Your Firewall Is Playing Man-to-Man. Attackers Are Running Pick-and-Roll.



May 2026  ·  8 min read

In the 2026 NBA Playoffs, the teams winning on defense aren't running pure man-to-man. They're switching schemes, mixing zone principles, and forcing offenses to solve problems they haven't practiced against. Most small businesses defend their data the way a team plays man-to-man against Steph Curry. There's a better way.


In the 2026 NBA Playoffs Conference Semifinals, the Denver Nuggets ran zone defense on nearly 30% of their halfcourt possessions against the Oklahoma City Thunder. For a team that played zone on just 3% of possessions during the regular season, that's a dramatic shift. And it worked — OKC's Jalen Williams, Chet Holmgren, and Lu Dort shot a combined 23% from three against the zone, compared to 39% in the regular season.

Why? Because the Thunder had spent the entire season perfecting their pick-and-roll attack against man-to-man defense. They could run it in their sleep. The moment Denver switched to zone, OKC had to slow down, diagnose what they were seeing, and solve a problem they hadn't practiced nearly as much. That half-second of hesitation changed the series.

Now think about your cybersecurity posture. Most small businesses are running pure man-to-man: one firewall on the perimeter, one antivirus on the endpoint, one password policy in the employee handbook. Each tool has one job. Each tool watches one threat. And attackers — who have spent years perfecting their pick-and-roll against exactly this defense — can run it in their sleep.

The pick-and-roll is the most common play in the NBA — used on roughly 25% of all offensive possessions. It works against man-to-man because it forces a decision: do you follow your man through the screen, or switch assignments? Either choice creates a gap. Attackers have spent decades running the digital equivalent against single-layer perimeter defenses — and the gaps they exploit are identical.

Man-to-man vs. zone — what each defense actually is

Man-to-Man Defense
Each defender is assigned one specific offensive player and follows them everywhere. Your best defender guards their best player. Accountability is individual. But if your man gets beaten — if he sets a screen that frees his teammate — the whole defense can collapse unless someone rotates in time.

→ Cyber equivalent: Perimeter-only security. The firewall guards the front door. Each tool has one assignment. If an attacker beats the firewall with a valid stolen credential, there's no rotation waiting behind it.

Zone Defense
Each defender guards an area of the court rather than a specific player. Coverage overlaps — if one defender is beaten, another is already covering the space behind them. No single breakdown collapses the entire defense.

→ Cyber equivalent: Layered, defense-in-depth security. MFA covers the credential layer. Behavioral monitoring covers the access layer. Network segmentation covers lateral movement. No single breach cascades through everything.

The pick-and-roll attacks your man-to-man security is giving up right now

In basketball, the pick-and-roll succeeds because it forces a decision at the moment of contact. Every choice leaves something open. The best pick-and-roll teams practice reading which gap opens and attacking it before the defense can recover. Attackers run the same play against single-layer defenses. Here are the four most common versions.

The credential pick — phishing sets the screen

The most common play in the attacker playbook. Runs against man-to-man every day.

On the court: The ball handler drives toward the basket. A teammate sets a hard screen that forces the defender to fight through it or go under it. The ball handler reads which defender helps and kicks it to the open man. Pure pick-and-roll executed against a man-to-man defense that can't rotate fast enough.

Against your security: A phishing email is the screen. It forces your employee to make a split-second decision. If they click, the attacker has the credential. Your firewall is still standing at the front door watching for unauthorized traffic — but the attacker walked past it with a valid login. Your man got screened out. Nobody rotated.

The credential stuffing fast break — off the turnover

Transition offense. Before your defense is set. Before anyone knows the game has restarted.

On the court: The best fast break offense doesn't wait for the defense to set up. It pushes the pace immediately after a turnover — attacking before defenders can sprint back and get in position. A two-on-one fast break gives up an open layup because the defense was caught transitioning.

Against your security: Credential stuffing is the fast break. An employee's password appears in a breach database — a turnover your business didn't cause. Before anyone knows, automated tools are testing that credential against your systems at thousands of attempts per second. Your man-to-man defense hasn't reset. The layup is already in the air.

The off-ball screen — the insider move nobody watches

The most underrated play in basketball. The most underrated threat in your network.

On the court: While everyone watches the ball handler, a player on the weak side sets a screen for a teammate cutting to the basket. The defense is ball-watching. The actual scoring opportunity is happening somewhere nobody is looking. The best teams exploit this constantly.

