, terrain that French military planners had deemed impassable to tanks. The main attack avoided the Maginot Line entirely. Within six weeks, France had signed an armistice. The line had not failed in any of its parts. Its individual fortifications performed as designed. It failed because the attacker behaved differently than expected.

Almost all enterprise cybersecurity spending makes the same mistake today.

Cybersecurity Is Repeating The Maginot Line Mistake

A typical enterprise security stack looks impressive in the same way the Maginot Line did. It usually includes:

• Endpoint detection and response
• Security information and event management
• Web application firewalls
• Cloud security posture management
• Identity and access management
• Several other category-leading products purchased on the recommendation of analysts, peers and salespeople

Each one passes its individual evaluation. Each one is deployed.

They were all chosen against an assumed adversary, not a specific one. They're defenses built from generic best practices and from what vendors have marketed as the right thing to buy. The result is a defense that will protect you from auditors. Against a real attacker, it fails for the same reason France's defenses failed: the attacker does something the defense wasn't designed to anticipate.

How Most Breaches Actually Happen

Industry breach reports from IBM, Verizon and Mandiant are remarkably consistent. The categories that produce most successful intrusions are:

• Stolen and compromised credentials
• Phishing and social engineering
• Vulnerable and unpatched applications
• Misconfigurations
• Supply chain compromise

Most environments are entered through a credential, not through an exploit. The Change Healthcare ransomware incident in 2024, which produced nearly $3 billion in disclosed costs and exposed records belonging to roughly 190 million individuals, began with stolen Citrix credentials and a portal that didn't require multifactor authentication.

Notice what's not on the list: novel zero-day vulnerabilities discovered in your specific software, custom malware designed for your environment, direct technical assault on your perimeter. Those happen, but they're a small share. The overwhelming majority of intrusions come from categories that generic best-practice spending doesn't typically address, or even take into account.

Where Cybersecurity Spending Breaks Down

Four patterns recur across organizations that spend heavily and still get breached:

1. Too Many Tools Without Enough Coverage Of The Seams: Attackers don't operate inside product categories; they move through the gaps between them.
2. Detection Without Containment: Alerts are produced, but action isn't taken.
3. Controls Never Validated Against A Realistic Adversary: Products are purchased, deployed and tested only against industry standards, not against a realistic threat.
4. Vulnerability Assessments Marketed As Penetration Testing: These produce an inventory of vulnerabilities, but not the contextualized threat intelligence required to build effective defenses.

What Actually Stops Cybersecurity Attacks

The pattern across organizations that handle real attacks well is that specific intelligence about the threats they actually face informs their defensive decisions.

Contextualized threat intelligence is the term for this. It's the difference between knowing ransomware exists and knowing which ransomware affiliates target organizations in your industry, what initial access they use and where your environment intersects with their preferred tactics, techniques and procedures (TTPs). It's the difference between knowing your network has vulnerabilities and knowing which specific vulnerabilities in your specific environment give an attacker a path to the assets that matter to them and to your business.

The French built their fortifications on generic intelligence, the kind that had been accurate in 1916 and was wrong in 1940. Contextualized intelligence produces a threat-informed defense, one built against the actual current paths an attacker can take through your specific infrastructure to cause damage and reach their objectives.

Where Companies Should Be Focusing In The Age Of AI Cyberattacks

AI-assisted offensive tooling has accelerated the fundamentals. The right starting point is preparing your organization to extract real value from realistic-threat penetration testing.

Preparation is organizational. Before testing begins, executives, security leadership, application owners, infrastructure leads, legal and incident response must align on scope and rules of engagement. Review your authorization, change management and credential life cycle policies so the test stresses the real environment, not the documented one.

When the report arrives, the response can't sit inside the security team alone. The executive sponsor owns risk decisions, engineering owns fixes, legal owns regulatory implications and incident response owns detection improvements. A structured plan with named owners and validation criteria turns the report into a tool for establishing functional threat-informed defenses.

While breach prevention is an impossible goal, damage prevention is entirely attainable when the right people leverage contextualized threat intelligence.

Questions Your Leaders Should Be Asking

Three questions separate informed defense from generic spending:

• When was the last time someone tried to attack our environment using realistic techniques, and what did they find?
• If our most valuable assets were the target of a determined attacker, what path would they take, and where would the chain break?
• Are our defenses built around real intelligence about how specific threats will align with opportunities in our organization, or around generic recommendations, industry best practices and compliance penetration testing reports?

The Maginot Line failed because it answered the wrong question with great precision. The threat that arrived behaved differently. Most enterprise security stacks have the same architecture. Spending more on the same generic categories doesn't change the outcome. Spending on intelligence-informed defense does.