AIPodify

Darknet Diaries

Default to Deny: Why Network Security Is Shifting to "Zero Trust" Ep. 167 ThreatLocker

Guest: Danny Jenkins · December 23, 2025

Episode Summary

AI-generated · Mar 2026

AI-generated summary — may contain inaccuracies. Not a substitute for the full episode or professional advice.

Jack Rhysider opens by highlighting ThreatLocker, then introduces an anonymous IT operations head of a 1,000-employee manufacturing company across 17 sites in the UK and Europe. This guest recounts the “worst day of his life” (06:10) five years prior when his company was hit by the Kanti ransomware gang. In just fifteen minutes, the attack encrypted all 250 Windows servers and 350 endpoints (04:05, 05:09), forcing the guest to cut short his family holiday and leading to a chaotic, three-week business shutdown for a complete network rebuild. This devastating incident underscores the catastrophic impact of ransomware and the challenge of recovery.

The guest details the immense pressure of the recovery, including manually rebuilding devices after their imaging service was lost and implementing a “red, amber, green” protocol for checking machines (08:13, 09:15). Despite team conflicts, leadership made the crucial decision to take three weeks to rebuild the network properly, rather than a quicker five-day restore, prioritizing long-term security (10:55, 11:25). After finding traditional antivirus like Malwarebytes insufficient (13:33), they discovered ThreatLocker, a solution that stops everything from running unless explicitly allowed, marking a pivotal shift in their security strategy (14:36).

Hunter Clark, a cybersecurity engineer at Ark Technology Consultants, further illustrates the power of this “deny by default” philosophy with a hospital client’s incident. Even though the hospital declined multi-factor authentication due to budget and user complaints (21:03), ThreatLocker successfully blocked a threat actor who gained full domain admin rights via compromised VPN credentials bought on the dark web (22:53, 23:26). While the attacker pivoted to an unprotected, connected hospital system and deployed malware there (24:55), ThreatLocker prevented damage at Hunter’s client, significantly reducing the eventual ransom negotiation by demonstrating what data remained secure (25:57).

Danny Jenkins, CEO and co-founder of ThreatLocker, explains his company's mission to shift the security paradigm from “default allow” to “default deny” (36:56). He argues that traditional antivirus relies on detecting known threats, whereas zero-trust application control blocks all unapproved software, regardless of intent, making it highly effective against ransomware and unknown malware (38:52, 39:32). Jenkins shares that his inspiration for ThreatLocker came from a devastating 2014 ransomware recovery where the victim’s IT team dismissed application control as unviable (28:06, 29:50). He confidently states that among 70,000 companies using ThreatLocker, he has “never had a customer with a ransomware case that wasn’t ignoring obvious signs” (43:53, 44:37).

Listeners will gain a profound understanding of the real-world devastation caused by ransomware and learn how a proactive “deny by default” security posture, implemented through solutions like ThreatLocker, can prevent catastrophic outages, protect critical infrastructure, and strengthen defenses against sophisticated attackers and internal vulnerabilities.

👤 Who Should Listen

  • IT directors and CIOs in manufacturing or multi-site organizations
  • Cybersecurity professionals and engineers
  • Small to large business owners concerned about ransomware and data breaches
  • Anyone interested in the practical application of Zero Trust principles
  • Executives making budget decisions for IT security
  • Professionals involved in incident response planning and recovery

🔑 Key Takeaways

  1. Ransomware attacks can be devastating, exemplified by a manufacturing company’s entire network of 250 servers and 350 endpoints being encrypted in 15 minutes by the Kanti gang, leading to a three-week business shutdown (04:05, 05:09, 10:23, 11:25).
  2. Traditional antivirus and EDR solutions may not be sufficient to stop sophisticated ransomware, as one company found the Malwarebytes enterprise platform “wasn’t really doing the job that we’d hoped” (13:33).
  3. The “deny by default” or “Zero Trust” security model, implemented by ThreatLocker, blocks all applications from running unless explicitly approved, acting like a firewall for applications rather than a router (15:02, 36:56).
  4. Zero Trust is not about saying “no” but granting the least privilege necessary for job functions, contrasting with “detection and response” models that only block detected anomalies (35:54).
  5. Layered security (defense in depth) is crucial; ThreatLocker successfully stopped a ransomware attack at a hospital even after a threat actor gained full domain admin access via compromised VPN credentials because MFA was not implemented (21:03, 22:53, 23:26).
  6. The effectiveness of ThreatLocker is supported by Danny Jenkins’ claim that among 70,000 companies using the product, there has never been a ransomware case where policies were correctly followed, emphasizing its preventative power (43:53, 44:37).
  7. Implementing “deny by default” can significantly reduce IT management overhead, as seen in a school where malware went from daily occurrences to never, reducing IT time from full-time to “a couple of hours a month” (32:16, 33:19).

💡 Key Concepts Explained

Zero Trust

A security model that verifies everything by default, granting the least amount of privileges necessary for users and applications to perform their job functions, rather than implicitly trusting entities within the network perimeter (35:24, 35:54). This episode presents it as a paradigm shift from traditional “castle-and-moat” security, offering superior protection against internal threats and sophisticated attacks by making trust explicit and continually validated.

Deny by Default

An approach within Zero Trust where all applications and actions are blocked unless explicitly allowed by an authorized administrator (15:02, 36:56). Danny Jenkins highlights its importance as a fundamental change in security philosophy, making it effective against unknown malware and ransomware by preventing unauthorized execution rather than just detecting known threats, effectively turning application execution into a firewall-like function.
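To make the “default allow” versus “default deny” distinction concrete, here is an added illustration (written for this summary, not ThreatLocker’s code or any product logic): a tiny application-control policy evaluated against constructed execution events. The blocklist model only stops binaries whose hash is already in a signature set, so a freshly compiled ransomware binary sails through; the deny-by-default model allows only hashes an administrator has approved and blocks everything else, with a user-initiated launch of an unknown program parked as a pending request until it is approved. All binary contents, hashes and paths are made up for the example, and the “request” workflow is an assumption about how such a policy might be modelled.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hash of a (constructed) binary's contents; real tools key on file hashes too."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecEvent:
    """One attempt to start a program on an endpoint (constructed sample data)."""
    user: str
    path: str
    sha256: str
    user_initiated: bool  # True when a person launched it, False for scripted/remote launches


# Constructed sample binaries; the byte strings are placeholders, not real file contents.
WINWORD = sha256_hex(b"constructed: winword.exe build 1")
EXCEL = sha256_hex(b"constructed: excel.exe build 1")
OLD_RANSOMWARE = sha256_hex(b"constructed: ransomware already in AV signatures")
NEW_RANSOMWARE = sha256_hex(b"constructed: freshly built ransomware, no signature yet")
INSTALLER = sha256_hex(b"constructed: vendor installer the user downloaded")

# Blocklist ("default allow") model: the only thing it knows is a set of known-bad hashes.
KNOWN_BAD_SIGNATURES = {OLD_RANSOMWARE}


def blocklist_decide(ev: ExecEvent) -> str:
    """Default allow: run it unless a signature says it is bad."""
    return "blocked" if ev.sha256 in KNOWN_BAD_SIGNATURES else "allowed"


class DefaultDenyPolicy:
    """Default deny: run it only if an administrator approved this exact hash."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)
        self.pending = []  # user requests awaiting an admin decision (hypothetical workflow)

    def decide(self, ev: ExecEvent) -> str:
        if ev.sha256 in self.approved:
            return "allowed"
        if ev.user_initiated:
            # The user tried to open it: block now, record a request for the admin.
            self.pending.append(ev)
            return "blocked-pending-request"
        # Nobody asked for this to run (scripted or remote launch): block silently.
        return "blocked"

    def approve(self, sha256: str) -> None:
        """Admin approves a hash; matching pending requests are cleared."""
        self.approved.add(sha256)
        self.pending = [e for e in self.pending if e.sha256 != sha256]


# Constructed execution events for one afternoon on an endpoint.
EVENTS = [
    ExecEvent("alice", r"C:\Program Files\Office\winword.exe", WINWORD, True),
    ExecEvent("alice", r"C:\Users\alice\Downloads\setup.exe", INSTALLER, True),
    ExecEvent("SYSTEM", r"C:\Windows\Temp\svc.exe", OLD_RANSOMWARE, False),
    ExecEvent("SYSTEM", r"C:\Windows\Temp\update.exe", NEW_RANSOMWARE, False),
]


def compare_models(events, policy: DefaultDenyPolicy):
    """Return (path, blocklist decision, default-deny decision) per event."""
    return [(ev.path, blocklist_decide(ev), policy.decide(ev)) for ev in events]


def summarize(results):
    """Count how many events each model let run."""
    return {
        "blocklist_allowed": sum(1 for _, b, _ in results if b == "allowed"),
        "default_deny_allowed": sum(1 for _, _, d in results if d == "allowed"),
    }


if __name__ == "__main__":
    policy = DefaultDenyPolicy([WINWORD, EXCEL])
    for path, b, d in compare_models(EVENTS, policy):
        print(f"{path:45} blocklist={b:8} default-deny={d}")
    print(summarize(compare_models(EVENTS, DefaultDenyPolicy([WINWORD, EXCEL]))))
```

The point the table of decisions makes is the one Jenkins makes in the episode: the unknown binary is stopped not because anyone recognised it as malicious, but because nobody ever approved it. The price is the pending-request queue, which is the administrative overhead a deny-by-default rollout has to budget for.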

⚡ Actionable Takeaways

  • Evaluate your current security posture to determine if it operates on a “default allow” or “default deny” principle for applications, aiming to shift towards deny-by-default for stronger protection (15:02, 36:56).
  • Implement multi-factor authentication (MFA) on all internet-facing portals and computers, especially VPNs, to prevent initial access even if credentials are compromised (21:03, 23:26, 41:36).
  • Establish clear protocols and playbooks for ransomware incidents, including immediate network shutdown, communication plans, and a structured recovery process like the “red, amber, green” system (03:36, 04:05, 08:13).
  • Consider application control or whitelisting solutions like ThreatLocker to block unapproved software, even if it’s new or unknown malware, thereby preventing its execution (13:33, 14:36, 39:32).
  • Communicate the severity of cyber threats, like ransomware, to users and leadership to gain buy-in for stricter security measures, emphasizing potential business outages (17:41, 18:03).
  • Implement IP restrictions on critical services like Microsoft Office tenants to ensure access only from known, trusted network locations (41:36).
  • Prioritize layered security, understanding that people will make mistakes and detection systems can fail, making strong controls the last line of defense (39:53, 41:00).

⏱ Timeline Breakdown

00:46 An anonymous guest introduces himself as a group head of IT operations for a 1,000-employee manufacturing company across 17 sites.
02:18 The guest recounts receiving a phone call about a ransomware attack (later identified as Kanti) while on holiday five years ago.
04:05 The guest describes the immediate chaos, including the decision to turn everything off, and the rapid spread of the ransomware.
05:09 Within 15 minutes, the ransomware encrypted all 250 Windows servers and 350 endpoints, bringing the business to a halt.
07:22 The guest explains the challenge of restoring from backup when the threat actor might still be present in the environment.
08:13 Details of the recovery process, including rebuilding machines with a “red, amber, green” protocol and losing the imaging service.
10:55 The guest talks about leadership deciding to take three weeks to rebuild the network properly, rather than a quick five-day restore.
12:29 The deliberate, phased return of services, like shutting off Wi-Fi until the very end of the three-week recovery, is explained.
13:33 After the incident, the company tried Malwarebytes but found it insufficient, leading them to search for application control solutions.
14:36 The guest describes discovering ThreatLocker and its “amazing” ability to stop everything from running unless explicitly allowed.
15:02 Jack explains the “deny by default” concept using the analogy of a firewall (deny by default) versus a router (permit by default).
17:41 The guest addresses user complaints about ThreatLocker, using the past ransomware incident to justify strict controls.
18:43 The guest confirms no major security incidents since implementing ThreatLocker.
19:50 Hunter Clark, a cybersecurity engineer, introduces himself and his focus on endpoint security and zero-trust principles.
20:46 Hunter describes implementing ThreatLocker at a hospital client, which initially declined multi-factor authentication (MFA).
21:50 An incident occurred where an EDR/MDR solution detected an intruder, and ThreatLocker successfully blocked tools like AnyDesk and rclone.
22:53 The attacker gained initial access via compromised domain admin credentials bought on the dark web, remoting in through the VPN.
24:55 The threat actor pivoted through an internal VPN connection to an unprotected connected hospital system and deployed malware there.
25:57 The hospital ended up paying the ransom, but ThreatLocker’s logs helped negotiate a lower amount by showing what was not compromised.
26:47 Danny Jenkins, CEO and co-founder of ThreatLocker, introduces himself and his mission to educate the world on “deny by default.”
27:14 Danny recounts his experience with a devastating ransomware recovery in Australia in 2014, which inspired ThreatLocker.
29:50 Danny decided to build ThreatLocker to make application control viable, aiming for 90% market adoption of zero-trust.
32:16 Danny shares the first external network ThreatLocker was installed on: his kids’ school, which went from daily malware to none.
33:30 Danny addresses the perception that “deny all apps by default” is a radical idea, explaining it’s less radical after an attack.
35:24 Jack explains the shift from “castle-and-moat” security to the modern “zero-trust” model of verifying everything.
36:56 Danny reiterates ThreatLocker’s mission to change the world’s security thinking from “default allow” to “default deny.”
37:40 Danny explains why “deny by default” is critical, referencing historical viruses and the current threat landscape.
39:53 Danny outlines three methods to stop security attacks: people, detection, and controls, emphasizing the importance of controls.
43:43 Danny provides statistics on ThreatLocker’s effectiveness, stating that among 70,000 companies, none following policies have been successfully hit by ransomware.
45:32 Danny discusses ThreatLocker’s hiring philosophy, emphasizing the challenging but rewarding nature of supporting critical systems.

💬 Notable Quotes

“I say that to everybody I talk to about it, which I don’t actually like talking about it, ‘cause taking myself back to that day, that sinking feeling in your stomach, it is absolutely the worst, stressful — the most stressful situation I’ve been through in my career, hands down.”
“The problem with that is you don’t know whether they’re in the backups. You don’t know whether they were already in the — in your environment and they were just waiting for the right time to push the button, which we already believe they were.”
“What ThreatLocker does is it says, okay, let’s start by blocking every app from opening and running, but if you the user wants to open something, just ask and we’ll let you open it. We just want to block apps that you didn’t try to open or apps that you don’t actually need.”
“My mission is to make sure people understand why this is so important and then also educate them how it can be done.”
