Cybersecurity Framework for a Global Logistics Provider

Standing up a Zero Trust posture across 38 countries after a near-miss ransomware event

The Challenge

The 2025 incident was a wake-up call rather than a disaster. An attacker compromised a VPN credential belonging to a third-party freight broker, used an unrotated service account to pivot into Meridian's customs-clearance application, and spent 19 days enumerating file shares before an alert SOC analyst at a managed security provider caught the activity. Forensics found 6.2 TB staged for exfiltration and active beacons on three domain controllers.

The post-mortem produced a humbling assessment. Meridian's environment had accumulated 16 years of acquisitions: 22 Active Directory forests, four EDR products of varying vintage, flat Layer 2 networks bridging IT and OT in 31 facilities, and 4,300 service accounts, 38% of which had not had their credentials rotated in over five years. The board demanded a plan, a budget, and monthly progress against an externally benchmarked maturity model.

Our Solution

TekNinjas led a 14-month program organized around the five CISA Zero Trust pillars: Identity, Devices, Networks, Applications & Workloads, and Data. Each pillar had a named TekNinjas lead, a Meridian counterpart, and a fixed set of measurable maturity targets reviewed monthly with the CISO and audit committee.

Identity

Consolidated 22 AD forests into a single Entra ID tenant, retaining two on-prem AD forests for legacy OT systems that cannot authenticate against the cloud. Migrated 11,400 users to phishing-resistant FIDO2 authentication. Stood up CyberArk Privileged Cloud for human privileged access and HashiCorp Vault for workload secrets, retiring 4,170 stale service accounts in the process.

Networks and OT segmentation

Replaced the legacy MPLS hub-and-spoke with Zscaler Internet Access (ZIA) for internet egress and Zscaler Private Access (ZPA) for application access. Used Claroty xDome to inventory 31,800 OT assets (scanners, conveyor PLCs, scale interfaces) and built micro-segmentation policies enforced via Cisco TrustSec security group tags at every facility's distribution layer. All east-west traffic between IT and OT zones now passes through an inspecting policy-enforcement point instead of flowing freely across the formerly flat L2 network.

Detection and response

Standardized on CrowdStrike Falcon across 22,000 endpoints (replacing four legacy EDRs), with TekNinjas's 24x7 managed SOC providing tiered triage and incident response. Detection logic was authored as Sigma rules in Git, peer-reviewed, and deployed via a CI pipeline that regression-tested every rule change against an Atomic Red Team library before it reached production, so a rule that stopped firing on a known technique failed the build rather than silently losing coverage. Mean time to detect critical alerts improved from 4.2 hours to 9 minutes.
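The detection-as-code loop described above, as an added example that is not TekNinjas's or Meridian's detection content: a hypothetical Sigma rule for the post-mortem's own pattern (a service account touching file shares from the VPN client pool), written as the Python equivalent of its YAML so it runs without a YAML library; a minimal evaluator for the Sigma subset the rule uses; and a regression suite of constructed Windows Security events that a CI job can gate on. The rule title, the `svc_` naming convention, the 10.250.0.0/16 VPN pool, the account names and the share names are all assumptions.

```python
"""Regression-test a Sigma rule against constructed events, the way a detection CI job would.
Added example; not TekNinjas's or Meridian's code. VPN pool, account and share names are assumed."""
from __future__ import annotations

import fnmatch
from typing import Any

# Hypothetical Sigma rule, written as the Python equivalent of its YAML structure.
RULE: dict[str, Any] = {
    "title": "Service account share access from VPN client pool",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 5140,                       # A network share object was accessed
            "SubjectUserName|startswith": "svc_",  # service-account naming convention (assumed)
            "IpAddress|startswith": "10.250.",     # VPN client pool (assumed)
        },
        "filter_backup_job": {                     # known-good: backup account on its own share
            "SubjectUserName": "svc_backup",
            "ShareName|endswith": "\\Backup$",
        },
        "condition": "selection and not filter_backup_job",
    },
    "level": "high",
}


def _match_value(actual: Any, pattern: Any, modifier: str | None) -> bool:
    """Compare one event field with one rule value; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    if modifier is None:
        return fnmatch.fnmatchcase(a, p)  # plain value; Sigma '*' and '?' wildcards honoured
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _match_map(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """A selection map is an AND of its fields; a list value for one field is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier or None) for v in values):
            return False
    return True


def _eval_condition(condition: str, truth: dict[str, bool]) -> bool:
    """Evaluate a Sigma condition of identifiers joined by 'and', 'or', 'not' (no parentheses)."""
    tokens, pos = condition.split(), 0

    def parse_not() -> bool:
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        return not parse_not() if tok == "not" else truth[tok]

    def parse_and() -> bool:
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result  # right side is always consumed, never short-circuited
        return result

    def parse_or() -> bool:
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result
        return result

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value


def matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """True if the event satisfies the rule's detection block."""
    detection = rule["detection"]
    truth = {name: _match_map(sel, event) for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], truth)


# Constructed regression cases: (name, Security event as a flat field map, should_fire).
# The first mirrors the incident; the rest are the benign traffic the rule must ignore or still catch.
CASES: list[tuple[str, dict[str, Any], bool]] = [
    ("svc account enumerating Finance$ from VPN pool", {"EventID": 5140, "SubjectUserName": "svc_customs",
     "IpAddress": "10.250.14.22", "ShareName": "\\\\FS01\\Finance$"}, True),
    ("backup job on its own share is filtered", {"EventID": 5140, "SubjectUserName": "svc_backup",
     "IpAddress": "10.250.3.9", "ShareName": "\\\\FS01\\Backup$"}, False),
    ("backup account wandering onto Finance$ still fires", {"EventID": 5140, "SubjectUserName": "svc_backup",
     "IpAddress": "10.250.3.9", "ShareName": "\\\\FS01\\Finance$"}, True),
    ("human user from VPN pool", {"EventID": 5140, "SubjectUserName": "jdoe",
     "IpAddress": "10.250.7.1", "ShareName": "\\\\FS01\\Finance$"}, False),
    ("svc account from server VLAN", {"EventID": 5140, "SubjectUserName": "svc_customs",
     "IpAddress": "10.20.5.40", "ShareName": "\\\\FS01\\Finance$"}, False),
]


def run_regression(rule: dict[str, Any], cases=CASES) -> list[str]:
    """Names of cases whose outcome differs from expectation; an empty list means the CI gate passes."""
    return [name for name, event, expected in cases if matches(rule, event) != expected]


if __name__ == "__main__":
    print("failures:", run_regression(RULE))  # expect []
    # A careless edit that drops the filter is caught before it reaches production.
    broken = {**RULE, "detection": {**RULE["detection"], "condition": "selection"}}
    print("failures after dropping the filter:", run_regression(broken))
```

In a real pipeline the positive cases would come from telemetry captured while running the corresponding Atomic Red Team test, and the rule would be compiled for the SIEM with a Sigma backend rather than evaluated by a hand-written matcher; the shape of the gate is the same, a non-empty failure list fails the build.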

Results & Impact

The board commissioned an independent assessment from a Big Four firm at month 12 to validate progress.

  • CISA ZTMM score: 1.4 -> 3.7 across the five pillars
  • Mean time to detect: 4.2 hours -> 9 minutes
  • Stale service accounts retired: 4,170 of 4,300
  • Two attempted intrusions detected and contained within minutes during the engagement
  • Cyber insurance premium renewal: 22% reduction at twice the prior coverage limit
  • Acquisition onboarding time: 9 months -> 6 weeks (the unexpected upside)

“TekNinjas treated security as an enabler, not a tax. We came out of the engagement with materially less risk and -- to our surprise -- a faster onboarding experience for new acquisitions.”

Technologies Used

Microsoft Entra ID, CrowdStrike Falcon, Zscaler ZIA, Zscaler ZPA, Claroty xDome, CyberArk, HashiCorp Vault, Cisco TrustSec, Splunk, Atomic Red Team

Related Case Studies

Accelerated Cloud Migration for a Global Retailer

Healthcare Workflow Automation for Claims Processing

AI-Powered Loan Approvals at a Leading Bank

Have a similar challenge? Let’s talk.

Our experts can help you turn complex problems into measurable outcomes.