A pattern across well-documented breaches and across less-documented territories.

Marriott acquired a network and removed the people who could read it. MGM built a helpdesk operated by people who could not refuse the calls the policy was designed to refuse. Target drew a security boundary that did not include the contractors who held the keys to the back door. Booking.com built a trust architecture in which no actor in the chain could verify the actor next to them. DarkHotel found the place where every link in the business travel chain had already conceded the territory. Across the Maghreb, infrastructure is administered by people whose names appear on no contract, in scans that return clean because the methodology was built for a different geography, on devices sold for the price of a meal.

These cases are expressions of the same structural feature. Organisations and territories distribute power according to internal logic, which means they also distribute attention according to internal logic. The distribution of attention is the map of the security perimeter, and that map is rarely drawn by the people who would draw it differently.