Threat Intelligence | May 4, 2026 | 14 min read

When Your IR Vendor Is the Threat Actor: What the BlackCat Insider Sentencing Means for Third-Party Trust

Threat Intelligence Bulletin

Two former US incident responders sentenced to four years each for running BlackCat ransomware against US victims.

Source: US Department of Justice, April 30, 2026. Implications: third-party trust controls, IR retainer structure, NIST CSF GV.SC supply chain risk.

On April 30, 2026, the US Department of Justice announced that Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a former ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison. The two pleaded guilty to conspiracy charges in connection with ALPHV/BlackCat ransomware attacks they carried out against US victims between April and December 2023. They sat on the defender's side of the table by day. By night, they were the threat actor. The cybersecurity industry has been pointing at insider threat as a structural risk for two decades. This is the case that brings the question to the IR retainer itself.

What the Court Filings Establish

The DOJ filings describe a coordinated operation. Goldberg and Martin, together with co-conspirator Angelo Martino, deployed BlackCat ransomware against five victim organizations: a Florida medical company, a Maryland pharmaceutical company, a California medical practice, a California engineering firm, and a Virginia drone manufacturer. One victim paid approximately 1.2 million dollars in Bitcoin. After BlackCat affiliate fees, the conspirators kept 80 percent of the payment and split it three ways through cryptocurrency laundering channels.

The element that elevates this case from a criminal matter to a governance matter is the role context. Goldberg was managing incident response engagements at a recognized DFIR firm. Martin was negotiating ransoms on behalf of victims at a recognized ransomware negotiation firm. Goldberg admitted to using confidential information gained from his negotiator role, including victim insurance policy limits and internal negotiating positions, to extract maximum ransom payments for himself and other BlackCat affiliates. Goldberg fled the country in June 2024 ten days after an FBI interview and was tracked through ten countries before his arrest that September.

The factual pattern is rare. The structural exposure it reveals is not. Every organization with a DFIR retainer, a ransomware negotiation provider, or a managed detection and response vendor has accepted a similar trust posture. The vendor sees the most sensitive operational data in the organization's worst week. The vendor's personnel hold institutional knowledge that has commercial value to the threat actors the organization is paying the vendor to defend against. The case forces every CISO to ask whether the controls around that trust posture are adequate.

The Trust Asymmetry of an IR Engagement

An incident response engagement creates an information asymmetry that no other vendor relationship in the security stack matches. Within hours of activation, the vendor sees the victim's network topology, identity infrastructure, EDR telemetry, backup posture, executive communications, and frequently the cyber insurance policy and its sub-limits. The vendor's negotiator may see the threat actor's chat channel, the threat actor's tooling artifacts, and the actor's prior victim list. Few engagement types put a single vendor in possession of both the defender's playbook and the attacker's playbook simultaneously.

The traditional control for this asymmetry is reputation, augmented by retainer language and the vendor's own SOC 2 report. None of the three controls would have detected an insider running affiliate operations on personal time. Reputation cannot detect what is hidden. Retainer language is enforced after the fact. SOC 2 reports test designed and documented controls, not the integrity of an individual employee operating outside the documented environment.

The control gap matters because the trust ladder above and below an IR vendor is short. An organization activating an IR retainer is rarely in a position to validate its vendor's claims in real time. The board and the CEO are pressing for resolution. The cyber insurer is asking for next steps. The legal team is structuring privilege. The CISO is trusting that the vendor on the call is acting in the client's interest. The BlackCat case shows that the trust assumption can fail at exactly the wrong moment.

Where the Case Maps to NIST CSF 2.0

NIST CSF 2.0 elevated cybersecurity supply chain risk management to a dedicated category under the Govern function, GV.SC, in early 2024. The category requires organizations to define a supply chain risk management strategy, establish roles and responsibilities, integrate supply chain risk into enterprise risk management, evaluate suppliers and third parties before formal relationships, monitor those relationships throughout their lifecycle, and address risk after engagements end. The IR vendor category is squarely inside GV.SC scope, even though many TPRM programs treat IR retainers differently from typical SaaS or managed service vendors.

Three GV.SC subcategories are particularly relevant to the BlackCat case. GV.SC-04 requires that suppliers are known and prioritized by criticality. An IR retainer is high criticality by definition: the vendor is the on-call team for the worst day of the year. GV.SC-06 requires planning for and assessing risks before formal supplier relationships, which includes due diligence on the vendor's personnel practices, conflict of interest controls, and prior incident history. GV.SC-07 requires ongoing monitoring of supplier risk throughout the relationship, which encompasses public reporting on the vendor and any of its named principals or staff. The BlackCat case is the kind of public report that should trigger an immediate GV.SC-07 review for any client of the firms involved.

For organizations building or maturing a NIST CSF-aligned program, the case is a useful prompt to validate that GV.SC-aligned controls exist not just on paper but in operating practice. Our NIST CSF maturity assessment evaluates GV.SC implementation and gaps as a standard part of every engagement. Organizations starting earlier in their journey can review our practitioner guide to NIST CSF 2.0 implementation for the function-level structure.

The SOC 2 Trust Services Criteria Angle

Customers of an IR or ransomware negotiation vendor should request that vendor's SOC 2 Type 2 report and read the relevant Trust Services Criteria with this case in mind. Four criteria are pertinent.

CC1, control environment. CC1 covers the entity's ethical values, hiring practices, and personnel integrity. A SOC 2 Type 2 report should describe how the vendor screens, onboards, and continually evaluates personnel with access to client data. Look for evidence of pre-hire background checks (criminal, employment, financial, references), conflict of interest disclosures, and periodic re-screening for personnel in high-trust roles.

CC2, communication and information. CC2 covers the entity's policies and how they are communicated. For IR vendors, the relevant policies include client confidentiality, separation of duties, and personal trading or affiliate activity. A robust report describes whether the firm prohibits personnel from holding cryptocurrency wallets that could receive ransom payments and from communicating with threat actors outside of authorized client engagements.

CC4, monitoring activities. CC4 covers ongoing monitoring of the control environment. The most relevant control is whether the firm monitors personnel access to client data after engagements end. An IR engagement may close in a week, but knowledge of the client's network and insurance posture persists in the analyst's memory and notes for years. Monitoring should include logging of post-engagement access, periodic peer review of analyst activity, and exit procedures that preserve client confidentiality after personnel changes.

CC9, risk mitigation. CC9 covers how the entity addresses risks, including the risks created by personnel and third parties. For IR vendors, CC9 should include conflict of interest monitoring, ethics hotlines, and procedures for investigating suspected employee misconduct. The BlackCat case is the worst-case CC9 failure scenario.

Equally important to the vendor's own SOC 2 controls are the complementary user entity controls (CUECs) that the customer is expected to implement on its side. For IR engagements, the CUECs should include client-side approval of all negotiation positions, client-side custody of decryption keys and recovered data, and client-side authority over ransom payment decisions. Many IR retainers blur these CUECs by deferring to the vendor on operational decisions during a live incident. The BlackCat case argues for tightening them.

Practical Steps for the Next 30 Days

The BlackCat sentencing does not require panic. It does require a structured review. The following steps are appropriate for any organization with an active IR retainer, a ransomware negotiation arrangement, or an MDR contract that includes incident handling.

Action | Owner | Framework Anchor
Inventory all IR, negotiation, MDR, and DFIR retainers | CISO / TPRM | NIST CSF GV.SC-04
Request and review each vendor's SOC 2 Type 2 report | TPRM | SOC 2 CC1, CC2, CC4, CC9
Confirm conflict of interest and personal trading attestations | Legal / TPRM | SOC 2 CC1, CC9
Validate that retainer includes audit rights and notification of staffing changes | Legal | NIST CSF GV.SC-06
Update IR runbook to require client custody of ransom payment decisions | CISO / Counsel | NIST CSF RS.MA
Brief the cyber insurance broker and carrier on changes to IR posture | CISO / Risk | NIST CSF GV.RM
Test the runbook in a tabletop exercise scoped to vendor failure | CISO | NIST CSF RS.MI

Organizations without a formal IR retainer face a related question: have you defined who you would call, on what terms, and with what controls? A retainer signed under pressure during a live incident is far more likely to inherit the trust gaps the BlackCat case exposed than one negotiated with deliberation. Selection should treat IR vendor diligence with the same rigor as a managed service provider or cloud platform, not as a checkbox formality.

How This Connects to the Broader Trust Story

The BlackCat case is one node in a larger pattern. The same week, the cybersecurity industry watched the Medtronic and ShinyHunters extortion campaign illustrate the data-theft model and its regulatory implications under HIPAA. The week prior, the April 2026 threat roundup covered Patch Tuesday volume, COPPA enforcement, and the SaaS ransomware trajectory. Across all three signals, the operational concept is the same: the organizations defending mid-market enterprises depend on a deeper chain of vendors, models, libraries, and personnel than the typical TPRM program reviews. The work of governance is to make that chain visible and the trust assumptions explicit.

For organizations whose AI deployments now depend on a similar chain of model providers, inference vendors, and orchestration libraries, the same logic applies. Our recent practitioner guide on AI supply chain risk and third-party model governance walks through the parallel set of controls for the AI vendor stack. The unifying principle: the third-party trust surface is bigger than the contract surface, and the gap is where the next breach happens.

Frequently Asked Questions

What happened in the BlackCat insider sentencing case?

On April 30, 2026, the US Department of Justice announced four-year federal prison sentences for Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a former ransomware negotiator at DigitalMint. They pleaded guilty to conspiracy charges related to ALPHV/BlackCat ransomware attacks against five US victim organizations between April and December 2023. One victim paid approximately 1.2 million dollars in Bitcoin, of which the conspirators kept 80 percent through laundering channels.

Why does this case matter beyond the criminal facts?

The case is a third-party trust failure at the most sensitive vendor relationship in the security stack. IR vendors and ransomware negotiators see the victim's network, playbook, insurance limits, and executive negotiating posture. Goldberg admitted to using confidential information from his negotiator role to extract maximum ransom payments as a BlackCat affiliate. The BlackCat case forces every CISO to ask whether their TPRM program covers this trust posture and whether their IR retainer language reflects the failure modes the case exposed.

What controls could have detected an IR vendor running ransomware on the side?

Five control categories: ongoing personnel screening at the vendor, separation of duties between negotiator and investigator roles, mandatory client communication routed through vendor leadership, audit rights in the master services agreement, and victim-side instrumentation that produces an independent timeline. None are exotic. They are the same NIST CSF Govern (GV) and Identify (ID) practices mature TPRM programs apply to other high-trust vendor categories.

How does NIST CSF 2.0 frame third-party trust for IR vendors?

NIST CSF 2.0 elevated cybersecurity supply chain risk management to GV.SC under Govern in early 2024. For IR retainers, GV.SC obligations include due diligence at selection (financial health, personnel screening, conflict of interest, prior incident history), contractual requirements (audit rights, sub-processor disclosure, notification of personnel changes), and ongoing monitoring (annual reassessment, public incident review, attestation validation). The BlackCat case is a textbook GV.SC failure scenario.

Should organizations rethink their IR retainer relationships after this case?

Most organizations should review the structure of their IR retainers, not necessarily replace the vendor. Key questions: Does the retainer require personnel screening and conflict of interest attestations? Does it require notification when staff who worked your engagements leave? Does it preserve audit rights to vendor case files in a dispute? Does your runbook require client leadership and counsel to make ransom payment decisions with vendor advice? Does your insurer maintain independent visibility into negotiations? Most retainers were not written with these failure modes in mind.

What is the SOC 2 angle for IR and ransomware negotiation vendors?

Customers should request the vendor's SOC 2 Type 2 report and review CC1 (control environment, including hiring and personnel integrity), CC2 (communication, including confidentiality and personal trading policies), CC4 (monitoring activities, including post-engagement access logging), and CC9 (risk mitigation, including conflict of interest monitoring). Equally important: review the vendor's complementary user entity controls and tighten the client-side controls the BlackCat case exposed.

Frequently Asked Questions

What happened in the BlackCat insider sentencing case?

On April 30, 2026, the US Department of Justice announced that Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a former ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison. The two pleaded guilty to conspiracy to obstruct commerce through extortion in connection with ALPHV/BlackCat ransomware attacks they carried out against US victims between April and December 2023, alongside co-conspirator Angelo Martino. The victims included a Florida medical company, a Maryland pharmaceutical company, a California medical practice, a California engineering firm, and a Virginia drone manufacturer. One victim paid approximately 1.2 million dollars in Bitcoin, of which the conspirators kept 80 percent and split three ways.

Why does this case matter beyond the criminal facts?

The case is the most consequential third-party trust failure the cybersecurity industry has seen this decade. Incident response vendors and ransomware negotiators sit inside the most sensitive moment of a victim organization's operating life. They see the network, the playbook, the insurance policy limits, and the executive negotiating posture. Goldberg admitted to using confidential information he gained while working as a ransomware negotiator, including victim insurance limits and internal negotiating positions, to extract maximum ransom payments as a BlackCat affiliate. The breach of trust occurred at the exact layer where independent verification is hardest. For CISOs, the case forces a structural question: what controls would have detected this kind of betrayal, and which of those controls are operational in your TPRM program today?

What controls could have detected an IR vendor running ransomware on the side?

Five control categories are relevant. Background and ongoing screening of personnel with privileged access at the vendor, going beyond pre-hire checks to periodic re-screening of staff who handle multiple victim engagements. Separation of duties between the negotiator role, the threat-intelligence-on-the-actor role, and the technical investigator role. Mandatory client communication channels routed through the vendor's senior leadership rather than a single named contact. Audit rights in the master services agreement that allow the client to request unredacted activity logs from the vendor's case management system. And victim-side instrumentation that produces an independent timeline (NDR, EDR, identity logs) the vendor cannot influence. None of these are exotic. They are the same NIST CSF Govern (GV) and Identify (ID) practices that mature TPRM programs already apply to other high-trust vendor categories.
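The last two controls in that list, audit rights to the vendor's case file and a victim-side timeline the vendor cannot influence, only pay off if someone actually reconciles the two. The following Python is an added example, not Z Cyber's tooling or any vendor's real export format: it assumes a CSV-style case-management export from the vendor and a client-side identity-provider sign-in log for the vendor's named accounts (both constructed here), and flags vendor-account activity after the engagement window, client-observed activity the vendor did not report, and vendor-reported activity the client's own logs do not support.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the vendor's case-management activity export, in an
# assumed CSV layout (timestamp, account, action, case id), as handed over
# under the retainer's audit rights.
VENDOR_CASE_LOG = """\
2023-06-02T14:05:00Z,analyst.a@vendor.example,vpn-login,case-1182
2023-06-02T15:20:00Z,analyst.a@vendor.example,edr-console,case-1182
2023-06-05T09:00:00Z,analyst.b@vendor.example,backup-review,case-1182
2023-06-08T10:00:00Z,analyst.b@vendor.example,report-upload,case-1182
"""

# Constructed sample: the client's own identity-provider sign-in log for the
# vendor's named accounts (assumed layout: timestamp, account, app, result).
# This is the independent timeline the vendor cannot edit.
CLIENT_IDP_LOG = """\
2023-06-02T14:04:51Z,analyst.a@vendor.example,vpn,success
2023-06-02T15:19:40Z,analyst.a@vendor.example,edr-console,success
2023-06-05T08:59:30Z,analyst.b@vendor.example,backup-portal,success
2023-06-07T11:02:10Z,analyst.b@vendor.example,file-share,success
2023-06-21T23:40:12Z,analyst.a@vendor.example,vpn,success
2023-06-21T23:41:05Z,analyst.a@vendor.example,insurance-share,success
"""

# Engagement window as defined in the retainer (constructed dates).
ENGAGEMENT_START = datetime(2023, 6, 1, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2023, 6, 9, tzinfo=timezone.utc)


def parse_log(text):
    """Parse a CSV-style export into (timestamp, account, detail) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, detail = line.split(",")[:3]
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, account, detail))
    return rows


def reconcile(vendor_text, client_text, start, end, tolerance=timedelta(minutes=5)):
    """Return (post_engagement, unreported, unsupported), each a list of
    (ISO timestamp, account, detail) tuples:
      post_engagement: vendor-account activity in client logs outside the window
      unreported:      client-observed activity with no vendor entry for that
                       account within `tolerance`
      unsupported:     vendor-reported activity with no client-side evidence
    """
    vendor, client = parse_log(vendor_text), parse_log(client_text)

    def matched(event, pool):
        ts, account, _ = event
        return any(a == account and abs(t - ts) <= tolerance for t, a, _ in pool)

    def fmt(event):
        return (event[0].isoformat(), event[1], event[2])

    post_engagement = [fmt(e) for e in client if not (start <= e[0] <= end)]
    unreported = [fmt(e) for e in client if not matched(e, vendor)]
    unsupported = [fmt(e) for e in vendor if not matched(e, client)]
    return post_engagement, unreported, unsupported
```

Calling reconcile(VENDOR_CASE_LOG, CLIENT_IDP_LOG, ENGAGEMENT_START, ENGAGEMENT_END) on the constructed data flags two post-engagement sign-ins, three unreported events and one vendor-reported action with no client-side evidence; each is a question for the vendor, not a conclusion.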

How does NIST CSF 2.0 frame third-party trust for IR vendors?

NIST CSF 2.0 elevated supply chain risk management to a dedicated category under the Govern function, GV.SC, in early 2024. The category requires organizations to define a cybersecurity supply chain risk management strategy, establish roles and responsibilities, integrate supply chain risk into enterprise risk management, evaluate suppliers and third parties before formal relationships, and monitor those relationships throughout their lifecycle. For IR retainers and ransomware negotiation services, GV.SC obligations include due diligence at selection (financial health, personnel screening, conflict of interest disclosures, prior incident history), contractual requirements (audit rights, data handling, sub-processor disclosure, notification of personnel changes on the engagement), and ongoing monitoring (annual reassessment, review of public incidents involving the vendor, validation of the vendor's own attestations). The BlackCat insider case is a textbook GV.SC failure scenario.

Should organizations rethink their IR retainer relationships after this case?

Most organizations should review the structure of their IR retainers, not necessarily replace the vendor. The questions worth asking: Does the retainer agreement include personnel screening and conflict of interest attestations? Does the agreement require notification when staff who have worked your engagements leave the firm? Does the agreement preserve your right to request a forensic audit of the vendor's case file in the event of a dispute? Does your incident response runbook require that ransom payment decisions and amounts are made by client leadership and counsel, with the vendor advising rather than negotiating on the client's behalf? Do your cyber insurance carrier and outside counsel maintain independent visibility into negotiations rather than relying on a single vendor channel? Most retainers were not written with these failure modes in mind. The case is the prompt to update them.

What is the SOC 2 angle for IR and ransomware negotiation vendors?

Customers of an IR or negotiation vendor should request that vendor's SOC 2 Type 2 report and review the controls related to the Trust Services Criteria. The most relevant criteria are CC1 (control environment, including hiring and personnel integrity), CC2 (communication and information, including client confidentiality), CC4 (monitoring activities, including continuous evaluation of personnel access), and CC9 (risk mitigation, including conflict of interest and ethics monitoring). A SOC 2 report does not prevent a determined insider, but it establishes whether the vendor has documented controls that an auditor has tested. Equally important is reviewing the vendor's complementary user entity controls, the controls the customer is expected to implement on its own side. For IR engagements, those CUECs include client-side approval of all negotiation positions, client-side custody of decryption keys and recovered data, and client-side authority over ransom payment decisions.
