
When a company suffers a cyber breach, its stock price often takes a hit, but the timing, depth, and duration of that reaction are far less predictable. In this LABScon25 presentation, Mick Baccio and Scott Roberts explore whether public indicators of breach activity can be used to anticipate market response before formal disclosure.
Drawing on sources such as EDGAR filings, executive blog posts, and social media chatter, the speakers examine how public breadcrumbs can reveal incident activity early enough to support an opportunistic trading strategy. At the center of the talk is their “15/30” hypothesis: short the stock after a breach becomes visible, then flip long as the market recovers.
To test the idea, Baccio and Roberts used AI-assisted data collection to build a dataset of public disclosures relating to “material” cyber breaches at U.S. companies. They then compared their initial, intuition-led model with a more structured time-series analysis based on a Hidden Markov Model to see whether a more rigorous timeline could improve performance.
Along the way, the presentation digs into real-world breach cases, market misreads, and missed opportunities. One particularly useful comparison looks at two similarly sized casino operators hit by ransomware around the same period, illustrating how market outcomes can diverge sharply depending on factors such as response strategy, disclosure dynamics, and investor perception.
After working through a set of highly mixed results, the speakers arrive at what they call “quantitized nihilism”, a conclusion that questions many of the assumptions analysts bring to cyber-event trading and how the market actually values cyber failures.
This talk is essential viewing for security practitioners, investors, and analysts interested in the messy intersection of cyber risk, public disclosure, and market psychology.
About the Authors
Mick Baccio is a globally recognized security strategist with a career spanning offensive operations, threat intelligence, and national-level incident response. He currently advises organizations around the world through his role at Splunk, helping security leaders improve operations through data-informed approaches. Mick was the first Chief Information Security Officer for a U.S. presidential campaign (2020), and previously served in the Obama White House as the Chief of the Threat Intelligence Branch.
Scott J. Roberts is a cybersecurity leader with over 15 years of experience specializing in cyber threat intelligence and threat hunting, following leadership roles at GitHub, Apple, and Splunk. He blends machine learning with traditional intelligence frameworks to track and disrupt nation-state and criminal adversaries.
LABScon 2026 | Call For Papers
Submission Deadline: June 19, 2026
LABScon is a unique venue for original research to be shared among peers. The benefit of an invite-only audience of researchers is that there’s no need for long preambles or introductions – speakers are encouraged to dive right into their technical findings.
- Original content only.
- Talks are 20 minutes long + 5 minutes for Q&A.
- Workshops are 90 minutes long.
- LABScon is primarily a threat intelligence and vulnerability research conference, but we keep an open mind.
About LABScon
This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Facts Only

* Mick Baccio and Scott Roberts explored anticipating market responses to cyber breaches.
* The research tested the "15/30" hypothesis: shorting stock after a breach becomes visible, then flipping long as the market recovers.
* The study used AI-assisted data collection from sources including EDGAR filings, executive blog posts, and social media chatter.
* Authors compared an initial, intuition-led model with a time-series analysis based on a Hidden Markov Model.
* The research examined real-world breach cases involving casino operators.
* The study concluded with a finding termed “quantitized nihilism.”
* Mick Baccio is a security strategist at Splunk.
* Scott J. Roberts specializes in cyber threat intelligence and threat hunting.
* The work was presented at LABScon 2025.

Executive Summary

Researchers investigated whether public indicators of cyber breach activity can be used to anticipate market responses before formal disclosure. The study explored an opportunistic trading strategy based on the "15/30" hypothesis: shorting stock after a breach becomes visible and flipping long as the market recovers. To test this, the authors used AI-assisted data collection from sources like EDGAR filings, executive blog posts, and social media chatter to build a dataset of material cyber breaches at U.S. companies. They compared an initial, intuition-led model with a more rigorous time-series analysis using a Hidden Markov Model to assess the predictive power of structured timelines. The analysis examined real-world casino operator cases to illustrate how market outcomes diverge based on response strategies and disclosure dynamics. The research ultimately led the speakers to a conclusion termed "quantitized nihilism," questioning existing assumptions about how the market values cyber failures and the role of analyst input in cyber-event trading.

Full Take

The research enters the debate over market efficiency and the value assigned to cyber risk by testing whether publicly available information provides a predictive edge for opportunistic trading. The core tension lies between the intuitive, event-driven approach and the more rigorous, model-based timeline analysis. The finding of "quantitized nihilism" suggests that the predictive power derived from public breadcrumbs may be significantly weaker than assumed by many analysts, implying that the market outcome is driven by factors beyond immediate public disclosure and easily quantifiable indicators. This challenges the notion that security practitioners and investors can reliably profit from the lag between incident activity and formal disclosure. The implications suggest that public disclosures, while important, are not the primary drivers of market valuation during a cyber event; rather, the true valuation is governed by complex, non-public factors related to organizational response, internal risk assessment, and institutional sentiment. This shifts focus from exploiting disclosure timing to understanding the deeper, hidden dynamics of cyber failure valuation.