Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Enterprise security stacks have gotten considerably more sophisticated over the last decade. Endpoint detection. Behavioral analytics. Zero trust architecture. Cloud-native tooling. The layers are deeper than they were five years ago.
Most of it starts at the operating system. Below that – in firmware, in the boot process, in hardware supply chain integrity – coverage is a lot thinner.
Investors don’t put $25 million into a problem category unless enterprise buyers are starting to pay for solutions. Eclypsium’s platform focuses on firmware and device supply chain security: can you verify that a server’s firmware hasn’t been tampered with? Can you detect if a device was compromised before it arrived? Can you monitor for anomalous firmware behavior across a fleet?
These questions sound abstract until you encounter the threat actors who’ve already answered the attacker version of them. Nation-state groups have demonstrated persistent access through compromised network device firmware. Attackers have gone after management interfaces rather than the OS above them. Supply chain operations have embedded malicious code before devices shipped.
The funding reflects organizations finally starting to ask those questions themselves.
Standard incident response – reimaging a drive, reinstalling the OS, reverting a cloud instance – doesn’t touch firmware. A sophisticated attacker who achieves firmware persistence can survive most conventional response actions. The only reliable remediation is verifying and reflashing the firmware, which most organizations don’t have tooling or process for.
The Trivy scanner compromise this week adds relevant context. If the security tools running in your build pipeline can be compromised, so can the firmware on the devices running your infrastructure. The logic scales downward.
SANS ISC researchers documented ongoing telnet brute-force scanning by a campaign called “Iranbot,” targeting IoT and embedded devices. Telnet. Default credentials. Devices that haven’t been updated since someone plugged them in and forgot about them.
This is the low end of the firmware problem. It’s not sophisticated. It doesn’t need to be. Those compromised devices become botnet nodes, scanning engines, and attack infrastructure. The 3 million IoT devices in this week’s DDoS botnet takedown came from somewhere.
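The brute-force pattern described above is cheap to detect on the device or at the log collector if the telnet daemon logs authentication results at all. The following is an added example, not code from the post or from SANS ISC: it runs a windowed failure-count rule over constructed syslog-style lines (RFC 5737 documentation addresses, a made-up telnetd message shape), flags sources that cross the threshold, and escalates any source that is then accepted. The log format, field names and thresholds are assumptions; real BusyBox or vendor telnetd output differs, so the regex is the part to adapt.

```python
"""Flag telnet brute-force sources in embedded-device auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the message format is an assumption, not a real daemon's.
SAMPLE_LOG = """\
Mar 04 10:00:01 cam-07 telnetd[311]: login failed for 'admin' from 203.0.113.5
Mar 04 10:00:02 cam-07 telnetd[311]: login failed for 'root' from 203.0.113.5
Mar 04 10:00:02 cam-07 telnetd[311]: login failed for 'admin' from 203.0.113.5
Mar 04 10:00:03 cam-07 telnetd[311]: login failed for 'admin' from 203.0.113.5
Mar 04 10:00:04 cam-07 telnetd[311]: login failed for 'root' from 203.0.113.5
Mar 04 10:00:05 cam-07 telnetd[311]: login succeeded for 'admin' from 203.0.113.5
Mar 04 10:00:09 cam-07 telnetd[311]: login failed for 'user' from 198.51.100.9
Mar 04 10:02:00 cam-07 telnetd[311]: login succeeded for 'ops' from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse(log_text, year=2025):
    """Yield (timestamp, host, result, user, src) for each line the regex recognises.

    Syslog lines carry no year, so one is supplied (assumption: all lines are from `year`).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unparsed line; ignored, not an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: finding} for sources with >= `threshold` failures inside `window`.

    A success from a source that already crossed the threshold is escalated to
    'likely_compromise': the device accepted a credential right after a guessing burst.
    """
    events = sorted(parse(log_text), key=lambda e: e[0])
    recent = defaultdict(list)    # src -> failure timestamps still inside the window
    attempted = defaultdict(set)  # src -> usernames tried (shared set, keeps growing)
    findings = {}
    for ts, host, result, user, src in events:
        if result == "failed":
            attempted[src].add(user)
            recent[src] = [t for t in recent[src] if t >= ts - window] + [ts]
            if len(recent[src]) >= threshold and src not in findings:
                findings[src] = {
                    "host": host,
                    "severity": "bruteforce",
                    "first_seen": ts,
                    "users": attempted[src],
                }
        elif result == "succeeded" and src in findings:
            findings[src]["severity"] = "likely_compromise"
            findings[src]["success_as"] = user
    return findings


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src} -> {f['severity']} on {f['host']} "
              f"(users tried: {sorted(f['users'])}, first seen {f['first_seen']:%H:%M:%S})")
```

The single failure from 198.51.100.9 and the clean login from 192.0.2.44 produce nothing; only 203.0.113.5 is reported, and it is escalated because the device accepted a login one second after the fifth failure. On a fleet that still speaks telnet with factory credentials, that escalation is the finding worth paging on.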
You don’t need to immediately overhaul procurement and add firmware scanning to every device. Start by making the question visible: where are we trusting devices we’ve never verified? Work from the most exposed and most critical systems. Factor firmware and hardware integrity into procurement criteria now, before a regulatory requirement forces it on a deadline.
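Making the question visible, and ordering the work by exposure and criticality, can start as a spreadsheet-sized exercise. The following is an added example, not Eclypsium's product or anything from the post: it takes a constructed fleet inventory, compares each device's captured firmware image hash against a constructed known-good manifest (standing in for vendor-published hashes or a baseline you measured yourself), and ranks devices so that hash mismatches come first, then devices that have a baseline but were never captured, then devices for which no baseline exists at all. Device names, models, versions, the 0-3 exposure and criticality scales and the scoring weights are all assumptions.

```python
"""Triage a device fleet for unverified or mismatched firmware (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    name: str
    model: str
    fw_version: str
    fw_sha256: Optional[str]   # sha256 of the dumped firmware image; None = never captured
    exposure: int              # constructed scale: 0 = internal only .. 3 = internet-facing
    criticality: int           # constructed scale: 0 = lab .. 3 = production core


def image_sha256(path, chunk=1 << 20):
    """Hash a dumped firmware image file in chunks (images can be hundreds of MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _placeholder_hash(label):
    """Constructed stand-in for a real image hash; hashes a label string instead of an image."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed known-good manifest: (model, version) -> sha256 of the vendor image.
KNOWN_GOOD = {
    ("edge-router-x", "4.2.1"): _placeholder_hash("edge-router-x 4.2.1 vendor image"),
    ("bmc-gen3", "2.07"): _placeholder_hash("bmc-gen3 2.07 vendor image"),
}

# Constructed inventory. Hypothetical device names; one router's image differs from vendor.
FLEET = [
    Device("rtr-dmz-01", "edge-router-x", "4.2.1", KNOWN_GOOD[("edge-router-x", "4.2.1")], 3, 3),
    Device("rtr-dmz-02", "edge-router-x", "4.2.1", _placeholder_hash("not the vendor image"), 3, 3),
    Device("srv-db-bmc-01", "bmc-gen3", "2.07", None, 1, 3),
    Device("srv-lab-bmc-09", "bmc-gen3", "1.90", None, 0, 0),
    Device("cam-lobby-04", "ipcam-z", "unknown", None, 2, 0),
]


def classify(dev):
    """Return 'verified', 'mismatch', 'unverified' or 'no_baseline' for one device."""
    expected = KNOWN_GOOD.get((dev.model, dev.fw_version))
    if expected is None:
        return "no_baseline"   # nothing to compare against: cannot be verified at all
    if dev.fw_sha256 is None:
        return "unverified"    # a baseline exists but no image was ever captured
    return "verified" if dev.fw_sha256 == expected else "mismatch"


# Constructed weights: a mismatch outranks any exposure/criticality combination.
SEVERITY = {"mismatch": 3, "unverified": 2, "no_baseline": 2, "verified": 0}


def triage(fleet):
    """Return [(score, name, status)] sorted highest score first."""
    rows = []
    for dev in fleet:
        status = classify(dev)
        score = SEVERITY[status] * 10 + dev.exposure * 2 + dev.criticality
        rows.append((score, dev.name, status))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for score, name, status in triage(FLEET):
        print(f"{score:3d}  {name:16s} {status}")
```

The output puts the DMZ router whose image does not match the vendor hash at the top, followed by the production BMC that has a baseline but was never dumped, with the verified router last. Two of the five devices land in `no_baseline`, which is the honest answer to "where are we trusting devices we've never verified?" and the list to take into procurement conversations.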
The security stack starts below the OS. Worth knowing what’s down there.