iSECTECH

The Mid-Market SaaS Ransomware Readiness Checklist: 37 Controls That Actually Change Outcomes


Ransomware crews no longer need nation-state budgets to destroy a $40M-ARR SaaS company. A single affiliate with a leaked credential and a Friday-evening deployment window can encrypt your production database, exfiltrate twelve months of customer data, and publish the proof on a Tor leak site before your on-call engineer even finishes dinner.

We have worked incident response on both sides of that timeline — with companies that recovered in 72 hours and with companies that never recovered at all. The difference is almost never budget. It is almost always whether the following 37 controls were in place the week before the attack.

This is not a compliance checklist. It is an operator’s checklist, built from real iSECTECH engagements with Series B through Series D SaaS companies. Every item on it has been the deciding factor between a bad week and an extinction event.

How ransomware actually reaches SaaS companies in 2026

The image of ransomware as an opportunistic phishing link is a decade out of date. Modern intrusions into mid-market SaaS follow a more disciplined pattern: an initial-access broker sells valid credentials to an affiliate; the affiliate escalates privileges through your identity provider; the affiliate exfiltrates data over weeks using legitimate protocols; and only then does the ransomware payload fire — typically on a holiday weekend, typically against your backup infrastructure first.

Every step of that chain has corresponding controls. The 37 items below are grouped by where they interrupt the chain.

Identity: the new perimeter (controls 1–9)

More than 80% of the intrusions we have investigated in the last eighteen months began with a credential rather than a vulnerability. That makes identity the single highest-leverage investment a SaaS company can make.

  1. Phishing-resistant MFA for every administrator, without exceptions for “break-glass” accounts. Hardware keys or platform authenticators only — no SMS, no TOTP.
  2. Conditional access that blocks legacy authentication protocols (IMAP, POP3, SMTP basic auth) at the identity provider.
  3. Geofencing and impossible-travel detection for all privileged roles.
  4. Just-in-time elevation for production access, with automatic expiry after four hours.
  5. Dedicated admin workstations (physical or virtual) that cannot browse the internet or receive email.
  6. Automated deprovisioning within one hour of termination, including contractors and service accounts.
  7. Quarterly access reviews on every tier-1 system, signed off by the system owner.
  8. Service account inventory with rotation, password vaulting, and a documented owner.
  9. Session monitoring for all SaaS admin consoles — Okta, AWS, GitHub, Stripe, Salesforce.
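Control 3 is the one on this list that is easiest to turn into a concrete detection, so here is an added example (not code from the original article or from iSECTECH) of an impossible-travel check over sign-in events. It assumes you already export your identity provider's sign-in log and geolocate the source IP; the `SignIn` record, the 900 km/h threshold and the sample events below are all constructed for illustration.

```python
"""Impossible-travel check over identity-provider sign-in events.

Input is a list of SignIn records; in practice these come from the IdP's
audit log after the source IP has been geolocated. Everything below is
constructed sample data using documentation-range IP addresses.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Faster than a commercial airliner is not a human changing location.
MAX_PLAUSIBLE_KMH = 900.0
# Ignore small hops (same metro area, carrier NAT) even when timestamps coincide.
MIN_DISTANCE_KM = 100.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return one finding per consecutive sign-in pair that implies an impossible speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip == cur.ip:
                continue  # same egress address: not a location change
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "distance_km": round(dist),
                    "speed_kmh": speed if speed == float("inf") else round(speed),
                    "at": cur.when.isoformat(),
                })
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (approximate city coordinates).
SAMPLE_EVENTS = [
    SignIn("alice", _t("2026-03-06T08:00:00"), "203.0.113.10", 51.5074, -0.1278),    # London
    SignIn("alice", _t("2026-03-06T08:45:00"), "198.51.100.7", -33.8688, 151.2093),  # Sydney, 45 min later
    SignIn("bob",   _t("2026-03-06T09:00:00"), "192.0.2.5",    40.7128, -74.0060),   # New York
    SignIn("bob",   _t("2026-03-06T17:00:00"), "192.0.2.99",   51.5074, -0.1278),    # London, 8 h later: a real flight
    SignIn("carol", _t("2026-03-06T09:00:00"), "203.0.113.44", 48.8566, 2.3522),     # Paris
    SignIn("carol", _t("2026-03-06T09:05:00"), "203.0.113.44", 48.8566, 2.3522),     # same IP, no change
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Only alice is flagged: bob's New York to London hop works out to roughly 700 km/h, which is a plausible flight, and carol never changed address. The minimum-distance floor matters in practice, because mobile users bounce between carrier NAT addresses with identical timestamps and would otherwise produce infinite "speeds".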

Endpoint: where ransomware still fires (controls 10–17)

Every mid-market SaaS we have worked with had “EDR” on paper. Very few had it configured to actually stop ransomware. The difference lives in the details below.

  10. EDR in block mode, not alert-only, with tamper protection enabled.
  11. Application allow-listing on all developer and finance endpoints.
  12. Disabled macros by default in Microsoft 365 tenants, enforced by policy.
  13. USB mass-storage blocked or restricted to encrypted, enterprise-managed devices.
  14. Local admin rights removed from all non-engineering staff, with PAM for exceptions.
  15. Full-disk encryption verified by inventory, not assumed by policy.
  16. Browser isolation for any session that touches unknown URLs (email links, support tickets).
  17. 24/7 EDR monitoring by a human responder, not just an alert queue.

Network and cloud: break the lateral chain (controls 18–24)

The average ransomware incident involves seventeen hours of attacker dwell time before payload detonation. Most of that time is spent moving laterally. Segmentation is how you make that lateral movement loud.

  18. Production network isolated from corporate network at the identity and routing layers.
  19. No flat VPC/VNet architecture — each tier has its own security group boundary.
  20. Outbound egress filtering on production subnets to break command-and-control channels.
  21. DNS logging and blocking against known malicious domains (Cisco Umbrella, DNSFilter, or equivalent).
  22. Service-to-service authentication using short-lived tokens, never long-lived API keys.
  23. Secrets in a managed vault (AWS Secrets Manager, HashiCorp Vault), never in repositories or environment files.
  24. Terraform and IaC reviewed for least privilege on every pull request.
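Egress filtering (control 20) is the item in this group that most often exists on a diagram but not in the actual security groups, because the cloud default is "all traffic to anywhere". The following is an added example, not code from the original article, of an audit that walks security groups in the shape the EC2 DescribeSecurityGroups API returns (`IpPermissionsEgress` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`) and flags rules that reach any internet address. The group IDs, the `allowed_ports` policy knob and the sample groups are constructed for illustration.

```python
"""Egress-filtering audit over security groups.

Input is a list of dicts in the shape returned by EC2 DescribeSecurityGroups.
The groups below are constructed samples, not real resources.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _reaches_any_address(perm: dict) -> bool:
    """True when the rule's destinations include the whole IPv4 or IPv6 internet."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return ANY_V4 in cidrs or ANY_V6 in cidrs


def open_egress_findings(groups: list, allowed_ports: frozenset = frozenset()) -> list:
    """Return one finding per egress rule that reaches any address on a port outside allowed_ports.

    allowed_ports is a policy knob: the strict default is empty (all egress goes through
    an explicit proxy or VPC endpoint); {443} is the usual compromise where no proxy exists.
    Rules scoped to internal CIDRs, other security groups or prefix lists are never flagged.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissionsEgress", []):
            if not _reaches_any_address(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # the cloud default: every protocol, every port
                findings.append({"group": group["GroupId"],
                                 "rule": "all protocols and ports -> any address"})
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo == hi and lo in allowed_ports:
                continue
            findings.append({"group": group["GroupId"],
                             "rule": f"{proto} {lo}-{hi} -> any address"})
    return findings


# Constructed sample groups (IDs are placeholders, not real AWS identifiers).
SAMPLE_GROUPS = [
    {"GroupId": "sg-prod-app", "GroupName": "prod-app",  # default egress rule never removed
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-prod-db", "GroupName": "prod-db",    # only reaches an internal endpoint
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-prod-worker", "GroupName": "prod-worker",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]

if __name__ == "__main__":
    for finding in open_egress_findings(SAMPLE_GROUPS):
        print(finding)
```

Under the strict policy three rules are flagged; allowing port 443 drops the worker's HTTPS rule but still catches the IPv6 all-ports rule, which is the kind of thing that survives a review that only looked at IPv4.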

Backups: the control that actually decides the outcome (controls 25–30)

If you take one section of this article seriously, make it this one. Backups are what determine whether you pay the ransom.

  25. Immutable backups — object lock in S3, or equivalent on Azure / GCP — that cannot be deleted even by a root credential.
  26. Offline or air-gapped copy of the last thirty days of backups, stored in a separate billing account.
  27. Quarterly restore tests performed end-to-end, not just checksum validation.
  28. Documented RTO and RPO per service, approved by the business, not by IT.
  29. Separate credential set for backup infrastructure, stored in a separate vault, rotated quarterly.
  30. Backup success alerts and failure alarms piped into an on-call rotation, not a mailbox.
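Controls 25, 28 and 30 can be verified mechanically, and the checks are worth running on a schedule rather than once at audit time. Here is an added example (not code from the original article) with two functions: `check_object_lock` consumes a dict in the shape the S3 GetObjectLockConfiguration API returns and reports why the bucket would not survive a privileged attacker, and `rpo_breaches` compares the last successful backup per service against its documented RPO so the result can feed an on-call alarm. The job-record shape, the service names and the sample timestamps are constructed assumptions.

```python
"""Backup posture checks: object-lock immutability and RPO freshness.

check_object_lock() takes the dict returned by S3 GetObjectLockConfiguration.
rpo_breaches() takes backup job records of a hypothetical shape
({"service", "status", "finished_at"}). All inputs below are constructed.
"""
from datetime import datetime, timedelta, timezone


def check_object_lock(config: dict, min_days: int = 30) -> list:
    """Return the weaknesses in an S3 object-lock configuration (empty list means OK)."""
    olc = config.get("ObjectLockConfiguration", {})
    if olc.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled; any principal with s3:DeleteObject can remove backups"]
    retention = olc.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["no default retention rule: objects are only locked if the writer sets retention"]
    issues = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE can be bypassed by a principal holding s3:BypassGovernanceRetention;
        # COMPLIANCE retention cannot be shortened by any principal, root included.
        issues.append(f"retention mode is {mode}; a privileged credential can still delete, use COMPLIANCE")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        issues.append(f"default retention is {days} days, below the required {min_days}")
    return issues


def rpo_breaches(jobs: list, rpo_hours: dict, now: datetime) -> dict:
    """Map each service whose last *successful* backup is older than its RPO to a reason."""
    last_ok = {}
    for job in jobs:
        if job["status"] != "success":
            continue  # a failed job does not reset the clock
        svc = job["service"]
        if svc not in last_ok or job["finished_at"] > last_ok[svc]:
            last_ok[svc] = job["finished_at"]
    breaches = {}
    for svc, rpo in rpo_hours.items():
        if svc not in last_ok:
            breaches[svc] = "no successful backup on record"
            continue
        age_h = (now - last_ok[svc]).total_seconds() / 3600
        if age_h > rpo:
            breaches[svc] = f"last good backup {age_h:.1f} h old, RPO is {rpo} h"
    return breaches


# Constructed samples.
NOW = datetime(2026, 3, 6, 12, 0, tzinfo=timezone.utc)

GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
NO_LOCK = {"ObjectLockConfiguration": {}}

RPO_HOURS = {"billing-db": 4, "analytics-db": 24, "auth-db": 1}
SAMPLE_JOBS = [
    {"service": "billing-db",   "status": "success", "finished_at": NOW - timedelta(hours=2)},
    {"service": "billing-db",   "status": "failed",  "finished_at": NOW - timedelta(hours=1)},
    {"service": "analytics-db", "status": "success", "finished_at": NOW - timedelta(hours=30)},
]

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_LOCK), ("weak", WEAK_LOCK), ("none", NO_LOCK)):
        print(name, check_object_lock(cfg) or "OK")
    print(rpo_breaches(SAMPLE_JOBS, RPO_HOURS, NOW))
```

The RPO check deliberately keys on the last *successful* job: a backup pipeline that runs on schedule and fails every night looks healthy in a mailbox full of "job started" mail, which is exactly the failure mode control 30 is about.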

Detection and response (controls 31–34)

Prevention fails. The question is how quickly you notice and how quickly you contain.

  31. Centralized logging of identity, endpoint, cloud, and SaaS audit events into one SIEM or data lake.
  32. Defined playbooks for ransomware, business-email compromise, and data exfiltration — reviewed semi-annually.
  33. Tabletop exercise with the executive team at least once a year. No exceptions.
  34. Incident retainer with an IR firm that has already signed the NDA and knows your environment.

Governance (controls 35–37)

  35. Cyber insurance that understands your stack — reviewed annually, with the broker walked through your control inventory.
  36. Board-level reporting of the top ten risks with ownership, status, and trend — quarterly.
  37. A named accountable executive for security. Not a shared responsibility. Not a committee.

Where to start if you only have a quarter

If you are reading this with a ninety-day window and a finite team, the highest-leverage starting point is not a new tool. It is phishing-resistant MFA on every administrator (controls 1 and 2), immutable backups with a tested restore (controls 25 and 27), and a tabletop exercise with your executive team (control 33). Every other control on this list is easier to fund and faster to implement once those three are true.

If you want an outside team to run that quarter with you — measured, documented, and with evidence your board will accept — that is exactly the kind of engagement our managed security and incident readiness program was built for. Request an assessment and we will come back with a prioritized plan in five business days.

Ready when you are

Let's scope this together.

Short NDA-ready call, no sales theater — just clarity on scope, timing, and next steps.