You ever get that gut feeling when something smells off?
That’s what one of our partners felt when a client forwarded them a resume last week. We helped them analyze it. The issue? It looked like a normal PDF. Clean, crisp, nothing sketchy—until we popped it open in our lab.
Welcome to MatrixPDF—the new darling of the hacker underground. It’s the digital equivalent of a clown car that explodes when you open the trunk.
This thing takes a real document—yes, a real one—and gives it a hidden payload. Blurred overlays, fake “secure document” pop-ups, and scripts that silently call home when someone clicks anything. It even runs JavaScript inside the PDF. All it needs is one trusting user to click “Allow,” and the malware is already unpacking itself like it just got home from a cruise.
Now pair that with SpamGPT—AI-powered phishing at scale—and suddenly your “clean inbox” is now a hacker’s delivery queue.
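The document features described above (JavaScript inside the PDF, actions that fire on open or on a click and call home) are all declared with standard PDF name tokens, so a forwarded attachment can be triaged before anyone opens it. The sketch below is an added example, not code from the original post or from any MatrixPDF sample. The function names and the sample bytes are constructed for illustration, and the token list is an assumption based on the action types in the PDF specification.

```python
import re
import zlib

# PDF name tokens that give a document active behaviour; a plain resume needs none.
ACTIVE_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "actions bound to page or form-field events",
    b"/URI": "click action that opens an external URL",
    b"/Launch": "action that starts an external program",
    b"/SubmitForm": "action that sends form data to a server",
}
NAME_RE = re.compile(rb"/[^\s\x00/<>\[\]()%{}]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def _unescape(name):
    # Names may hide letters as #xx hex escapes, e.g. /J#61vaScript.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)

def _inflated_streams(data):
    # Dictionaries can sit inside Flate-compressed object streams.
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or encrypted: not inspected here

def triage_pdf(data):
    """Count active-content names in the PDF body and its Flate streams."""
    counts = {}
    blobs = [STREAM_RE.sub(b"", data), *_inflated_streams(data)]
    for blob in blobs:
        for raw in NAME_RE.findall(blob):
            name = _unescape(raw)
            if name in ACTIVE_NAMES:
                counts[name.decode()] = counts.get(name.decode(), 0) + 1
    return counts

# Constructed sample (not a real MatrixPDF file): obfuscated /JavaScript name
# plus a link action hidden in a compressed stream.
_link = zlib.compress(b"<< /Type /Action /S /URI /URI (https://example.invalid/view) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
          b"5 0 obj << /S /J#61vaScript /JS (void 0) >> endobj\n"
          b"7 0 obj << /Filter /FlateDecode >> stream\n" + _link + b"\nendstream endobj\n")

if __name__ == "__main__":
    for name, n in sorted(triage_pdf(SAMPLE).items()):
        print(f"{name:12} x{n}  {ACTIVE_NAMES[name.encode()]}")
```

A hit is a reason to open the file only in an isolated viewer or sandbox, not a verdict: legitimate PDFs use /URI links and forms, and encrypted or non-Flate streams are not inspected by this sketch.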
You Can’t Stop the Clicks
Let’s face it: someone on your client’s team is going to click.
You’ve trained them. (And have evidence that training links back to their controls…right?) You’ve simulated phishing. You’ve sent the “Don’t Click Suspicious Links” policy three times and even got a “read receipt” once.
Doesn’t matter.
Because when that resume lands on Brenda’s desk with the job title she’s hiring for, Brenda’s not thinking about cyber threats. She’s thinking, “Finally, someone who didn’t use Comic Sans.”
And click—now you’re in Incident Response Mode.
Your Controls Aren’t Failing. They’re Getting Outsmarted.
MatrixPDF doesn’t need to break your firewall. It just waits for your user to open a document.
SpamGPT doesn’t need zero-days. It just creates a convincing fake email at scale and keeps hammering inboxes until someone takes the bait.
So let me be clear: your tools are working. But they’re not enough.
Attackers are shifting tactics. They’re not looking for open ports—they’re looking for open people. And most MSPs are still acting like we can patch our way out of that problem.
The Real Risk? You Don’t Have a Plan
When someone clicks, what happens next?
If your answer is “well, we open a ticket and start triage,” you’re already behind.
You need a documented, tested, repeatable incident response plan. Not just for you—but for every client.
Because when ransomware hits, your client’s insurer or lawyer isn’t going to be asking about your endpoint detection. They’re asking:
- Where’s the incident response protocol?
- Who made the decisions?
- Who’s accountable?
- Why wasn’t this prevented?
If you don’t have it documented, it isn’t a great look. And there isn’t a great ending to the story.
Here’s the Part Where You Get Paid
If you’re writing incident response plans for free, you’re doing it wrong.
Every one of your clients should have a documented response plan—with real steps, real escalation procedures, and real contact trees.
And yes, you should be billing for it.
Why? Because it’s not optional anymore. Compliance isn’t protection. Antivirus isn’t prevention. Your plan is the only thing between a breach and a bankruptcy filing.
How to Scale It Without Going Insane
If you're thinking, “There’s no way I can write IR plans for all my clients,” you’re right—not without help.
That’s why we built Cyber Liability Essentials. It’s your shortcut to scale.
It gives you a structured, standardized, repeatable way to roll out incident response plans—across every client, regardless of size. And it makes it easy to track who’s compliant, who’s signed off, and who’s overdue (and likely to click next).
You don’t need to reinvent the wheel. You need to document the response—and make sure your clients know they’re on the hook if they ignore it.
Your Action Items—Yes, Right Now
- Write incident response plans for every client. No exceptions. Yes, even Steve’s brother-in-law’s dry cleaning business.
- Bill for the work. You’re not a charity. You’re a risk mitigation engine.
- Use Cyber Liability Essentials to scale it across your entire stack.
Because someone is going to click.
Might as well be ready when they do.


