In November 2025, the cyberattack on OnSolve CodeRED sent shockwaves across the US — and should also serve as a warning for businesses worldwide. According to reporting by BleepingComputer, the platform used by state, county, and municipal agencies to send emergency alerts was compromised, disrupting vital communications for weather events, evacuations, and public‑safety incidents.
The fallout from the breach was severe. The operator, Crisis24, decommissioned the legacy CodeRED environment after determining that it had been infiltrated. The attack affected the ability of numerous governments, first responders, and agencies to alert residents at critical moments.
The cybercriminal group INC Ransom has claimed responsibility for the breach. According to public claims, the adversaries gained access on November 1, encrypted data on November 10, and subsequently exfiltrated subscriber data — including names, addresses, emails, phone numbers, and even clear‑text passwords.
The attack exposed how even systems considered critical infrastructure are not immune to ransomware or data theft. For many municipalities, this meant a sudden loss of their primary tool for sending emergency alerts. Some agencies have since dropped the platform entirely, citing loss of trust and concerns over security.
For citizens who opted into CodeRED alerts, the stolen data raises concerns about identity theft, phishing, or future social engineering campaigns — especially if passwords were reused elsewhere.
This breach underscores a broader point: when software and services are compromised, the consequences ripple far beyond data loss. In this case, the breakdown impacted public safety and trust in institutions.
Most conventional cybersecurity programs — especially those built around detection, alerting, and response — assume that attackers will be detected before they do real harm. But what happens when detection fails or comes too late? As with the CodeRED attack, by the time the breach was discovered, attackers had already exfiltrated data and disabled a critical system. For organizations that rely solely on reactive defenses, this scenario reveals a fundamental shortcoming: detection does not guarantee prevention.
This is where proactive protection like AppGuard makes a difference. With more than a decade of proven success, AppGuard’s approach is not about chasing attacks. It’s about preventing malicious activity from executing in the first place through isolation and containment.
AppGuard limits the ability of unknown or unauthorized code to run — reducing the attack surface against modern threats like ransomware, zero‑day exploits, or stealthy intrusion techniques.
With isolation-based defense, even if attackers manage to breach perimeter defenses, they cannot easily pivot inside the network or disrupt critical systems.
In contexts like CodeRED — whether public‑safety infrastructure, healthcare networks, manufacturing operations, or supply‑chain systems — AppGuard helps ensure continuity, even when adversaries try to exploit legacy systems or third‑party dependencies.
For businesses today — especially those operating in sectors like manufacturing, healthcare, logistics, or services with complex third‑party dependencies — the risk is not hypothetical. Ransomware, supply‑chain attacks, and vendor compromises are rising. A reactive security stance is simply too fragile.
If you care about preserving operations, protecting customer trust, and safeguarding critical services, now is the time to shift your strategy. Reactive, detect‑and‑respond defenses leave too many gaps. You need a proactive, containment-focused solution.
Talk with us at CHIPS about how AppGuard can help secure your business against threats like the one that crippled CodeRED. Let’s move beyond “Detect and Respond” and build resilience through “Isolation and Containment.”
Investing now could mean the difference between a contained incident and a business‑crippling disruption.