
Every attack begins with infrastructure that is planned, staged, and configured long before any malicious payload is delivered. Domains are registered through intermediaries. Certificates are issued to blend in with legitimate traffic. Servers are configured with open ports, delivery paths, and fallback logic that can support attack continuity even in the face of disruptions.
This is the attack setup window - activity that unfolds quietly and methodically. It happens hours or days before an attack is executed, and it shapes how the campaign will function once it starts.
Security teams can (and frequently do) identify setup window activity as it’s happening. They see the indicators in DNS records, certificate logs, external scans, and threat intelligence feeds. They can tell it aligns with known adversarial behavior. Yet the infrastructure stays in place, and no team steps in to suppress it.
As we’ve discussed in previous blogs, this is an issue of awareness and tooling. But it’s also an issue of ownership. Responsibility for attacks in large organizations typically begins after the compromise occurs. In this blog, we’ll take a deep dive into the setup window, who owns it and how to close it. Because as long as it remains unclaimed, adversaries will continue building their infrastructure in plain sight – without contest or interruption.
Signals Live in Disconnected Systems
One reason the setup window remains open is that early signals land in different systems, in front of different teams, with no unified path to escalate or act.
Domains registered through known infrastructure kits show up in threat intelligence feeds, which are tracked by intel teams. Certificate transparency logs reveal staging patterns that are monitored by infrastructure or PKI groups. DNS resolution activity surfaces through network tools that are operated by infrastructure or connectivity teams. External scanners flag exposed services and infrastructure that looks like what attackers used in past staging activity – and this is reviewed by vulnerability management teams. Each group usually works with its own platform, guided by separate workflows and reporting structures.
Even when these signals are recognized as part of the same campaign, it’s an organizational challenge to mount a coordinated response. The reason? Each team sees a different slice of the threat and operates according to its own scope, priorities, and triggers. The result is fragmented accountability. Teams observe setup activity without a shared mandate to suppress it. Adversarial infrastructure that everyone knows is out there stays online. The setup window stays open long after the threat is actually visible. And when no one steps in to close it, it gets used.
When No One Makes a Move, the Attacker Can
Nature abhors a vacuum - and an unclaimed setup window fills with risk. When no team is tasked with suppression, the attacker can move forward unopposed. The setup window becomes, for the attacker, an opportunity to strengthen infrastructure, test delivery paths, and ensure everything is ready to operate at scale. What defenders experience as quiet time is, for the adversary, a window of operational freedom.
That freedom comes at a cost - one that the organization will pay later.
The more infrastructure that stays active during setup, the more quickly the attack can move, the more systems it can reach, and the more effort it will take to contain. Why more effort? Because as the impact spreads, more teams are pulled in. What starts with the SOC quickly involves IT, identity teams, and business units. Legal and compliance teams step in to manage the regulatory exposure. Executives get pulled in to coordinate messaging and make risk management decisions. The longer the setup window stays open, the more people get involved - and the harder it becomes to control the impact.
The Setup Window Doesn’t Close Itself
To act during the setup window, teams need a defined way to evaluate signals across systems, then act with authority. Traditionally, that type of operational clarity comes from a playbook - a pre-prepared organizational guide that defines what should be considered actionable, who owns the decision, and what the next steps are in any given scenario.
A good playbook gives teams a common way to judge what matters. It helps everyone agree on what’s in scope, what’s worth acting on, and how confident you need to be before making a move. It spells out what kinds of infrastructure to flag, how to confirm intent, when to let automation take over, and when it’s time for a person to step in. It also lays out who’s responsible, how fast they need to respond, and what needs to be documented.
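One way to express such a playbook as code, as an added example that is not from the original post or from Malanta's platform: constructed signals from the four source systems described earlier are correlated per domain and mapped to an action, an owner, and a response time. The domains, weights, thresholds, owner names, and SLAs are all illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample signals, one record per source system (not real data).
SIGNALS = [
    {"source": "threat_intel", "domain": "login-examplecorp.example"},
    {"source": "ct_log", "domain": "login-examplecorp.example"},
    {"source": "ct_log", "domain": "LOGIN-examplecorp.example."},  # duplicate sighting
    {"source": "dns", "domain": "login-examplecorp.example"},
    {"source": "external_scan", "domain": "login-examplecorp.example"},
    {"source": "threat_intel", "domain": "pay-examplecorp.example"},
    {"source": "dns", "domain": "pay-examplecorp.example"},
    {"source": "ct_log", "domain": "cdn-assets.example"},
]

# Assumed weights (percent) for how much each source contributes to confidence.
WEIGHTS = {"threat_intel": 40, "ct_log": 25, "dns": 20, "external_scan": 15}

# Assumed playbook rows: (minimum confidence, action, owner, response SLA in hours).
PLAYBOOK = [
    (80, "auto_suppress", "setup-window-owner", 1),
    (50, "human_review", "setup-window-owner", 8),
    (0, "monitor", "threat-intel", 72),
]

def correlate(signals):
    """Group signals by normalized domain; each source counts once per domain."""
    sources_by_domain = defaultdict(set)
    for sig in signals:
        domain = sig["domain"].lower().rstrip(".")
        sources_by_domain[domain].add(sig["source"])
    return sources_by_domain

def decide(sources):
    """Score the corroborating sources and return the first playbook row that fits."""
    confidence = sum(WEIGHTS.get(src, 0) for src in sources)
    for floor, action, owner, sla_hours in PLAYBOOK:
        if confidence >= floor:
            return {"confidence": confidence, "action": action, "owner": owner,
                    "sla_hours": sla_hours, "evidence": sorted(sources)}

def run_playbook(signals):
    """Return one documented decision per domain across all source systems."""
    return {d: decide(s) for d, s in correlate(signals).items()}

if __name__ == "__main__":
    for domain, decision in run_playbook(SIGNALS).items():
        print(domain, decision)
```

A single low-weight sighting stays in monitoring, while the same domain seen by several independent systems crosses the threshold where the playbook hands the decision to a named owner or to automation.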
The right playbook is organizationally crucial to give teams clarity. But clarity alone doesn’t close the setup window. You also need tools that can spot the right signals, apply the right rules, and move fast enough to matter. That’s where Malanta comes in.
The Right Tools for the Job
Malanta was purpose-built to close the setup window. The platform identifies attacker infrastructure during the staging phase, then maps those signals to your actual environment. Each finding is evaluated based on attacker intent and business impact, so the noise stays low and the response stays focused.
From there, Malanta applies policy. It routes findings to the right teams, suppresses verified threats automatically, or initiates action through structured review. Every step is documented. Every move aligns with your thresholds for risk, scope, and confidence.
The Malanta platform takes the passivity out of the setup window. Teams act on what they see. Infrastructure gets taken down before it’s used. Risk is reduced at the source, not after the fact. Adversaries lose time, access, and momentum - because someone now owns the setup window. With Malanta and a solid pre-attack prevention playbook, the setup window is no longer a gap - it’s a decision point.
See how Malanta gives your team control over the setup window. Access the Platform today.









