Summary

  • The July 2021 Kaseya VSA incident turned a vendor and managed-service provider problem into a downstream accountability problem because many affected businesses depended on MSP notice and recovery even though they did not directly operate VSA.
  • Public evidence shows that Kaseya was already working with DIVD through coordinated disclosure before the attack, that several vulnerabilities had been remediated, and that vulnerable on-premises systems still existed when REvil actors exploited VSA on July 2, 2021.
  • Kaseya's post-alert actions, including shutting down hosted VSA, advising on-premises customers to shut down, calling in responders, contacting government partners, and releasing a detection tool, were important. They do not answer every question about pre-exploit exposure reduction or how quickly downstream clients received usable guidance.
  • The victim denominator is layered. Kaseya later described fewer than 60 directly affected customers, many of them MSPs, and fewer than 1,500 downstream businesses. Those figures describe different positions in the dependency tree and should not be collapsed into one number.
  • The repair standard is observability: a managed-service ecosystem should be able to show who was exposed, who was warned, who shut down, who was encrypted, who received recovery instructions, and whether customers without direct control over VSA could see the risk in time to protect continuity.

Detection delay traveled through the service chain

The Kaseya incident is often described as a supply-chain ransomware attack. That is broadly right, but the phrase can hide the specific accountability path. The public record does not show that attackers altered Kaseya's software build or shipped a malicious vendor update. Kaseya's incident overview and technical details says attackers exploited zero-day vulnerabilities in on-premises VSA, bypassed authentication, achieved command execution, and used standard VSA functionality to deploy ransomware to managed endpoints. The trust path ran through administration authority, not a poisoned vendor package.

That distinction matters for detection and disclosure. VSA is remote monitoring and management software. Managed service providers use such tools to inventory devices, run maintenance, deploy software, and support customers that often lack their own full-time technical staff. When an attacker controls the VSA server, the malicious action can look like an administrative action until behavior, timing, payloads, or customer reports reveal otherwise. The first clear warning may appear at an MSP, a downstream client, a security vendor, the software company, or a government partner. None of those positions sees the entire chain.

Kaseya's July 5, 2021 press release said internal and external sources alerted the company to a potential attack at about 2 p.m. Eastern time on July 2 and that the company acted within an hour to shut down its hosted VSA environment and advise on-premises customers to shut down their servers. That after-alert action was consequential. It likely limited further spread. But a downstream accountability analysis asks a longer question: when did the risk become knowable at each layer, and how fast did the warning move from the first layer that knew to the businesses that would lose systems?

Huntress, which received early reports from affected partners, published a recap of events and lessons learned. Its account described MSP reports arriving close together, the common VSA link, payload staging, cleanup actions, and delivery through management functions. Sophos published a contemporaneous technical account from the endpoint and response side. Those responder narratives are not global victim counts, but they show why detection delay in this case was distributed. The first business noticing encryption was not necessarily the party with authority to fix VSA.

The FBI's public statement on the Kaseya attack reinforced the shutdown instruction and urged reporting. CISA and FBI later issued joint guidance through this advisory PDF, recommending the detection tool, multifactor authentication, restricted remote management communication, VPN or firewall protection for administrative interfaces, protected backups, and least privilege. Those are strong post-discovery measures. The unresolved issue is how much exposure could have been reduced before the criminal clock ran out.

Detection delay therefore cannot be measured only inside Kaseya. It must be measured at the points where MSPs could see abnormal VSA behavior, where downstream companies could recognize that their provider's tool was the path, and where public agencies could turn incident reports into broader warning. The incident turned a concentrated management platform into a relay problem.

Coordinated disclosure met a criminal deadline

The pre-exploit record is unusually important because it resists both easy condemnation and easy absolution. DIVD's limited disclosure said the nonprofit research group had begun examining VSA in April 2021 and had notified Kaseya on April 6. DIVD stated that Kaseya's response had been timely and engaged, and that the company was working with the researchers on fixes. That matters. The public evidence does not support a simple claim that the vendor ignored responsible reports.

DIVD's maintained case record shows the other side of the timeline. The case involved multiple vulnerabilities. Some were fixed before July. Kaseya's hosted environment received relevant fixes before the attack. On-premises VSA servers still needed action when the ransomware event began. DIVD later published full vulnerability details, including CVE-2021-30116, and NVD's CVE-2021-30116 entry now records that the issue was exploited in the wild.

