The News Cycle Is Burning. Threat Actors Are Still Working.
This week has been pure insanity.
OpenClaw showed up like the security world's worst new party guest. A shiny open source AI agent with real traction, real deployments, and now very real security risk when people rush it into production with default configs and wishful thinking. There is already a one click remote code execution CVE tied to it, plus the usual second order problems that come with agents that can run commands and touch data at scale.
The Epstein Files dropped in volume: millions of pages, plus thousands of videos and a huge image set. Then the reality of publishing at that scale hit like a brick. Within days, the release was getting slammed for sloppy redactions, victim info leaks, and documents getting yanked for emergency fixes.
Markets did what markets do when fear gets fed after midnight. Tech got smoked, and investors started asking if the hype cycle is about to eat its own young.
Jobs news turned bleak in a very specific way. January layoffs hit levels people have not seen since 2009, and hiring plans are basically in the toilet.
And sitting over all of it, geopolitical tension does what it always does. It adds noise, distraction, and stress while the internet keeps spinning. US and Iran talks today (Friday) are real, high stakes, and happening in a climate where everyone is already on edge.
So yeah. Crazy week.
Now here is the part that matters.
Did Breaches Slow Down Because the World Was Busy?
Not even a little.
Threat actors do not take sick days for headlines. They do not pause because your board is doomscrolling. Chaos is cover. Confusion is opportunity. Fatigue is the best vulnerability scanner ever invented.
When everyone is distracted, that is when the easy stuff lands:
- People click faster
- Change control gets sloppy
- Alerts get triaged into oblivion
- Security tools get left in "we will tune it later" mode
- Identity events that look weird get hand waved because "it's probably travel" or "it's probably a vendor"
Attackers love that.
This Has Been Our Busiest Week of 2026 So Far
Inside ThreatHunter.ai, this week has been the busiest of the year to date. More Scouts. More Hunts. More real time Milbert interventions stopping adversary in the middle (AiTM) style session theft while it is happening.
If you are new to our terms:
Scouts are rapid sweeps. They are built to answer one question fast: is this normal or is this a problem that needs a human right now? Scouts move through identity, endpoint, network, and cloud telemetry looking for patterns that do not belong.
Hunts are what happens when "does this smell off" turns into "prove it." Hunts are human driven, threat informed, and designed to build a defensible story. Timeline, impact, access path, and what to do next.
Milbert sits in the identity lane and treats trust as a continuous decision, not a one time checkpoint. AiTM attacks are built around a simple truth: MFA can succeed and the access can still be hostile. The user completes MFA against the real identity provider through the attacker's proxy, the attacker keeps the resulting session cookie or token, and then replays it from a browser the user has never touched. The login in the logs looks "valid" while everything around it is wrong: the network, the device, the user agent, the timing.
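To make that concrete, here is an added example of the kind of check that catches a replayed session. It is not Milbert or any ThreatHunter.ai code, and the sign-in records are constructed: it assumes your identity provider logs a session identifier, source ASN, user agent, and whether MFA was satisfied on each event (field names are assumptions; real schemas differ). The idea is simple: anchor on the event where MFA completed, then flag any later use of the same session that arrives from a different network or client.

```python
"""Added example: flag a session that completed MFA on one network/client and is then
used from another. Constructed sign-in events, not ThreatHunter.ai or Milbert code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str      # ties later requests to the session that passed MFA
    ip: str
    asn: str
    user_agent: str
    mfa_satisfied: bool  # True on the event where the MFA challenge was completed


UTC = timezone.utc

# Constructed events (assumption: the IdP exposes these fields; adjust to your schema).
# alice: MFA completes, then the same session shows up from another ASN with a non-browser UA.
# bob: MFA completes, later activity on the same session from the same network and browser.
EVENTS = [
    SignIn(datetime(2026, 2, 6, 9, 0, tzinfo=UTC), "alice", "s-1", "203.0.113.10",
           "AS64496", "Mozilla/5.0 (Windows NT 10.0) Chrome/122", True),
    SignIn(datetime(2026, 2, 6, 9, 3, tzinfo=UTC), "alice", "s-1", "198.51.100.77",
           "AS64511", "python-requests/2.31", False),
    SignIn(datetime(2026, 2, 6, 9, 10, tzinfo=UTC), "bob", "s-2", "203.0.113.20",
           "AS64496", "Mozilla/5.0 (Macintosh) Safari/17", True),
    SignIn(datetime(2026, 2, 6, 9, 45, tzinfo=UTC), "bob", "s-2", "203.0.113.20",
           "AS64496", "Mozilla/5.0 (Macintosh) Safari/17", False),
]


def find_session_reuse(events):
    """Return (user, session_id, reason) for every post-MFA event on a session whose
    ASN or user agent differs from the event that completed MFA."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[(e.user, e.session_id)].append(e)

    findings = []
    for (user, sid), evs in by_session.items():
        # The MFA completion is the baseline: whatever network/client did that
        # is where the session legitimately lives.
        anchor = next((e for e in evs if e.mfa_satisfied), None)
        if anchor is None:
            continue  # never passed MFA; a different detection's problem
        for e in evs:
            if e is anchor or e.ts < anchor.ts:
                continue
            reasons = []
            if e.asn != anchor.asn:
                reasons.append(f"asn {anchor.asn}->{e.asn}")
            if e.user_agent != anchor.user_agent:
                reasons.append("user agent changed")
            if reasons:
                findings.append((user, sid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, sid, why in find_session_reuse(EVENTS):
        print(f"session {sid} for {user}: {why}")
```

Two caveats a practitioner will hit. First, in a proxy-based AiTM attack the MFA completion itself comes from the attacker's proxy, so the anchor is already tainted; comparing the anchor against the user's usual networks and registered devices is a second, independent signal this block does not implement. Second, ASN changes alone are noisy for mobile users, so treat the user agent change, and especially a non-browser client on a session that was started in a browser, as the stronger of the two reasons.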
This week, we saw more of that than we should. And we stopped more of it than most teams can even see.
The Uncomfortable Truth About "Buying Security"
Buying a security product does not mean you are secure.
It means you bought potential.
If you buy an EDR and leave it in monitor mode only, you did not buy defense. You bought a checkbox. You bought a line item that looks good in a compliance document and feels good in a budget meeting.
Monitor mode only is not a strategy. It is the security equivalent of installing a smoke detector and removing the batteries because it was "too noisy."
If you are paying real money for EDR, here is the bare minimum reality check:
- If it can block, you need blocking somewhere
- If it has tamper protection, it needs to be enabled
- If it has prevention policies, they need to be enforced
- If it can kill a malicious process, you need it allowed to do that
- If disabling the agent is not a high priority alert, you are inviting ransomware crews to take their shoes off and get comfortable
Yes, tuning matters. Yes, you do not flip every prevention knob to max on day one and pray.
But if you never turn it on, you are not "reducing risk." You are documenting it.
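One of the items above deserves a worked example, because it is the one that most often fails silently: an agent that has been disabled or uninstalled cannot raise its own alert. You find it by correlating the agent's last heartbeat with evidence that the host is still alive somewhere else. The block below is an added example, not code from ThreatHunter.ai or from any EDR vendor; the heartbeat and authentication records are constructed, and it assumes you can export last-seen times from your console and pull host names out of domain authentication logs.

```python
"""Added example: find endpoints whose EDR agent went quiet while the host kept
authenticating. Constructed records; not any vendor's API or ThreatHunter.ai code."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 6, 12, 0, tzinfo=timezone.utc)

# Constructed: last agent heartbeat per host (assumption: exported from the EDR console).
LAST_HEARTBEAT = {
    "ws-finance-01": NOW - timedelta(minutes=4),   # healthy
    "ws-finance-02": NOW - timedelta(hours=6),     # quiet for 6 hours
    "ws-eng-07": NOW - timedelta(days=3),          # quiet for 3 days
    "lt-sales-11": NOW - timedelta(hours=2),       # quiet, but see AUTH_EVENTS
}

# Constructed: (host, timestamp) of recent domain authentication events.
AUTH_EVENTS = [
    ("ws-finance-02", NOW - timedelta(minutes=20)),          # active after agent went quiet
    ("ws-eng-07", NOW - timedelta(days=2, hours=23)),        # active after agent went quiet
    ("lt-sales-11", NOW - timedelta(hours=3)),               # last seen before the heartbeat: just offline
]


def silent_agents(last_heartbeat, auth_events, now, max_gap=timedelta(hours=1)):
    """Return hosts whose agent has not reported within max_gap but which authenticated
    to the domain after the last heartbeat. That combination is a host that is alive on
    the network and invisible to EDR: tamper or uninstall until proven otherwise.
    Hosts that simply went offline (no auth after the last heartbeat) are not flagged."""
    latest_auth = {}
    for host, ts in auth_events:
        if host not in latest_auth or ts > latest_auth[host]:
            latest_auth[host] = ts

    findings = []
    for host, hb in last_heartbeat.items():
        if now - hb <= max_gap:
            continue  # agent is reporting normally
        seen = latest_auth.get(host)
        if seen is not None and seen > hb:
            findings.append({
                "host": host,
                "agent_silent_for": now - hb,
                "last_auth": seen,
            })
    return findings


if __name__ == "__main__":
    for f in silent_agents(LAST_HEARTBEAT, AUTH_EVENTS, NOW):
        print(f"{f['host']}: agent silent {f['agent_silent_for']}, "
              f"host authenticated at {f['last_auth'].isoformat()}")
```

The max_gap threshold is the tuning knob the paragraph warns about: set it from your agent's real check-in interval, not from a guess, or laptops on flaky Wi-Fi will bury the two hosts that matter. Any hit from this check should land at the same severity as the "agent disabled" alert the list above says you need.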
The Theme of the Week
The theme of this week is not OpenClaw. Not markets. Not politics. Not leaks.
The theme is speed.
Attackers move fast. News moves fast. Your environment changes fast. And your security posture either keeps up, or it becomes a museum exhibit.
If your program is built around quarterly reviews, weekly reports, and "we will investigate later," then you are playing defense with a calendar while the attacker plays offense with a stopwatch.
That is why we run Scouts. That is why we run Hunts. That is why Milbert makes real time decisions on identity activity instead of treating MFA as the finish line.
If You Want to See What This Looks Like in Your Environment
If this week felt loud for you, it probably was. And if you are not watching identity sessions, tokens, and abnormal access paths in real time, then you are only seeing the part of the attack that is easiest to log.
Request a demo. We will show you what your tools are missing, what your users are doing, what your attackers are doing, and what "turn it on" actually looks like in a way that does not light your environment on fire.
Visit ThreatHunter.ai.