The idea that a cyberattack can instantly kill a company has been repeated so often that it’s become accepted truth. It shows up in conference talks, vendor pitches, and boardroom conversations. It’s simple. It’s scary – and it’s largely unsupported.
That’s the problem Adrian Sanabria set out to solve.
I've known Adrian for many years. We've worked together a lot in that time, including during my role right before joining CYBR.SEC.Media. I've always been impressed by the level of detail that goes into his work, whether he's hosting a webcast, helming his Enterprise Security Weekly podcast or assembling technical reviews of various security vendors and their products.
He just launched a website for a project he's been working on for the last decade: "Destroyed By Breach." Let's have a look at the site, why it was created and what Sanabria hopes people will walk away with after visiting:
The site lists all known companies who ultimately ceased to exist because they couldn't overcome the damage from a data breach.
A detailed table lets the reader search by company, year of compromise and ultimate cause of destruction.
The cybersecurity industry has spent years telling companies that a breach is an extinction-level event. Sanabria went looking for proof and couldn’t find it. What he did find was a much smaller set of companies that actually collapsed after breaches, and a much clearer pattern: they weren’t prepared to recover.
Origins
The origin of "Destroyed By Breach" goes back to two moments that didn’t sit right with Sanabria:
The first was Code Spaces, a small company that lost access to its AWS environment in 2014 and shut down almost immediately. It was shocking, but also highly specific: a five-person team with no real safety net.
The second was a statistic that gets thrown around constantly: 60% of small businesses go out of business within six months of a breach. There was no credible evidence behind the number.
So Sanabria went looking for real data. Starting in 2017, he began collecting examples of companies that actually failed following a breach. Over time, that list grew, but not in the way the fear-driven narrative would suggest.
The reality: companies rarely go out of business because of a breach. What they do instead is get breached and then fail to recover because they didn't have the right procedures in the first place.
Uncomfortable Truths
When you look at the companies that did collapse, the pattern is consistent. The breach wasn’t the root cause. It was the trigger. The real problem was everything that came after.
- No incident response plan.
- No ability to contain the damage.
- No backups or recovery strategy.
- No operational resilience.
Once systems went down, they stayed down. Once customers lost trust, it didn’t come back. The business didn’t just take a hit, it had no way to stabilize.
This aligns with what Sanabria and Adam Shostack discussed in their RSAC 2026 session "Failure is a Terrible Thing To Waste: The Case for Breach Transparency."
Other industries have built entire systems around failure analysis. Aviation, healthcare, transportation — they investigate incidents in detail, publish findings, and turn them into operational improvements. Cybersecurity, by contrast, still operates on fragments: breach headlines, partial disclosures, and marketing spin.
The result is a distorted understanding of risk.
More Noise Than Signal
Part of the problem is structural. Companies don’t want to share breach details. The reasons are predictable: fear of litigation, regulation, reputational damage, and plain embarrassment.
But that lack of transparency creates a vacuum and the industry fills it with assumptions. That’s how bad statistics spread. That’s how narratives harden into “truth.” And that’s how security teams end up chasing the wrong priorities.
Sanabria’s data challenges that directly. If breach-driven business collapse is rare, then the conversation needs to shift. The focus shouldn’t be on preventing every possible breach at all costs. That’s not realistic. It should be on what happens next.
Fail Less Hard
One of the more useful ideas in Sanabria’s research is that you may not be able to avoid failure, but you can control how hard you fail.
The data backs that up. Breaches happen quickly while detection and response still lag behind. That gap is where damage compounds. And it’s where prepared organizations separate themselves from the ones that collapse.
The companies that survive aren’t the ones that never get breached. They’re the ones that can:
- Detect and contain quickly
- Restore systems without chaos
- Communicate clearly under pressure
- Maintain enough trust to keep operating
Why This Makes People Uncomfortable
Sanabria’s work undercuts a convenient narrative. If breaches don’t usually kill companies, then “fear of extinction” isn’t a reliable way to drive security investment. It forces a more nuanced and harder conversation about risk, priorities, and outcomes.
It also shifts accountability.
Instead of blaming attackers, it puts the spotlight on internal decisions: planning, investment, execution, and leadership. That’s a tougher message to sell. It doesn’t fit neatly into marketing slides. And it doesn’t give easy answers.
What Matters Now
"Destroyed By Breach" isn’t arguing that breaches don’t matter, but that we’ve been focusing on the wrong part of the story. The breach is the beginning. What determines the outcome is everything that follows.
The companies that collapsed didn’t just get breached. They were exposed as unprepared, and when the pressure hit, they had nothing to fall back on. Each failure presents a lesson that can help organizations increase their chances of survival going forward.
That’s the real lesson Sanabria hopes visitors of the site walk away with.