This sequence creates a hard accountability standard. A vendor that works with researchers in good faith can still face a downstream failure if remediation, exposure reduction, and customer warning do not outrun adversary rediscovery. Coordinated disclosure is designed to reduce harm by allowing fixes before public detail. It also creates a period in which a small number of people know that a high-consequence product is vulnerable while many operators do not know enough to change behavior. The more privileged the product, the shorter that period should be.

VSA's role amplified urgency. A remote administration product is not an ordinary content site. It is a control plane for customer machines. If a critical authentication or authorization weakness exists in an internet-facing VSA server, the plausible consequence is not only compromise of one server. It is malicious action across every endpoint that trusts that server. That means interim controls should be treated as part of the disclosure process, not as optional hardening after a patch.

The public record leaves several pre-attack questions unresolved. Which exposed operators did Kaseya privately contact before July 2? What exact interim restrictions were required or recommended? Were management interfaces pushed behind VPNs or dedicated firewall rules? Were high-risk on-premises customers asked to shut down until a patch? How did Kaseya verify that known exposed systems changed state? What telemetry, if any, existed to distinguish suspicious procedure creation from ordinary remote-management work? Those questions do not assume negligence.

They identify the evidence needed to assess whether pre-exploit warnings matched VSA's blast radius.

Kaseya later published notices such as the August 4, 2021 important notice and additional recovery materials, while also providing a compromise detection tool page. Those documents were part of the post-incident control record. They do not by themselves reconstruct what was possible in June 2021. The durable lesson is that coordinated disclosure for privileged management software should include observable exposure reduction long before the public headline.

Shutdown advice exposed the on-premises divide

Kaseya could shut down the environment it operated. It could not directly shut down every customer-operated VSA server. That distinction is the center of the detection-disclosure problem. A hosted product gives the vendor operational control during crisis. An on-premises product gives the vendor knowledge and code authority, while the running service remains under customer or MSP control. In the Kaseya event, that meant the shutdown message had to reach each on-premises operator and then be acted on during a holiday-weekend Friday.

This is not merely an inconvenience. Every minute in the relay mattered because attackers were using trusted administration functions. A Kaseya message had to reach an MSP leader or administrator, that person had to understand that "shut down VSA" outweighed the normal cost of disabling customer management, and the MSP had to confirm that malicious procedures were not already queued or executed. Downstream clients then needed to know whether their own systems were safe, encrypted, disconnected, or awaiting restoration. The relay contained technical, business, and customer-communications steps.

The joint CISA-FBI guidance recognized that the answer was not only "apply a patch." It emphasized shutting down VSA servers, running the detection tool, preserving backups, restricting remote management communication, and using least privilege. This guidance spoke to on-premises reality: a compromised management server could remain dangerous even after the first public notice if operators restarted without clearing malicious state or tightening exposure.

Kaseya's later SOC 3 report stated that 57 on-premises customers were affected. The report is useful as company-provided assurance context, but it is not a full independent incident narrative for every downstream business. Reuters, carried by Investing.com, reported the chief executive's estimate that 800 to 1,500 businesses were affected. Those figures are not interchangeable. One counts direct customers at one layer. The other counts downstream organizations at another layer.

This layered denominator affects notice quality. A direct Kaseya customer might receive vendor guidance. A small business served by an MSP might receive an email, a phone call, a portal notice, or no clear explanation until systems were unavailable. A grocery store, dentist, local government office, or retailer may not know the term VSA at all. Yet its continuity depended on VSA's state and the MSP's response. The party bearing outage consequences could be the least informed party in the chain.

That is why managed-service contracts should define emergency notice duties before the emergency. Clients should know what remote-management tools have privileged authority, who can shut them down, what happens to monitoring and maintenance during a shutdown, how client systems will be isolated, how restoration will be prioritized, and how evidence will be shared. Without those terms, the first clear accountability conversation may occur after encryption, when every party is under pressure and facts are incomplete.

The downstream denominator changed the harm

Kaseya's direct victim count was small relative to its total customer base, and Kaseya rightly emphasized that not every customer was affected. That fact should be preserved. It should not be used to minimize the event's operational shape. The incident mattered because some affected direct customers were managed service providers. A single MSP can connect one compromised control plane to dozens or hundreds of businesses.

