Threat Hunting Insights
Expert perspectives on cybersecurity trends, threat detection, and protecting your organization from modern adversaries.
CMMC Domain 1: Access Control, the One Everyone Underestimates
Post one of fourteen. Access Control is the foundation. If you mess it up, none of the other thirteen domains save you, because the bad guy is already inside your environment looking at CUI.
Pull the Power Cord: FIRESTARTER, AR26-113A, and a Backdoor That Survives Your Patches
CISA and NCSC co-released a Malware Analysis Report today on a Cisco ASA/Firepower backdoor that patching does not remove. Here is what it does, why Sigma will not save you, and what to do this week.
The November 2026 Cliff Is Real. The Small Shops Are Going Over It First.
Phase 2 of CMMC begins November 10, 2026. No Level 2 certification means no contract, no option year, no extension. The small shops that actually build America’s weapons do not have six-person compliance teams. They have Dave. Here is what we built for them.
Stryker, Handala, MOIS, and MuddyWater: The Full Kill Chain and the Unified Detection Pack (v3)
The definitive brief on the Stryker attack. Two MOIS teams, one kill chain: MuddyWater pre-positioned for weeks, Handala pulled the trigger via Intune. Detection Pack v3 ships 25 rules covering every phase. Full IOC set and configuration hardening included.
Microsoft Patch Tuesday April 2026: 167 CVEs, Active SharePoint Zero-Day, and Wormable Networking RCEs
April 2026 Patch Tuesday is the largest in years: 167 CVEs in the Patch Tuesday release plus 344 more published across the month, over 500 in total. An actively exploited SharePoint zero-day, wormable RCEs in Remote Desktop and Active Directory, and preview-pane Office exploits demand immediate action.
We Built JAXBERT Because Small Defense Contractors Deserve Better Than a $200K Consulting Bill
The CMMC Level 2 deadline is real. Consulting firms charge $80K-$200K to hand you a binder. JAXBERT is a purpose-built platform that walks defense contractors through every step of compliance, from assessment to C3PAO package.
CISA Got It Partially Right. Here's What They Missed.
CISA published an advisory on endpoint management hardening after the Stryker wipe. Their Multi Admin Approval recommendation is a speed bump, not a wall. Here is what actually contains a compromised Global Admin: no standing privileges, PIM with Authentication Context, FIDO2 hardware keys, and automated session revocation.
The Setup Was Already in Your Logs
Iran was inside before the war started. How the March 6 server report connects to the Stryker wipe. The two-team MOIS playbook. What the 72-hour intelligence confirms. And the PIM Authentication Context gap that made it possible.
Handala Detection Pack v2: Pre-Positioning, PIM Gap, and Bulk Wipe Controls
Five new Sigma rules and KQL queries for Microsoft Sentinel covering MuddyWater pre-positioning IOCs, the PIM Authentication Context gap, three-layer bulk wipe prevention, stale session detection, and Rclone exfil to MuddyWater cloud infrastructure.
Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs
Full disclosure of a live Iranian operational server. An open directory on active threat actor infrastructure revealed custom attack tools, exploits for 11 CVEs, confirmed victims including EgyptAir and the Portuguese Immigration Service, and 280+ Israeli targets.
Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here's the Detection Pack.
Handala weaponized Microsoft Intune to remotely wipe Stryker Corporation across 61 countries. We built 10 Sigma rules, KQL queries, and OpenSearch queries covering the full attack chain. Download the detection pack.
The Snowflake Breach: How Missing MFA Handed Attackers the Keys to Everything
Scattered Spider walked into Snowflake environments at Ticketmaster, AT&T, and Santander using stolen credentials. No zero-days. No malware. Just accounts without MFA. Here is the attack chain, what to look for in your logs, and what to fix.
Microsoft Patch Tuesday March 2026: 86 CVEs, 2 Zero-Days, and a SQL Server Escalation You Cannot Ignore
March 2026 Patch Tuesday delivers 86 CVEs including 10 Critical and 2 publicly disclosed zero-days. A SQL Server privilege escalation grants sysadmin over the network, and a Microsoft Authenticator info disclosure threatens MFA integrity. Here is what to patch first.
Q1 2026 Threat Landscape: The Pace Has Not Slowed
Ransomware, phishing, and malware through the first 68 days of 2026. We tracked 2,522 ransomware claims across 81 groups, the continued rise of infostealers, and why the attack chain is running at scale.
Browser-in-the-Browser Attacks Are the New Phishing Kit
Browser-in-the-Browser (BitB) attacks make URL-checking advice useless. The URL looks perfect because the entire browser window is fake. Here is how they work, why your security stack misses them, and what defenders must monitor.
Infostealers Are the Biggest Story in Cybersecurity Right Now. Your MFA Will Not Save You.
Infostealer malware is everywhere — in Chrome extensions, WhatsApp, fake AI tools, and GitHub repos. Attackers are not breaking your MFA. They steal what comes after it. The target is the session.
America's Cyber Defense Agency Is Burning Down and Nobody's Coming to Put It Out
CISA lost a third of its staff and its acting leader uploaded sensitive docs to public ChatGPT — while China sits inside U.S. critical infrastructure.
A Love Letter That Broke the Internet: The ILOVEYOU Worm, 26 Years Later
The ILOVEYOU worm infected 50 million machines in 10 days. Full technical breakdown and why the same attack pattern still works today.
The News Cycle Is Burning. Threat Actors Are Still Working.
This has been our busiest week of 2026 so far. Chaos is cover. Confusion is opportunity. Fatigue is the best vulnerability scanner ever invented.
How to Detect AiTM Phishing Attacks
AiTM attacks bypass phishable MFA (OTP codes, push approvals) outright: attackers relay the login and steal the resulting session while your tools see a successful, MFA-satisfied sign-in. Here is how to detect them.
What is Threat Hunting? A Complete Guide
Learn what threat hunting is, why it matters for your organization, and how proactive detection differs from traditional security monitoring.
How MILBERT AI Stops Authentication Attacks Before They Happen
Discover how our agentic AI platform detects credential stuffing, password spraying, and other authentication attacks in real time.
2024 Threat Landscape: Key Trends We're Seeing
Our hunt teams share the most significant attack patterns and threat actor behaviors observed across our client base this year.