
The Weakest Link in Cybersecurity: What MSPs Can Learn from Jesse Tuttle, aka Hackah Jack (Video)


At MSP GLOBAL 2025, one of the most memorable sessions didn’t come wrapped in a slick slide deck or a neatly packaged framework. It came as a story—unfiltered, occasionally uncomfortable, and grounded in hard experience.

Jesse Tuttle—known to many as “Hackah Jack”—shared the stage with his daughter Reese, and together they offered something the MSP world doesn’t hear often enough: what cybersecurity actually looks like from the attacker’s side.

Jesse’s background alone would have filled the room. A well-known—and, depending on who you ask, notorious—figure, he’s been on both sides of the law, moving from world-class cybercriminal to working with federal authorities and now helping organizations understand how attackers really think.

Reese brings a different kind of credibility—a next-generation threat researcher shaped by growing up inside that world, translating instinct into insight.

What followed wasn’t a technical walkthrough or a product pitch. It was a reality check, one foreshadowed in the pre-event interview Jesse was kind enough to give us.

Five practical lessons for MSPs

Compliance is where security starts—not where it ends

There’s a persistent myth that once compliance is “done,” security is in a good place. Jesse tore that apart quickly. Compliance, he argued, is just the baseline—the point where you begin, not where you stop.

Frameworks like CIS or NIST are valuable, but only in the way scaffolding is valuable. They give you structure, a shape to build around. They don’t make the building secure on their own. And yet, it’s still common to see compliance treated as a deliverable—a moment in time rather than an ongoing discipline.

The problem is that attackers don’t operate against frameworks. They operate in the real world. They look at how systems are actually configured, how people actually behave, and where the small gaps have been left behind after the audit is complete.

For MSPs, the real opportunity lies in what happens after the boxes are ticked—taking that baseline and shaping it into something that reflects the client’s actual risk profile, not just a generic standard.

The attacker mindset starts with curiosity

What makes Jesse’s story particularly valuable for MSPs is that it doesn’t begin with criminal intent. It begins with curiosity. A simple question about why software behaved differently led to reverse engineering, which in turn revealed a vulnerability, which eventually opened the door to something much bigger.

That progression matters because it highlights a gap in how many MSP teams are trained. Most are taught to follow processes, maintain systems, and resolve issues efficiently. All necessary. But attackers don’t think in processes. They think in possibilities.

They ask different questions. What happens if this fails? What wasn’t considered? Where is the edge case?

That mindset is where breaches are born.

The takeaway isn’t that every MSP needs to become an offensive security specialist, but that curiosity needs to be encouraged, not suppressed. The teams that actively look for weaknesses—that challenge assumptions and test boundaries—are far better positioned to defend against someone who is doing exactly that from the outside.

Opportunity, not importance, drives attacks

One of the more surprising threads running through Jesse’s story is the practicality of his decision-making. Targets weren’t always chosen because they were high-value. They were chosen because they were accessible, useful, or simply easier to exploit than other options.

That runs counter to a belief that still lingers among many MSP clients—that being small or relatively unknown offers some level of protection. It doesn’t. Attackers are not filtering targets by revenue or headcount. They’re looking for openings.

If a system is exposed, if a configuration is weak, if credentials are available, that’s enough.

For MSPs, this shifts the conversation. Security isn’t about making a client “important enough” to defend. It’s about understanding how exposed they are and reducing that exposure wherever possible. Because from an attacker’s perspective, convenience often outweighs value.

Layered security only works if you accept that something will fail

Reese brought useful insight to the discussion with a simple analogy: security as a layered defense system. The perimeter tries to stop threats early, users act as another line of defense, and endpoint protection is there to catch what inevitably slips through.

Something will always slip through.

That’s the part that’s often acknowledged but not fully accepted in practice. Too many environments are still designed as if one or two controls will be enough, as if the right combination of tools can eliminate risk entirely. In reality, every layer has weaknesses. People make mistakes. Filters miss things. Attackers adapt.

Layered security isn’t about building something perfect. It’s about building something resilient.

For MSPs, that means designing environments where failure is expected and accounted for. Where each control supports the others, and where the absence of any one layer doesn’t immediately lead to compromise. It also means recognizing that users are not just part of the solution, but part of the attack surface—something that needs to be managed with as much care as any piece of technology.

You’re already dealing with compromised data—act like it

Perhaps the most sobering moment came during the Q&A, when the conversation turned to data exposure. Jesse’s view was blunt: if you exist, your data is already out there in some form.

That may sound extreme, but it reflects the reality of years of breaches, leaks, and aggregation. Credentials circulate. Personal data is traded. Access is bought and sold.

Once you accept that, the focus shifts.

Security can’t just be about keeping everything out, because some of it is already in circulation. Instead, it becomes about visibility and response—understanding what’s happening inside an environment, identifying unusual behavior quickly, and limiting the impact when something goes wrong.

For MSPs, this is where maturity shows. Not in claiming that breaches won’t happen, but in being prepared for when they do.

Why this matters for MSPs

It’s easy for the MSP world to become comfortable. Familiar tools, familiar frameworks, familiar conversations. Necessary, but not always sufficient.

What Jesse and Reese brought to the stage was a different perspective—one that cuts through that comfort. Attackers don’t think in terms of best practice or compliance frameworks. They think in terms of gaps, opportunities, and outcomes.

And unless that perspective is part of how you approach security, something is missing.

Join the conversation in 2026

If this session made anything clear, it’s that the MSP industry benefits from more honesty and less polish when it comes to cybersecurity. The conversations that move things forward are the ones that challenge assumptions, not reinforce them.

MSP GLOBAL returns in October 2026, bringing together the people willing to have those conversations—and to share what’s actually happening on the front lines.

If you want to stay ahead of the curve, rather than reacting to it, this is where you need to be.

Sign up for the newsletter to get your free registration code.

Miles Kendall