Swedish retailer Coop became a public symbol of downstream continuity loss. Investing.com carried Reuters reporting that a cyber attack against the US IT provider forced the Swedish chain to close 800 stores. Later reporting described affected firms facing recovery that could take weeks. These accounts should not be treated as a full victim list. They show how a remote-management compromise can reach public-facing services that consumers experience as closed doors, unavailable payments, or interrupted local operations.

For small and medium-sized enterprises, managed service is rational. It gives access to specialist labor, monitoring, backup management, patching, and support that many small organizations could not build alone. The same concentration creates correlated failure. A set of businesses that appear separate by geography and sector may share one MSP, one remote tool, one backup pattern, and one recovery staff. A ransomware event at that layer can make many supposedly independent continuity plans fail at once.

Public-sector continuity can be affected in the same way. Local governments, schools, utilities, and public-facing agencies often depend on MSPs or similar outsourced support. The citizens affected by downtime do not care whether a tool was operated by an agency employee, a contractor, a reseller, or a software vendor. They need services restored. The accountability path, however, runs through those technical relationships, and delays can be introduced at every handoff.

This is where detection and disclosure become economic. A small business that learns quickly can disconnect systems, preserve backups, warn employees, switch payment handling, postpone work, or call customers. A business that learns only after encryption has fewer choices. It may face lost sales, payroll disruption, customer frustration, regulatory reporting uncertainty, and insurance paperwork. The same technical exploit produces different harm depending on when the downstream party receives usable information.

The CISA, NSA, FBI, and international partners later issued broader guidance to protect managed service provider and customer relationships, announced by CISA in this advisory notice. That guidance reflects a systemic point: MSP security is not only the MSP's private problem. It is a shared continuity issue for the customers that inherit its trust.

Law enforcement action did not replace repair evidence

The Kaseya incident also produced law-enforcement records. The Department of Justice announced in 2021 that a Ukrainian national had been arrested and charged in connection with the ransomware attack. Europol announced that five affiliates tied to Sodinokibi/REvil had been unplugged. The Department of Justice later announced that a Sodinokibi/REvil affiliate had been sentenced for a wider ransomware role. These records are important for attacker accountability.

They do not answer the operational questions. Criminal charges and sentences can identify alleged or convicted actors, disrupt infrastructure, recover evidence, and deter future campaigns. They do not prove which MSP customers had adequate backups, which clients were told in time, which VSA servers were exposed before July 2, or whether every downstream organization rebuilt safely. Attacker accountability and service accountability coexist because they concern different controls.

The same distinction applies to congressional attention. The House hearing record available through GovInfo captured public concern about ransomware, critical services, and private-sector preparedness. Oversight can elevate patterns and reveal policy needs. It still cannot substitute for entity-level evidence about detection clocks, notice content, shutdown execution, and restoration quality.

NIST's SP 800-161 Rev. 1 gives a broader supply-chain risk vocabulary. It treats suppliers, products, services, and life-cycle controls as part of cybersecurity governance. Kaseya's incident shows why that vocabulary has to include managed-service operational evidence. A procurement team cannot simply ask whether an MSP uses a remote-management platform. It should ask how that platform is exposed, how it is monitored, who can disable it, how client segmentation works, how backups are isolated, how incidents are reported, and how evidence will be shared.

Repair evidence after Kaseya should therefore be layered. Kaseya should show product-security remediation, vulnerability intake maturity, customer-warning channels, and secure-by-default expectations for high-risk deployments. MSPs should show restricted administrative access, multifactor enforcement, segmentation, least privilege, protected backups, client-notice playbooks, and tabletop exercises that include tool compromise. Downstream customers should show that they know which provider tools can administer their systems and what continuity alternatives exist if those tools must be shut down.

No law-enforcement success removes the need for these records. A ransomware affiliate can be arrested while a business still lacks a recoverable backup. A vendor can release a patch while an MSP has not reached every client. A government advisory can be correct while the smallest affected company still does not understand what happened. Accountability must reach the layer where harm lands.

Observability is the repair standard

The second-lens question for Kaseya is not whether managed service is bad. Managed service can improve security for organizations that otherwise would have little support. The question is whether the risk created by concentrated administration is observable by the parties that depend on it. A hidden control plane creates hidden accountability.

