How a CISA red team assessment proved one agency’s hardened network was still vulnerable to phishing attacks and credential theft.