Threat Hunting Insights
Expert perspectives on cybersecurity trends, threat detection, and protecting your organization from modern adversaries.
CISA Got It Partially Right. Here's What They Missed.
CISA published an advisory on endpoint management hardening after the Stryker wipe. Their Multi Admin Approval recommendation is a speed bump, not a wall. Here is what actually stops a Global Admin compromise: no standing privileges, PIM with Authentication Context, FIDO2 hardware keys, and automated session revocation.
The Setup Was Already in Your Logs
Iran was inside before the war started. How the March 6 server report connects to the Stryker wipe. The two-team MOIS playbook. What the 72-hour intelligence confirms. And the PIM Authentication Context gap that made it possible.
Handala Detection Pack v2: Pre-Positioning, PIM Gap, and Bulk Wipe Controls
Five new Sigma rules and KQL queries for Microsoft Sentinel covering MuddyWater pre-positioning IOCs, the PIM Authentication Context gap, three-layer bulk wipe prevention, stale session detection, and Rclone exfil to MuddyWater cloud infrastructure.
Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs
Full disclosure of a live Iranian operational server. Open directory on active threat actor infrastructure revealed custom attack tools, 11 CVEs, confirmed victims including EgyptAir and the Portuguese Immigration Service, and 280+ Israeli targets.
Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here's the Detection Pack.
Handala weaponized Microsoft Intune to remotely wipe Stryker Corporation across 61 countries. We built 10 Sigma rules, KQL queries, and OpenSearch queries covering the full attack chain. Download the detection pack.
The Snowflake Breach: How Missing MFA Handed Attackers the Keys to Everything
Scattered Spider walked into Snowflake environments at Ticketmaster, AT&T, and Santander using stolen credentials. No zero-days. No malware. Just accounts without MFA. Here is the attack chain, what to look for in your logs, and what to fix.
Q1 2026 Threat Landscape: The Pace Has Not Slowed
Ransomware, phishing, and malware through the first 68 days of 2026. We tracked 2,522 ransomware claims across 81 groups, the continued rise of infostealers, and why the attack chain is running at scale.
Browser-in-the-Browser Attacks Are the New Phishing Kit
Browser-in-the-Browser (BitB) attacks make URL-checking advice useless. The URL looks perfect because the entire browser window is fake. Here is how they work, why your security stack misses them, and what defenders must monitor.
Infostealers Are the Biggest Story in Cybersecurity Right Now. Your MFA Will Not Save You.
Infostealer malware is everywhere — in Chrome extensions, WhatsApp, fake AI tools, and GitHub repos. Attackers are not breaking your MFA. They steal what comes after it. The target is the session.
America's Cyber Defense Agency Is Burning Down and Nobody's Coming to Put It Out
CISA lost a third of its staff and its acting leader uploaded sensitive docs to public ChatGPT — while China sits inside U.S. critical infrastructure.
A Love Letter That Broke the Internet: The ILOVEYOU Worm, 26 Years Later
The ILOVEYOU worm infected 50 million machines in 10 days. Full technical breakdown and why the same attack pattern still works today.
The News Cycle Is Burning. Threat Actors Are Still Working.
This has been our busiest week of 2026 so far. Chaos is cover. Confusion is opportunity. Fatigue is the best vulnerability scanner ever invented.
How to Detect AiTM Phishing Attacks
AiTM attacks bypass MFA completely — attackers steal sessions while your tools see nothing wrong. Here is how to detect them.
What is Threat Hunting? A Complete Guide
Learn what threat hunting is, why it matters for your organization, and how proactive detection differs from traditional security monitoring.
How MILBERT AI Stops Authentication Attacks Before They Happen
Discover how our agentic AI platform detects credential stuffing, password spraying, and other authentication attacks in real time.
2024 Threat Landscape: Key Trends We're Seeing
Our hunt teams share the most significant attack patterns and threat actor behaviors observed across our client base this year.