Against your security: The insider threat. While security tools watch the perimeter for external attackers, an employee account is quietly downloading client files or staging data for exfiltration. Your firewall is ball-watching. The threat is happening off the ball — inside the network, using legitimate access, invisible to a defense that only watches the front door.

The ISO mismatch — finding the weakest defender

Attack your worst matchup repeatedly until it breaks.

On the court: Isolation plays target a specific defender — whoever the scouting report identified as the weakest link. Run the same play at them repeatedly until they're in foul trouble. Man-to-man can't hide the mismatch because every player is visible and accountable for one assignment.

Against your security: Attackers scan for your weakest entry point and drive at it until it breaks. An unpatched system. An admin account without MFA. An exposed API key. They don't attack your strongest controls — they find the mismatch and exploit it. Every exposed asset is visible to a patient attacker with a scanner.

In the 2026 playoffs, teams running pure man-to-man against elite pick-and-roll offenses are losing. Every playoff defense that hasn't adapted — that hasn't layered zone principles, switching schemes, and rotations — is giving up buckets it doesn't have answers for. The same is true for every SMB running single-layer perimeter security against a modern threat landscape.

What switching to zone actually looks like for your business

In basketball, switching from man-to-man to zone doesn't mean abandoning individual accountability. The best defenses run both — reading what the offense is running and adapting coverage. Denver didn't play zone on every possession. They played it when they needed to disrupt OKC's rhythm and take away the plays the Thunder had practiced most.

The cybersecurity equivalent isn't replacing your firewall. It's building overlapping coverage so that no single attack play has a clean path to the basket.

  • 30% of Nuggets halfcourt possessions in zone vs OKC — up from 3% in the regular season (Source: Second Spectrum / The F5, 2025 playoffs)
  • 23% OKC three-point shooting vs zone — versus 39% vs man-to-man (Source: NBA tracking data, 2025 playoffs)
  • 82% of 2025 intrusions were malware-free — man-to-man tools like antivirus missed them entirely (Source: CrowdStrike 2026 Global Threat Report)

Here's what layered zone defense looks like in your business:

  • Perimeter pressure (man-to-man): Your firewall and email filtering. Still necessary. Still the first line. But not sufficient alone against an offense that can find gaps.
  • MFA as the help-side rotation: Even when your man gets beaten by a stolen credential, MFA is the zone defender already in position. The layup isn't open because there's always someone in the paint.
  • Behavioral monitoring as weak-side awareness: Zone defense requires every player to see the whole court. User behavior monitoring watches the weak side where man-to-man defenses are ball-watching.
  • Network segmentation as zone structure: A breakdown in one zone doesn't collapse the whole defense because other zones cover adjacent space. Segmented networks mean lateral movement is blocked even after initial access.
  • Continuous visibility as the coaching adjustment: Denver switched to zone mid-game because their staff saw what OKC was running and adapted. Continuous scanning gives your team the same real-time intelligence — knowing which matchup is losing before the attacker has scored 20 off it.
Platforms like Veriti Spottr give SMBs the equivalent of Denver's zone scheme — an outside-in view of your attack surface that identifies mismatches before an attacker exploits them, continuous monitoring that flags behavioral anomalies the way a zone defender reads off-ball cuts, and a CyberScore that shows whether your layered defense is actually working. You can't run zone if you don't know where the gaps are. That visibility is where the scheme starts.

The best coaches run both

No NBA championship team has won playing exclusively man-to-man or exclusively zone. The best defensive coaches — Gregg Popovich, Erik Spoelstra, Mark Daigneault — run both. They teach players to switch between schemes on the fly, read what the offense is running, and apply the right defense for each possession.

The Thunder's pick-and-roll offense is unstoppable against pure man-to-man. Against a team that can switch to zone, double in the paint, and take away the roll man — it becomes manageable. Not because the offense changed. Because the defense learned to meet it with something it hadn't practiced against.

Your attackers are running the same pick-and-roll they've been running for years. They practice it constantly. They can do it in their sleep against a single-layer perimeter defense. The question is whether your defense is still running the scheme they've already solved — or whether you've added enough layers that every possession forces them to think.

Pick-and-roll beats man-to-man. It always has. The answer isn't better man-to-man. It's knowing when to switch to zone.

See where your defense has gaps — before the attacker runs the play. Veriti Spottr's beta is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