Observability begins with asset knowledge. Each client should know which remote tools can run commands, deploy software, reset credentials, or access sensitive systems. The MSP should know which servers and tenants have that authority. The vendor should know which customers operate exposed, high-risk versions when licensing and telemetry make that possible. Public agencies should know how to reach critical service providers when an MSP incident threatens community services.

Observability continues with event timing. A useful incident record would identify the first known exploitation, the first internal alert, the first customer report, the first vendor shutdown instruction, the first MSP-to-client notice, the first downstream encryption, the first detection-tool result, and the time each affected party reached stable recovery. Without those timestamps, leaders can praise fast action after one point while missing delay before another.

Observability also requires denominator discipline. Fewer than 60 direct customers, 57 on-premises customers, up to 1,500 downstream businesses, and countless managed endpoints are different counts. They describe different units of accountability. A direct customer count speaks to vendor exposure. A downstream business count speaks to continuity harm. An endpoint count speaks to technical workload. Mixing them obscures where repair succeeded or failed.

Finally, observability needs customer-facing language. A small business does not need every exploit detail in the first hour. It does need to know whether its provider's remote-management tool was involved, whether its systems should be disconnected, whether backups are safe, whether files are encrypted, whether payments can continue, whether employees should stop using certain devices, and when the next update will arrive. The MSP's notice quality is part of the vendor incident's harm profile because the vendor's product enabled the MSP's reach.

The Kaseya event showed that a remote-management platform can concentrate both efficiency and fragility. The accountability task after 2021 is to keep the efficiency while making fragility visible. That means faster private warnings where public disclosure would increase risk, stronger default exposure limits, client contracts that name remote-management dependencies, and recovery plans that assume the MSP's favorite tool may itself become unavailable or hostile.

The notice chain needs its own service-level objective

The incident shows why managed-service security needs a notice service-level objective, not only a remediation objective. In an ordinary software vulnerability, the operator that receives the vendor advisory is often the same organization that will suffer if the system remains exposed. In managed service, the operator and the risk-bearing customer may be different. The MSP may receive the vendor warning; the small business may receive only the consequence. That gap needs a measurable standard.

A notice objective should begin with classification. If a remote-management tool can execute commands, deploy software, change security settings, or touch backups across client environments, then a serious vulnerability in that tool is not a routine ticket. It is a client-risk event. The MSP should have a prewritten category for "provider control-plane incident" that triggers client communications even before every technical detail is known. The message can be bounded and careful, but it should not wait until encryption is visible at the client.

The first notice does not need to expose exploit details that would aid attackers. It should tell clients what matters operationally: a privileged management platform is under emergency review; provider access may be restricted; certain maintenance tasks may pause; clients should preserve backups and avoid restarting affected machines without instructions; urgent contacts and next-update timing are available. If compromise is confirmed, the notice should say what systems are affected, what the provider is doing, what the client should do, and what evidence should be preserved.

The second notice should map the dependency. Many clients do not know the product names behind managed service. A company may understand "our IT provider handles patching" but not "VSA can run commands on every workstation." During an incident, that ignorance becomes a continuity problem. A client cannot explain the event to its own employees, insurer, customers, regulator, or board if the MSP will not name the control plane involved. Contracts should specify when product identity can be disclosed to clients during emergencies, and how much detail must be shared.

The third notice should address business operations. If an MSP shuts down VSA, routine monitoring, software deployment, remote support, and some security response functions may be impaired. Clients need to know what support remains available. They need alternate phone numbers, ticket channels, emergency access rules, and expected delays. A shutdown instruction that protects security can still harm continuity if no one explains the service consequence.

The fourth notice should document evidence and recovery. The client should know whether its devices were encrypted, whether suspicious procedures were executed, whether backups were touched, whether credentials were rotated, whether law enforcement or CISA guidance is relevant, and whether the provider used Kaseya's detection tool or other responder evidence. A client that receives only "we are working on it" cannot make its own legal, insurance, and customer decisions.

This notice chain should be timed. The MSP may promise an initial client notification within a set number of minutes after a confirmed provider control-plane event, a follow-up every defined interval, and a written closure record after recovery. The timeline will vary by client and severity, but the principle should not. Managed-service risk is delegated; accountability cannot be.

