Mick Baccio and Scott Roberts examine whether public breach signals can predict how a company’s stock will react before formal disclosure, using data from EDGAR filings, executive posts, and social media. Their analysis of U.S. cyber breach cases, including casino operators hit by ransomware, leads to mixed results and the skeptical conclusion they call “quantitized nihilism.” #LABScon25 #MickBaccio #ScottRoberts #EDGAR
Key points
- The talk investigates whether public indicators of a cyber breach can help anticipate stock market movement before official disclosure.
- The speakers use sources such as EDGAR filings, executive blog posts, and social media chatter to identify early signs of incident activity.
- Their trading concept is the “15/30” hypothesis: short the stock after a breach becomes visible, then go long as the market recovers.
- They built a dataset of public disclosures about “material” cyber breaches at U.S. companies using AI-assisted data collection.
- The analysis compares an intuition-driven model with a more structured Hidden Markov Model time-series approach.
- A case comparison of two similarly sized casino operators hit by ransomware shows that market outcomes can differ sharply based on response strategy, disclosure timing, and investor perception.
- The speakers conclude with “quantitized nihilism,” reflecting skepticism about assumptions behind cyber-event trading.
MITRE Techniques
- [T1591] Gather Victim Org Information – Public breach clues were collected from filings and online commentary to infer incident activity before disclosure (“public breadcrumbs can reveal incident activity early enough”)
- [T1598] Phishing for Information – Open-source material was monitored to extract signals that could indicate a breach before formal announcement (“EDGAR filings, executive blog posts, and social media chatter”)
- [T1597] Search Open Technical Databases – The team relied on public disclosures and regulatory filings as data sources for breach detection and analysis (“Drawing on sources such as EDGAR filings”)
- [T1596] Search Open Websites/Domains – Social media and executive posts were reviewed as open-web signals of compromise (“social media chatter” and “executive blog posts”)
- [T1059] Command and Scripting Interpreter – AI-assisted data collection and structured modeling were used to automate dataset building and analysis (“AI-assisted data collection”)
- [T1018] Remote System Discovery – Market and incident timelines were compared across multiple organizations to assess breach visibility and response patterns (“two similarly sized casino operators hit by ransomware”)
Indicators of Compromise
- [Organizations] Publicly discussed breach targets and conference hosts – U.S. companies, SentinelOne/SentinelLABS, and casino operators
- [File/Record Types] Public disclosure sources used for analysis – EDGAR filings, executive blog posts, social media chatter
- [Event/Research Artifact] Presentation and methodology references – “15/30” hypothesis, Hidden Markov Model
- [Dates] Conference timeline and submission date – LABScon 2025, June 19, 2026
Read more: https://www.sentinelone.com/labs/labscon25-replay-breach-alpha-trading-on-cyber-fallout/