When the Defender Leaks Itself: The CISA GitHub Exposure and the Limits of After-the-Fact Investigation

In mid-May 2026, the Cybersecurity and Infrastructure Security Agency — the federal organization responsible for defending United States government networks — was found to have left a public GitHub repository named “Private-CISA” open for approximately six months. Inside the repository, security researcher Guillaume Valadon of GitGuardian discovered a file titled “importantAWStokens” that contained administrative credentials to three Amazon AWS GovCloud accounts, alongside a second file titled “AWS-Workspace-Firefox-Passwords.csv” that listed plaintext usernames and passwords for dozens of internal CISA systems. The repository, tied to a contractor identified in subsequent reporting as Nightwing, had been publicly accessible since approximately November 2025. The credentials were invalidated and the repository was secured over a weekend after disclosure. Valadon, who has spent his career in credential-leak research, described it in an interview with Krebs on Security as “the worst leak that I’ve witnessed.”

The story is not, in any technical sense, complicated. A repository was set to public when it should have been private. Files containing high-value credentials were committed to it. No adversary was required to do anything but find them. By the time the leak was reported, the credentials had been sitting in the open for roughly half a year, indexed and searchable, accessible to anyone with the inclination to look. Closing the exposure was a weekend of credential rotation and access review. Answering what actually happened during the six months the repository was public is a substantially different problem, and it is the problem that defines the actual cost of the incident.

The deeper lesson sits one layer underneath. Every modern security program treats exposure and investigation as separate phases of an incident. Exposure is detected, contained, and disclosed; investigation answers the questions that disclosure raises. That model works when the exposure is short and the investigation has live evidence to draw from. It begins to break down when the exposure is long, when the access path looks indistinguishable from legitimate administrative activity, and when the evidence that an investigator needs has either been overwritten or was never recorded at the level required. The CISA repository is the maximum-stakes version of that problem, but the underlying pattern shows up in every secrets-leak incident, and increasingly in every identity-driven intrusion.

Exposure Is a Moment. Investigation Is Everything After.

The questions raised by a long-running secrets exposure are not the questions raised by an active breach. There is no foothold to trace, no lateral movement to reconstruct, no malware sample to reverse. The credentials worked because they were the real credentials. Any adversary that pulled them from the public repository could have authenticated normally, from any source IP, into any of the three GovCloud accounts and the dozens of internal systems whose passwords were in the CSV. The behavior, in the moment of access, would have been indistinguishable from a legitimate administrator on a routine task.

That is what makes the investigation problem so difficult. The defender is not searching for an anomaly. The defender is searching for a specific subset of actions, taken with specific credentials, during a specific six-month window, that turn out — only in retrospect — to have been performed by someone who should not have had those credentials in the first place. AWS CloudTrail records will show every API call made with the leaked access keys, and CloudTrail is one of the better forensic data sources in any cloud environment. But CloudTrail records that an API call occurred. It does not, in most configurations, record the content of the response — which objects were returned by a ListObjects call, which records were returned by a database query, which file was downloaded from S3. The next question, which is the one that legal counsel and any oversight body will ultimately ask, is what data those calls returned. CloudTrail does not contain that answer.

A six-month investigation window also stresses retention. Default CloudTrail retention in the management plane is 90 days. Organizations that have configured CloudTrail to log to an S3 bucket with extended retention will have the call records, but the data-plane events — S3 object access, KMS decryptions, Secrets Manager retrievals — are governed by separate configurations that, in many environments, are partial or off entirely. The same is true for the VPC Flow Logs, AWS WAF logs, and load-balancer access logs that would surround the API activity. By the time the investigation begins, parts of the picture are gone.
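The two paragraphs above describe what a CloudTrail record can and cannot answer for a leaked key. The following script is an added example, not code from the article or from any agency or vendor: it walks CloudTrail-format JSON, keeps the calls made inside the exposure window with the leaked access keys (and with any keys those keys minted, since a CreateAccessKey call by a suspect key makes the new key suspect too), names the resource touched as far as the request parameters allow, and flags reads for which the log records only that the call happened. All key IDs, dates, IP addresses and bucket names are constructed placeholders.

```python
"""Triage of CloudTrail records for a leaked-credential exposure window.
Added example, not code from the article or any agency or vendor: keeps the
calls made with the leaked access keys (and keys those keys minted) inside
the window, and notes for each what the log does and does not tell you.
All key IDs, dates, IPs and bucket names are constructed for the example."""
import json
from datetime import datetime, timezone

LEAKED_KEYS = {"AKIAEXAMPLELEAKED001", "AKIAEXAMPLELEAKED002"}  # constructed
WINDOW_START = datetime(2025, 11, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 16, tzinfo=timezone.utc)

def _rec(time, source, name, category, read_only, ip, key, params, response=None):
    # One record in the shape CloudTrail writes to its log files.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "eventCategory": category, "readOnly": read_only, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "requestParameters": params, "responseElements": response}

# Constructed log: two leaked keys, a key minted by one of them, an unrelated key, one pre-window call.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2025-09-01T00:00:00Z", "s3.amazonaws.com", "ListObjects", "Data", True,
         "203.0.113.45", "AKIAEXAMPLELEAKED001", {"bucketName": "agency-records"}),
    _rec("2026-01-14T03:22:10Z", "s3.amazonaws.com", "ListObjects", "Data", True,
         "203.0.113.45", "AKIAEXAMPLELEAKED001", {"bucketName": "agency-records"}),
    _rec("2026-01-14T03:23:41Z", "s3.amazonaws.com", "GetObject", "Data", True,
         "203.0.113.45", "AKIAEXAMPLELEAKED001",
         {"bucketName": "agency-records", "key": "exports/2025-q4.csv"}),
    _rec("2026-02-02T15:10:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
         "Management", True, "198.51.100.7", "AKIAEXAMPLELEAKED002",
         {"secretId": "prod/db/admin"}),
    _rec("2026-03-09T09:00:00Z", "iam.amazonaws.com", "CreateAccessKey", "Management",
         False, "198.51.100.7", "AKIAEXAMPLELEAKED002", {"userName": "backup-svc"},
         {"accessKey": {"accessKeyId": "AKIAEXAMPLENEWKEY001", "status": "Active"}}),
    _rec("2026-03-12T11:00:00Z", "s3.amazonaws.com", "GetObject", "Data", True,
         "198.51.100.7", "AKIAEXAMPLENEWKEY001",
         {"bucketName": "agency-records", "key": "exports/2026-q1.csv"}),
    _rec("2026-03-10T11:00:00Z", "s3.amazonaws.com", "GetObject", "Data", True,
         "192.0.2.10", "AKIAEXAMPLEUNRELATED", {"bucketName": "public-site", "key": "index.html"}),
]})

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def identify_resource(rec):
    """Name the resource touched, as far as the request parameters allow."""
    p = rec.get("requestParameters") or {}
    if "bucketName" in p and "key" in p:
        return f"s3://{p['bucketName']}/{p['key']}"
    if "bucketName" in p:
        return f"s3://{p['bucketName']}/ (object names returned are not recorded)"
    for field in ("secretId", "keyId", "userName"):
        if field in p:
            return f"{field}={p[field]}"
    return "(no resource in request parameters)"

def expand_suspect_keys(records, leaked_keys):
    """A key minted with a suspect key is itself suspect; iterate to a fixed point."""
    suspect, changed = set(leaked_keys), True
    while changed:
        changed = False
        for rec in records:
            if rec["eventName"] != "CreateAccessKey" or rec["userIdentity"]["accessKeyId"] not in suspect:
                continue
            minted = ((rec.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if minted and minted not in suspect:
                suspect.add(minted)
                changed = True
    return suspect

def triage(log_text, leaked_keys, start, end):
    """Return the in-window calls made with suspect keys, oldest first."""
    records = json.loads(log_text)["Records"]
    suspect = expand_suspect_keys(records, leaked_keys)
    findings = []
    for rec in records:
        key = rec["userIdentity"].get("accessKeyId")
        if key not in suspect or not (start <= parse_time(rec["eventTime"]) <= end):
            continue
        findings.append({
            "time": rec["eventTime"], "access_key": key, "source_ip": rec["sourceIPAddress"],
            "event": f"{rec['eventSource']}:{rec['eventName']}",
            "mutating": not rec.get("readOnly", False),
            "resource": identify_resource(rec),
            # CloudTrail records that the call happened; for reads it does not carry
            # the data returned, which is the evidence gap the article describes.
            "response_recorded": bool(rec.get("responseElements")),
        })
    return sorted(findings, key=lambda f: f["time"])

def summarize(findings):
    return {
        "events": len(findings),
        "suspect_keys": sorted({f["access_key"] for f in findings}),
        "source_ips": sorted({f["source_ip"] for f in findings}),
        "mutations": sum(1 for f in findings if f["mutating"]),
        "reads_without_content": sum(1 for f in findings if not f["mutating"] and not f["response_recorded"]),
    }
```

Running `summarize(triage(SAMPLE_LOG, LEAKED_KEYS, WINDOW_START, WINDOW_END))` on the constructed log yields five in-window calls across three suspect keys and two source addresses, of which four are reads with no recorded response content: the investigator knows that `exports/2025-q4.csv` was fetched and that `prod/db/admin` was read, but not what either contained, and knows only that `agency-records` was listed, not which object names came back. The mutation that minted a new key is the one call whose response the log does carry.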

The “Used by an Insider” Problem

The CISA incident also illustrates the harder version of the problem, which is that even where the logs are intact, they may not be sufficient on their own. Administrative credentials issued to a federal agency contractor are expected to be used by that contractor. Authentication from a contractor’s known network range, at a normal time of day, against a system the contractor is authorized to administer, is exactly the activity the contractor was hired to perform. The leak does not change any of that. What it changes is the population of people who might be sitting behind those credentials at any given moment.

An honest investigation, faced with that ambiguity, has to do one of two things. It can presume compromise and treat every authentication during the exposure window as suspect, which produces an investigation that is operationally impossible for any environment with non-trivial scale. Or it can reconstruct what actually occurred during each session at a level of detail that makes the legitimate-or-not determination possible — which queries were run, which records were returned, which files were retrieved, which configuration changes were made. That second path is the only one that produces defensible answers, and it requires evidence that most organizations cannot produce months after the fact.

The same dynamic governs the broader category of identity-driven intrusions that has come to define the post-2024 threat landscape. SaaS-anchored compromises, OAuth token theft, helpdesk-impersonation attacks, vishing-driven session hijacking — all of them produce authenticated activity using legitimate credentials, and all of them leave the investigator searching, after the fact, for the subset of sessions that were the attacker’s. The CISA repository is a particularly stark version because the credentials were left where anyone could find them. The investigation problem it produces is the same investigation problem any organization faces after a credential-driven incident.

The Compounding Effect of Long Exposure Windows

Long exposure windows are not unusual in secrets-leak incidents. GitGuardian’s annual State of Secrets Sprawl reporting has consistently documented millions of credentials committed to public repositories every year, with a median remediation time measured in weeks for known leaks and indefinitely for unknown ones. The IBM Cost of a Data Breach study has put average time-to-identify-and-contain across all breach categories at 277 days, with credential-based breaches near the top of the distribution. Mandiant’s M-Trends 2026 reports a global median dwell time of 11 days for internally-detected incidents and 25 days when external notification triggers the discovery. The CISA repository, public for roughly six months before discovery, is not an outlier. It is the upper end of a distribution that begins at a few days and stretches into years.

What changes when an exposure window is measured in months is that the investigator no longer has the luxury of working from telemetry that was captured close in time to the activity of interest. The questions an investigator asks at month six — was this specific S3 object retrieved during the window, did this Secrets Manager secret get decrypted, did this RDS database get queried — depend on data sources that, for most organizations, were not configured to retain that level of detail for that length of time. The investigator has the option of producing a hedged answer or producing no answer. Neither is acceptable for an incident of this profile.

The public-sector dimension of the CISA case raises the bar further. A federal agency operating under FISMA, FedRAMP, and the relevant inspector-general oversight obligations cannot close the incident with a probabilistic statement. Whatever answer the investigation produces will be reviewed under public scrutiny and will set a precedent for how similar incidents are handled across the federal civilian executive branch. The credibility of the agency that publishes guidance for everyone else depends on its ability to produce a definitive forensic record of what happened on its own systems during the months its credentials were in the open.

Disclosure Has Caught Up With Investigation

The pace of disclosure has changed faster than the pace of investigation. The SEC’s Item 1.05 of Form 8-K, in force since late 2023, requires public companies to disclose material cybersecurity incidents within four business days of materiality determination. The European Union’s NIS2 directive moved to active enforcement on March 31, 2026. The Cyber Incident Reporting for Critical Infrastructure Act final rule, targeted for release this May, will impose federal incident-reporting requirements on a broad swath of US critical infrastructure operators. In each case, the disclosure clock starts before the forensic record is complete.

The recent run of major incidents has illustrated, with regularity, what happens when those two timelines diverge. The Instructure Canvas breach earlier this month produced an initial disclosure that emphasized the safety of core learning data, followed by a public revision after the ShinyHunters extortion crew claimed 3.65 terabytes covering approximately 275 million records. The Grafana Labs GitHub token incident disclosed days ago produced an initial assurance that no customer data was accessed, followed by ongoing investigation into the actual scope of the attacker’s access. Every one of these revisions is the visible artifact of an investigation that could not produce a complete answer in the window the disclosure required. The same dynamic, applied to a federal agency, has higher stakes. The CISA case will be measured not only on the speed of containment but on the substance of the forensic record published afterward.

Building for the Investigation, Not the Alert

Most security architectures are built around the moment an alert fires. Telemetry sources, retention windows, and analyst workflows are tuned for the question “is something happening right now?” That is the wrong question for the CISA category of incident. The exposure window passed months ago. The alert never fired because, from every system’s point of view, nothing anomalous happened. The relevant question is “what occurred during this specific window, with these specific credentials, against these specific systems, and what data left as a result?” An architecture tuned for live detection cannot answer it.

Three capabilities separate an environment that can answer that question from one that cannot. The first is evidence captured at the time the activity occurred rather than reconstructed weeks later from partial records. Investigations that depend on collecting fresh telemetry after a disclosure are investigations that begin by accepting an evidence gap. The second is evidence at the level of objects retrieved, records returned, queries executed, and files transferred, not just at the level of connections, authentications, and metadata. The questions legal counsel will ask are content-level questions. The third is retention measured in months, not days, so that the evidence is still available when the investigation finally begins. The CISA window was six months. The next one of these will be longer.
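The third capability above, retention that outlasts the exposure window, is the one that can be checked before an incident rather than discovered during one. The following is an added example, not code from the article or any vendor: given an inventory of evidence sources with their retention periods, it computes for a six-month window how much of that window each source could still answer for on the day an investigation starts, and which of them record at the level of objects and files touched rather than only connections and metadata. The source inventory, retention values and dates are constructed; the 90-day CloudTrail event history is the figure the article cites.

```python
"""Evidence-coverage check for a long exposure window.
Added example, not code from the article or any vendor: for each evidence
source, given its retention and the day the investigation starts, compute
how much of the exposure window it can still answer for, and whether it
records which objects, records or files were touched (object level) or
only that calls and connections happened. The inventory and dates are
constructed; the 90-day CloudTrail event history is the article's figure."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class EvidenceSource:
    name: str
    retention_days: int        # 0 means the source is not enabled at all
    object_level: bool         # True if it records which objects/records/files were touched
    enabled_since: Optional[date] = None  # None: enabled before the window began

@dataclass
class Coverage:
    name: str
    object_level: bool
    covered_from: Optional[date]   # earliest day in the window with evidence
    covered_days: int
    gap_days: int

def coverage(src: EvidenceSource, window_start: date, window_end: date,
             investigation_date: date) -> Coverage:
    window_days = (window_end - window_start).days
    if src.retention_days <= 0:
        return Coverage(src.name, src.object_level, None, 0, window_days)
    # Oldest day the source still holds on the day the investigation starts...
    oldest = investigation_date - timedelta(days=src.retention_days)
    # ...but never earlier than the day the source was switched on.
    if src.enabled_since and src.enabled_since > oldest:
        oldest = src.enabled_since
    covered_from = max(oldest, window_start)
    if covered_from >= window_end:
        return Coverage(src.name, src.object_level, None, 0, window_days)
    covered = (window_end - covered_from).days
    return Coverage(src.name, src.object_level, covered_from, covered, window_days - covered)

def assess(sources, window_start, window_end, investigation_date) -> List[Coverage]:
    return [coverage(s, window_start, window_end, investigation_date) for s in sources]

def earliest_object_evidence(results: List[Coverage]) -> Optional[date]:
    """First day in the window from which any object-level source can answer."""
    dates = [r.covered_from for r in results if r.object_level and r.covered_from]
    return min(dates) if dates else None

# Constructed inventory. Retention values are illustrative settings, not AWS facts,
# except the 90-day CloudTrail event history the article mentions.
SOURCES = [
    EvidenceSource("CloudTrail event history (management events)", 90, False),
    EvidenceSource("CloudTrail trail delivered to S3 (management events)", 365, False),
    EvidenceSource("CloudTrail S3 data events", 0, True),
    EvidenceSource("VPC Flow Logs", 30, False),
    EvidenceSource("Network session capture with payload", 180, True, date(2026, 2, 1)),
]
WINDOW_START, WINDOW_END = date(2025, 11, 1), date(2026, 5, 15)
INVESTIGATION_DATE = date(2026, 5, 16)

if __name__ == "__main__":
    results = assess(SOURCES, WINDOW_START, WINDOW_END, INVESTIGATION_DATE)
    for r in results:
        print(f"{r.name:55} from={r.covered_from} covered={r.covered_days:3} gap={r.gap_days:3}")
    print("earliest object-level evidence:", earliest_object_evidence(results))
```

With the constructed inventory, the 195-day window is fully covered only by the trail delivered to S3, which records management calls but nothing about what those calls returned; the 90-day event history reaches back to mid-February and leaves a 106-day gap; the data events that would name the S3 objects retrieved were never switched on; and the one object-level source that exists was enabled three months into the window, so the earliest day from which an object-level answer is possible is 2026-02-01. Running this against a real inventory, before any incident, shows exactly which months of a future investigation would have to be answered with a hedge.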

The good news is that the components of an investigable architecture already exist in most enterprise environments. Network sensors, payload-aware reconstruction, structured session storage, and queryable forensic archives are all available either as in-house builds or commercial categories. What separates organizations that can produce defensible answers from organizations that cannot is whether those components were assembled, configured, and retained with the long-window investigation in mind. Few were. The CISA case is an opportunity for the rest of the industry to revisit that assumption while the cost of the lesson is still being paid by someone else.

A useful framing for executive conversations on the topic is to separate the security program’s two distinct outputs. The first output is operational: prevent and contain intrusions in real time. The second output is evidentiary: produce a forensic record that holds up under public, regulatory, and legal scrutiny when an incident does occur. Most organizations have invested heavily in the first and very little in the second. The disclosure environment of 2026 is no longer forgiving of that asymmetry.

The agency at the center of this story will spend the coming months answering the same question its own public guidance has, for years, told the rest of the country to be ready to answer. What was actually accessed. The defenders who learn from watching that answer take shape — rather than wait until it is their turn to give it — will be the ones whose disclosures, attestations, and public statements still hold up the morning after.
