The troubling aspect is (besides the denials of course) is the absence of controls that should have sniffed this out ASAP. Apparently: - no passive network monitors showing an unknown IP/Mac/Location - no SOAR to kill off the attempts to gain a foothold/move laterally - no alerts on above or anything else in the SOC