Security is a process, not a product
The strongest sentence in journalist digital security is the one the EFF keeps repeating: it is a process, not a product. There is no single app, setting, or purchase that makes a reporter safe. What works is a habit — threat-model honestly, apply the controls that match, and revisit them when the beat or the adversary changes. This guide does not try to out-checklist the organizations that maintain the canonical baselines. It points you to them, then focuses on the part most guides skip: what to do, and what forensics can establish, when prevention has already failed.
Start with a threat model
Before any tool, answer four questions: what are you protecting, who wants it, what can they realistically do, and what happens if they succeed? A local-corruption reporter and a national-security reporter face different adversaries and need different defenses. The EFF’s Surveillance Self-Defense calls this making a security plan, and it is the step that makes every later choice rational instead of superstitious. EFF Surveillance Self-Defense is the reference we send people to first.
The hardening that earns its place
A small set of controls does most of the protective work for a working journalist:
- Phishing-resistant 2FA. FIDO2 security keys or passkeys, not SMS codes — the single highest-value account control.
- Full-disk encryption on every laptop and phone, with a strong passphrase.
- Signal for sensitive conversations, with disappearing messages where it fits.
- A password manager with unique credentials for every account, so one breach does not cascade.
- Prompt updates. Many targeted exploits chase patched bugs; lagging updates are an open door.
- Compartmentalization. Keep a sensitive beat off the accounts and devices you use for everyday life.
The step-by-step versions of all of this are maintained, and kept current, by the people whose job it is: the Freedom of the Press Foundation and the Committee to Protect Journalists. We treat those as the canonical baseline. We are not affiliated with them; we apply the same standards and cite them as the reference.
When prevention is not enough
Hardening shrinks your attack surface dramatically, and against most opportunistic and criminal threats that is decisive. It is not immunity. Mercenary spyware has been delivered through zero-click exploits that require no mistake from the target — no link tapped, no attachment opened. When a credible reason exists to think something already happened, the answer is not a longer checklist. It is confirmation.
What forensic confirmation can establish
A prevention guide cannot tell you whether you were already breached. A forensic examination can look for indicators of compromise — anomalous sign-ins, planted mail-forwarding rules, unexpected configuration profiles, artifacts consistent with known spyware families — and document what is and is not present, to a standard that can support an insurance claim, a police report, or your counsel. We are candid about the limit: forensics can report “no known indicators of compromise found,” which is not the same as proving a device is clean. If you suspect a targeted intrusion right now, move to newsroom device compromise response, which covers preservation and the confirmation method in detail.
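The reporting limit described above can be made concrete with a short sketch. This is an added example, not part of the original guide or any examiner's tooling: the record fields, the sample data, and the "sign-in from an unusual country" heuristic are all assumptions made for illustration. It checks two of the indicators named above and never reports more than the evidence supports.

```python
# Constructed sample data; the record fields are hypothetical and do not
# match the export format of any real mail or identity provider.
OWN_DOMAINS = {"newsroom.example"}
USUAL_COUNTRIES = {"US"}
MAIL_RULES = [
    {"name": "Newsletters", "action": "move", "target": "Newsletters"},
    {"name": ".", "action": "forward", "target": "archive@mailbox.example"},
]
SIGN_INS = [
    {"time": "2024-03-02T08:14:00Z", "country": "US", "mfa": "security_key"},
    {"time": "2024-03-02T03:41:00Z", "country": "ZZ", "mfa": "none"},
]

def check_forwarding(rules, own_domains):
    """Flag rules that forward or redirect mail outside the owner's domains."""
    hits = []
    for r in rules:
        if r["action"] in ("forward", "redirect"):
            domain = r["target"].rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                hits.append(f"mail rule {r['name']!r} forwards to {r['target']}")
    return hits

def check_sign_ins(events, usual_countries):
    """Flag sign-ins from outside the account owner's usual countries."""
    return [f"sign-in from {e['country']} at {e['time']} (mfa: {e['mfa']})"
            for e in events if e["country"] not in usual_countries]

def examine(evidence):
    """evidence maps a source name to its records, or omits it if not collected."""
    checks = {
        "mail_rules": lambda d: check_forwarding(d, OWN_DOMAINS),
        "sign_ins": lambda d: check_sign_ins(d, USUAL_COUNTRIES),
    }
    findings, not_examined = [], []
    for source, check in checks.items():
        data = evidence.get(source)
        if data is None:
            not_examined.append(source)  # absence of data is reported, not hidden
        else:
            findings.extend(check(data))
    verdict = ("indicators of compromise found" if findings
               else "no known indicators of compromise found")  # never "clean"
    return {"verdict": verdict, "findings": findings, "not_examined": not_examined}

if __name__ == "__main__":
    print(examine({"mail_rules": MAIL_RULES, "sign_ins": SIGN_INS}))
```

The `not_examined` list is the part that matters for the written record: a source that was never collected cannot contribute to a "no known indicators" statement.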
What working with us means
- Written scope before any work. You see a written scope — deliverables, timeline, and price — and approve it before we begin. You are never billed for work you did not authorize.
- We commit to findings, not outcomes. We tell you up front what the evidence can and cannot establish. Recovery, attribution, and prosecution are decided by banks, platforms, insurers, and courts — we produce the record they act on, and we put that distinction in writing.
- Every case is investigated, not just scanned. A credentialed examiner reviews every case before findings leave the practice. You get a documented investigation to court-admissible standards — not a single automated scan and a one-line answer.
- We will tell you if you do not need us. If a free or simpler step — a police report, an IC3 filing, a platform's own recovery flow — would resolve your situation, we point you there first.
Related guides
Protecting a specific source or intake channel is its own discipline — see protecting journalistic sources. Verifying open-source material for a story is covered in OSINT for journalists. The overview of how a forensic practice supports reporting is on the For Journalists hub.

