Pre-authorized shutdown is a governance control

Kaseya's instruction to shut down on-premises VSA servers exposed an awkward truth: a security-safe action can be a business-disruptive action. Shutting down a remote-management platform can reduce attacker reach, but it can also remove the MSP's primary way to support clients. If the MSP has not pre-authorized who can make that decision, the response can stall at the worst possible moment.

Pre-authorization should specify who may disable the tool, under what evidence threshold, and how clients are told. It should also specify what functions remain available after shutdown. Can technicians still support clients by phone? Can they use alternate remote access? Is alternate access more or less secure? Which client environments are too sensitive for emergency remote tools? Which clients require written approval before provider agents reconnect? These details feel tedious until a Friday afternoon attack makes them urgent.

The same logic applies to the vendor. For a product like VSA, a vendor's hosted shutdown is under direct company control, but on-premises operators need clear thresholds. A vendor can recommend or require shutdown in support terms, but execution belongs to customers. If the vendor knows that certain internet-facing on-premises deployments are at high risk before a patch is ready, it needs a private escalation model: direct outreach, high-severity notices, support-case tracking, and verification where possible. The goal is not to shame customers. It is to reduce the number of exposed control planes before criminals act.

Shutdown authority also interacts with backups. Ransomware response depends on retrievable, protected backups, but many MSPs manage backups through the same administrative ecosystem that supports routine service. If the control plane is suspect, responders must know whether backup consoles, credentials, storage, and restore procedures are independent. The CISA-FBI guidance emphasized air-gapped or otherwise protected backups because a management compromise can threaten recovery as well as production.

Clients should not have to discover during an incident that the MSP's backup plan depends on the compromised tool. A managed-service contract should describe whether backups are logically and administratively separated, how often restores are tested, who can authorize restore, and what happens if the MSP's management environment is offline. For small businesses, that contract language may be the only practical visibility they have into resilience.

Pre-authorized shutdown also helps insurers and regulators. A client that can show a provider followed a documented shutdown and notice playbook is in a different position from a client reconstructing decisions from scattered emails. Evidence of pre-authorized action does not eliminate harm, but it shows governance. It can also reduce disputes between vendor, MSP, client, insurer, and law enforcement after the event.

The Kaseya record shows that rapid post-alert action is valuable. The next standard should push the decision earlier and make it more automatic where the blast radius is clear. A remote-management control plane should be designed to fail closed, with a known path for operating in reduced mode. If shutting it down requires a custom debate every time, then the business model has not fully priced the security role the tool plays.

Downstream evidence is part of the product record

Software vendors naturally focus on direct customers, but a managed-service product's consequences extend through the customer base of those customers. That means downstream evidence belongs in the product record. A vendor may not know every endpoint or every business served by an MSP, but it should design incident reporting to preserve the dependency chain as far as reasonably possible.

The first evidence problem is identity of the affected chain. Which Kaseya customer operated the affected VSA instance? Was that customer an MSP? Which client environments did that VSA instance manage? Which agents checked in during the exposure window? Which procedures ran? Which endpoints received payloads? Which endpoints were offline and later at risk on reconnect? Without this chain, counts become ambiguous and recovery becomes uneven.

The second problem is time. A downstream business needs to know when its systems were touched, not only when the vendor discovered the incident. If a malicious procedure ran at a specific time, that timestamp anchors endpoint investigation, backup selection, payroll decisions, and customer notification. If the MSP cannot provide timing, the client may have to treat a wider period as suspect, increasing cost.

The third problem is evidence custody. Logs may live at the VSA server, at the MSP, on endpoints, in security tools, and with the vendor. During a ransomware event, some evidence can be deleted, encrypted, overwritten, or disconnected. A mature product should make high-consequence administrative actions durable enough that responders can reconstruct what happened even if the management server is compromised. That does not require publishing sensitive telemetry to the world. It requires designing for incident reconstruction.

The fourth problem is client-ready language. A downstream business may need to report to a regulator, school board, mayor, owner, insurer, or customer. It cannot simply forward a technical vendor bulletin if the bulletin does not say whether its own environment was affected. MSPs should convert vendor evidence into client-specific statements: in scope, not in scope, encrypted, not encrypted, unknown due to missing evidence, restored from backup, credentials rotated, or still under investigation. "Unknown" is acceptable when true; pretending to know is not.

