
Chapter 57 — Threat Surface

Yuki's conversation with the Monitor's security consultant ran two hours and twenty minutes, and when it was over she came to Marcus's desk with her notebook open and the expression she wore when she had assessed a situation and found it simultaneously better and worse than it could have been.

She sat across from him. Yuki usually reported standing, as if she might need to move again immediately after delivering information. The sitting meant she had enough to cover that it required settling in.

"Better than I feared in some ways," she said. "Worse in others."

"Full picture," he said.

"The Monitor has implemented reasonable baseline security. End-to-end encrypted communications for editorial material — better than most organizations their size. Hardened web infrastructure against standard intrusion attempts. Phishing training with staff three times in the past two years, and their managing editor has good instinctive operational security hygiene. Their security consultant is competent and has been thorough within the scope of the threat model he was given." She paused. "The scope is the problem. He's been defending against harassment campaigns, doxxing, legal pressure tactics, and basic web intrusion — the standard newsroom threat profile from the past decade. He has not been defending against supply chain attacks on third-party dependencies, coordinated misinformation campaigns targeting the publication's credibility with external validators, or legally structured delay tactics designed to hold up publication long enough for a specific external event — the procurement decision — to occur first."

"What are the specific gaps you found?"

"Three in their technical infrastructure that a sophisticated actor could exploit to introduce modifications to published content without triggering their current monitoring. Not deletion — modification. Subtle changes in a complex data visualization that would be difficult for a general reader to detect but that would undermine specific evidentiary claims in ways that sophisticated parties would understand and could later cite." She looked at her notebook. "The highest-risk surface is the network visualization — it's rendered client-side, JavaScript served from their CDN. If that JavaScript is modified at the CDN layer, they won't see it in their own infrastructure monitoring because the modification doesn't touch their origin servers."

"What did you recommend?"

"Three options. Simplest: serve the visualization as a static image instead of an interactive component. Eliminates the CDN attack surface entirely but loses the reader utility of the interactive layers." She turned a page. "Middle: implement cryptographic integrity checking on the CDN-served JavaScript — a hash verification that alerts if the served code doesn't match the origin. Preserves interactivity, adds a monitoring layer. Most complete: move the visualization to a separate subdomain with independent infrastructure and its own CDN relationship, isolated from the main publication's attack surface."

"What did Osei choose?"

"Middle option plus elements of the third. He wants the integrity checking and the subdomain isolation, and he wants to keep the interactive format. He made the decision in about four minutes." She looked up. "He'd been thinking about this category of threat already. He just hadn't had a current enough threat model to act on."

"The twelve-page document," Marcus said. "Did he accept all of it?"

"All of it. He read the document during the meeting — all twelve pages — and asked six questions. Each one was the right question." She flipped back a page. "He asked about the parallel publication strategy: whether the alternative publication venues we listed were pre-arranged or would require real-time negotiation if the main infrastructure were compromised. He asked about the legal defense organizations: whether they had capacity to respond within hours or only within days. He asked about the congressional briefing timing and whether the ten-day minimum was hard or approximate." She paused. "He's good. He runs a small organization with limited resources and he's made consistently smart decisions about where to spend those resources. He needed the threat model to be current, not a better consultant."

"The security consultant himself," Marcus said. "How did he respond to the gaps you identified?"

"Without defensiveness, which is the best possible response. He understood immediately that the threat model had been incomplete and he asked good follow-up questions about each specific attack vector — not to dispute the finding, to understand it well enough to address it." She paused. "We're going to implement the CDN integrity checking together. He has the Monitor's infrastructure access, I have the technical approach. We've already scheduled two working sessions." Another pause. "He said something worth noting."

"What did he say?"

"He said: most of my clients don't send someone like you to a pre-publication security review. Most of my clients send me an email asking if we're okay, I tell them yes, and they feel better. He looked at me and said: the fact that they sent you means they know what we're actually dealing with. And then he asked whether there was something specific about the actors in this story that I wasn't telling him."

"What did you tell him?"

"I told him I had professional knowledge of a threat actor category that had previously used technical methods in response to similar exposures, and that the structural characteristics of the capital network described in this story were consistent with that category. I didn't name actors or operations. That would have been beyond what the NDA permits and also beyond what he needed to do his job." She looked at Marcus. "He accepted that. He's been doing this long enough to know that partial information from a reliable source is more useful than complete information from an unreliable one."

"Timeline on the subdomain migration," Marcus said.

"Fourteen days before publication, he estimated. They need twelve to implement and two to test. That's tight." She looked at her notebook. "I offered to spend two days working with their infrastructure team directly rather than advising remotely. The technical work isn't complex — it's unfamiliar for their team. If I'm alongside them rather than consulting asynchronously, the implementation is faster and the testing is more reliable."

"Do it," Marcus said. "Clear your schedule with Priya."

"Already cleared," she said. "I anticipated you'd say yes."

He looked at her. He thought about the twelve-page threat model document, the dependency audit, the shadow validation architecture, the integrity monitoring layer inside the Depth project, the supply chain attack preparation. He thought about a twenty-three-year-old who had looked at a security arrangement for an investigative newsroom and produced, in two hours of conversation and one night of writing, a twelve-page actionable threat assessment that the newsroom's own security consultant called out as exactly right.

"Yuki," he said.

She looked up from her notebook.

"The security function," he said. "The three new people beneath you — I want you thinking about the organizational architecture. Not just the hires. What the function looks like in two years, when the company is three times this size and the threat surface has scaled proportionally."

She was still for a moment in the way she was still when she was processing at speed.

"I've been thinking about it for six weeks," she said. "I have a document."

"Of course you do," he said. "Send it to me."

"It's in your inbox," she said. "I sent it four days ago. Subject line is 'Security Function Architecture — For When You're Ready.' I assumed you'd get to it when you had time and you'd ask about it when you wanted to discuss it."

He checked. It was there, timestamped four days ago. He looked at the timestamp, looked at Yuki, and thought about the specific pleasure of having hired someone who sent the document before they were asked and then waited, without impatience, for the conversation to catch up to the document they had already written.

"I'll read it tonight," he said.

"The third section is the one you'll have questions about," she said. "The rest is fairly obvious given the current threat picture. The third section is about something we haven't built yet."

"What is it?"

"Offensive capability," she said. "Not aggressive — defensive offensive. The capacity to understand our adversaries' technical infrastructure well enough to anticipate their moves before they execute them, rather than responding to moves they've already made." She looked at him steadily. "We've been reactive to this point. The shadow validation layer was reactive — we built it because we knew the attack was coming. I want to think about how to be earlier than that."

Marcus looked at her for a moment. "Read it tonight," she said again, and went back to her work.

He read it that evening. The third section was, as she had said, about something they hadn't built yet. It was also, he thought, exactly right.

He thought about the progression from reactive to anticipatory — the same progression the System had been pushing him toward in the architecture domain. Build before the need arrives. Anticipate the attack surface before the attack. See the structure before the consequences arrive.

He thought: the security function should think like the analytical function. Not about what has happened, but about what the system will do next.

He sent Yuki a message at 11 PM: *Section three is right. Let's talk Monday.*

She replied in thirty seconds: *Monday works.*