The fifth problem is fair allocation. If the vendor, MSP, and client all contribute to the final risk, the evidence record should allow that allocation. A vendor vulnerability may create entry. An MSP's internet exposure or segmentation may enlarge harm. A client's weak backups may lengthen recovery. Conversely, a vendor warning, MSP shutdown, and client continuity plan may all reduce harm. Accountability should be granular enough to credit and fault the right controls.

This is why downstream evidence is part of the product record. It is not enough for the vendor to know how many direct customers were affected if the product's economic role is to administer many more organizations. Product governance should anticipate the dependency tree. Incident templates, telemetry, support escalation, and public statements should preserve denominators by layer: direct customers, MSPs, downstream organizations, endpoints, and services. The Kaseya event became a landmark because those layers all mattered at once.

Contracts should expose the hidden control plane

Many managed-service customers do not buy Kaseya VSA directly. They buy outcomes: patched laptops, working email, reachable printers, monitored servers, help-desk support, and recovery after failure. The remote-management product is hidden behind the service promise. That hiddenness can be efficient in normal times, but during a ransomware incident it leaves the customer without a map. A customer cannot judge continuity risk if it does not know which outside systems can administer its environment.

Contracts should therefore name categories of privileged provider tools even if they do not publish every sensitive configuration. The client should know whether the MSP uses remote monitoring and management software, endpoint detection and response, backup consoles, remote desktop brokers, scripting engines, identity administration, or cloud management portals. For each category, the client should know whether the tool can deploy software, run commands, reset accounts, access backups, or change security controls. This is not curiosity. It is a dependency register.

The contract should also say how tool compromise will be handled. Will the MSP notify the client if a privileged provider tool is under active exploitation? Who decides to disconnect provider agents? Will the client receive a list of affected endpoints? How quickly will the MSP provide written facts for insurance and legal review? What evidence will be retained? What support remains if the tool is disabled? These terms turn a vague trust relationship into an accountable operating model.

A small business may not have the leverage to negotiate every clause. That is why industry standards, public guidance, insurers, and procurement templates matter. If many clients ask the same questions, MSPs can build repeatable answers. If no clients ask, the control plane remains invisible until an incident exposes it. The Kaseya event should make invisible administration harder to sell.

This does not mean every MSP must disclose sensitive internal details to every client. Security architecture can be described at the right level: authority, dependency, notice, evidence, and recovery. The client does not need exploit code or administrative passwords. It needs to know what can happen to its business if the provider's tool is compromised and what the provider is obligated to do next.

Typography note

Typography is the art and technique of arranging type to make written language legible, readable, and visually appealing. It involves selecting typefaces, point sizes, line lengths, line-spacing, and letter-spacing.

  • Typography originated with the invention of movable type by Johannes Gutenberg in the 15th century.
  • Key elements include font selection, kerning, tracking, and leading.
  • Good typography enhances readability and conveys mood or tone in design.

Residual unknowns

The public record does not establish every exploit request, every affected MSP, every downstream business impact, or every client-notice timestamp. It does not prove that the attackers learned of the vulnerabilities from the coordinated disclosure process. Parallel discovery is plausible and should not be converted into an unsupported accusation. It does not disclose every pre-attack interim control or every operator contacted before July 2. It does not independently validate the effectiveness of every later Kaseya or MSP control.

Those limits do not make the incident unknowable. They define the evidence still needed for strong managed-service accountability. The strongest known facts are enough: researchers had privately reported serious VSA weaknesses; fixes were in progress; hosted service had relevant fixes; on-premises systems remained exposed; attackers used VSA authority to distribute ransomware; Kaseya and partners issued urgent shutdown and recovery guidance; and downstream businesses carried harm that often originated in tools they did not directly operate.

The accountable question is therefore practical. When a managed-service control plane is at risk, can every party that will carry the consequences see enough, soon enough, to act? In July 2021 the answer was uneven. Some actors moved quickly once the attack was known. Many downstream organizations still depended on someone else's detection, someone else's shutdown decision, and someone else's explanation. That is the downstream accountability problem Kaseya made visible.

Typography

Typography is the art and technique of arranging type to make written language legible, readable, and visually appealing. It involves selecting typefaces, point sizes, line lengths, line-spacing, and letter-spacing.

  • Typography originated with the invention of movable type by Johannes Gutenberg in the 15th century.
  • Key elements include font selection, kerning, tracking, and leading.
  • Good typography enhances readability and conveys mood or tone in design.