home.social

#detectionengineering — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #detectionengineering, aggregated by home.social.

  1. VIKI SNIFFER analyzed 72,953 CVEs in the latest OSINT cycle.

    Key findings:

    47,064 CVEs still have no CVSS
    64 MITRE ATT&CK techniques identified
    Strong growth in:
    T1071 — Application Layer Protocol
    T1055 — Process Injection
    T1003.005 — Cached Credentials
    T1020 — Automated Exfiltration

    jaroslawkuchta.substack.com/p/

    #CyberSecurity #ThreatIntelligence #SOC #BlueTeam #MITREATTACK #ExposureManagement #CTEM #ThreatHunting #OSINT #CVE #KEV #InfoSec #IdentitySecurity #LLMSecurity #OpenAPI #MCP #DetectionEngineering

  3. CVE-2026-21902 represents a high-impact infrastructure exposure.

    Affected platform: Junos OS Evolved on PTX series routers.

    Attack vector: Unauthenticated network access.
    Privilege level: Root execution.
    Service: On-Box Anomaly Detection, enabled by default.

    Strategic risk:
    • Traffic interception capability
    • Policy manipulation
    • Controller redirection
    • Lateral pivoting
    • Long-term foothold persistence
    Although no exploitation has been observed, high-performance routing infrastructure has historically been a prime target due to its control-plane visibility and network centrality.

    Recommended actions:
    – Immediate patch validation
    – Control-plane traffic monitoring
    – Service exposure review
    – Network segmentation validation
    – Threat hunting for anomalous routing behavior
    Are infrastructure devices integrated into your continuous detection engineering pipeline?

    Source: securityweek.com/juniper-netwo

    Engage below.
    Follow TechNadu for high-signal vulnerability intelligence.
    Repost to strengthen security awareness.

    #Infosec #CVE2026 #Juniper #RouterSecurity #CriticalInfrastructure #ThreatModeling #DetectionEngineering #NetworkDefense #ZeroTrustArchitecture #CyberRisk #SecurityOperations #VulnerabilityManagement

  7. APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

    Observed tradecraft includes:
    • LNK-based initial execution
    • Embedded PowerShell payload extraction
    • Ruby interpreter abuse (v3.3.0)
    • Scheduled task persistence (5-minute interval)
    • USB-based covert bidirectional C2
    • Multi-stage backdoor deployment
    Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

    The removable media relay model enables:
    – Command staging offline
    – Data exfiltration without internet access
    – Lateral spread across isolated systems
    – Surveillance via Windows spyware
    This reinforces a critical point:
    Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

    Are critical infrastructure operators prepared for USB-mediated C2 relays?

    Source: bleepingcomputer.com/news/secu

    Engage below.

    Follow TechNadu for high-signal threat intelligence insights.
    Repost to elevate awareness.

    #Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture
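
The post lists scheduled-task persistence on a short interval and abuse of a Ruby interpreter. Below is an added detection example, written for this page and not taken from the post or from any vendor analysis of the campaign: it parses the task definition XML carried in Windows Security event 4698 (task created), converts the trigger's ISO 8601 repetition interval to seconds, and flags tasks that repeat quickly and run a scripting interpreter from a user-writable path. The two sample events, the task names, the account and the file paths are constructed for the example.

```python
"""Added example (not from the post or any vendor write-up): flag scheduled tasks
that repeat on a short interval and run a scripting interpreter from a user-writable
path. The sample events are constructed to resemble Windows Security event 4698
(task created), whose TaskContent field carries the task definition XML."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"ruby.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "python.exe", "mshta.exe"}
# Paths a standard user can write to; a task action launched from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)


def iso_duration_seconds(value):
    """Parse the ISO 8601 duration subset used by task triggers (PT5M, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_xml, max_interval=600):
    """Return the reasons a task definition looks like interval-based persistence."""
    root = ET.fromstring(task_xml.strip())
    reasons = []
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    short = [i for i in intervals if i <= max_interval]
    if short:
        reasons.append(f"repeats every {min(short)}s")
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in INTERPRETERS:
            reasons.append(f"runs interpreter {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("command or script lives in a user-writable path")
    return reasons


def find_suspicious_tasks(events, min_reasons=2):
    """Map task name -> reasons for every 4698-style event that trips at least min_reasons."""
    hits = {}
    for ev in events:
        reasons = analyze_task(ev["TaskContent"])
        if len(reasons) >= min_reasons:
            hits[ev["TaskName"]] = reasons
    return hits


# Constructed sample events: task names, account and paths are made up for the example.
SAMPLE_EVENTS = [
    {"TaskName": r"\OneDriveSync", "TaskContent": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\Programs\Ruby33\bin\ruby.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\sync.rb</Arguments>
    </Exec>
  </Actions>
</Task>"""},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-03T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval><DaysOfWeek><Wednesday/></DaysOfWeek></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""},
]

if __name__ == "__main__":
    for name, reasons in find_suspicious_tasks(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Requiring two independent reasons keeps the rule quiet on legitimate short-interval tasks (monitoring agents, sync clients) that run from Program Files, while a 5-minute repetition plus an interpreter under AppData still surfaces. Event 4698 must be enabled in the audit policy (Object Access, Other Object Access Events) for this telemetry to exist at all.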

  12. Identity compromise continues to dominate intrusion chains.
    From the Sophos Active Adversary Report 2026:
    • 67% of initial access attributed to identity abuse
    • 3.4-hour median to Active Directory pivot
    • 3-day median dwell time
    • 88% ransomware deployment off-hours
    • 79% data exfiltration off-hours
    Directory services remain high-value assets — authentication, authorization, policy control, privilege mapping.
    The compressed timeline from credential misuse to directory-level access underscores the need for:
    – Continuous identity monitoring
    – Behavioral analytics
    – After-hours SOC coverage
    – Conditional access enforcement
    – Least-privilege architecture
    Generative AI is functioning as a force multiplier — improving phishing quality and campaign scale — not yet delivering autonomous attack chains.

    Is identity governance keeping pace with adversary dwell time compression?
    Engage below.

    Source: sophos.com/en-us/press/press-r

    Follow TechNadu for high-signal infosec analysis.

    Repost to strengthen industry awareness.

    #Infosec #IdentityThreats #RansomwareDefense #ActiveDirectorySecurity #ThreatModeling #GenAI #SecurityOperations #CyberRisk #ZeroTrustArchitecture #DetectionEngineering #EnterpriseSecurity #ThreatHunting
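
Two of the figures in the post translate directly into detection logic: a short window from first access to a domain controller, and privileged activity outside working hours. The example below is added here and is not code from Sophos or from the post's author. It runs over constructed Windows logon records (event 4624), flagging privileged interactive or remote logons at night or on weekends, and accounts whose first domain-controller logon follows their first member-host logon within a few hours. Host names, accounts, the business-hours window and the addresses are all invented assumptions.

```python
"""Added example (not from the Sophos report or the post above): two identity-centric
detections over constructed Windows logon records (event 4624): privileged interactive or
remote logons outside business hours, and accounts that reach a domain controller shortly
after their first logon on a member host. Hosts, accounts and addresses are invented."""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}
PRIVILEGED_ACCOUNTS = {r"CORP\svc_backup", r"CORP\da-jsmith"}
EXPECTED_DC_ADMINS = {r"CORP\da-jsmith"}   # tier-0 admins for whom DC logons are routine
INTERACTIVE_TYPES = {2, 10, 11}            # console, RDP, cached interactive
BUSINESS_HOURS = (8, 18)                   # local time, Monday to Friday


def parse_logons(lines):
    """Parse 'ts 4624 user=... host=... type=N src=...' lines; other event IDs are skipped."""
    events = []
    for line in lines:
        ts, event_id, *fields = line.split()
        if event_id != "4624":
            continue
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["type"] = int(ev["type"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def off_hours_privileged_logons(events):
    """Privileged accounts logging on interactively at night or on weekends."""
    hits = []
    for ev in events:
        if ev["user"] not in PRIVILEGED_ACCOUNTS or ev["type"] not in INTERACTIVE_TYPES:
            continue
        t = ev["ts"]
        weekend = t.weekday() >= 5
        outside = not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])
        if weekend or outside:
            hits.append((ev["user"], ev["host"], t.isoformat()))
    return hits


def fast_dc_pivots(events, window=timedelta(hours=4)):
    """Accounts whose first DC logon follows their first member-host logon within `window`.
    Returns (user, minutes between the two)."""
    first_member, first_dc = {}, {}
    for ev in events:   # events are time-ordered, so setdefault keeps the earliest
        bucket = first_dc if ev["host"] in DOMAIN_CONTROLLERS else first_member
        bucket.setdefault(ev["user"], ev["ts"])
    hits = []
    for user, t_dc in first_dc.items():
        t0 = first_member.get(user)
        if user in EXPECTED_DC_ADMINS or t0 is None or t_dc < t0:
            continue
        gap = t_dc - t0
        if gap <= window:
            hits.append((user, int(gap.total_seconds() // 60)))
    return hits


# Constructed sample: 2026-02-13 is a Friday, 2026-02-14 a Saturday. 203.0.113.5 is a
# documentation-range address standing in for an external RDP source.
SAMPLE_LINES = [
    r"2026-02-13T10:00:00 4624 user=CORP\da-jsmith host=ADM-01 type=2 src=-",
    r"2026-02-13T10:30:00 4624 user=CORP\da-jsmith host=DC01 type=10 src=10.0.9.20",
    r"2026-02-13T22:40:00 4624 user=CORP\jdoe host=WS-042 type=10 src=203.0.113.5",
    r"2026-02-13T23:15:00 4624 user=CORP\jdoe host=DC01 type=3 src=10.0.5.42",
    r"2026-02-14T02:17:00 4624 user=CORP\svc_backup host=FS-07 type=10 src=10.0.5.42",
    r"2026-02-14T02:31:00 4634 user=CORP\svc_backup host=FS-07 type=10 src=10.0.5.42",
]

if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LINES)
    print("off-hours privileged logons:", off_hours_privileged_logons(evs))
    print("fast DC pivots:", fast_dc_pivots(evs))
```

The pivot rule deliberately exempts accounts expected to administer domain controllers; without that allowlist it would fire on every tier-0 admin's morning. In the sample, the ordinary user who RDPs in from an external address at 22:40 and touches DC01 35 minutes later is the one worth paging someone for, and the service account logging on interactively at 02:17 on a Saturday is the off-hours hit.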

  16. Operational summary:
    Threat actor: UAC-0050
    Alias: DaVinci Group / Mercenary Akula (per BlueVoyant)
    Tooling: RMS (Remote Manipulator System)
    Delivery: Spear-phishing, spoofed judicial domain, layered archives
    TTP alignment consistent with reporting from CERT-UA.

    Strategic overlay:
    Russia-nexus actors, including APT29, continue high-confidence trust exploitation campaigns, as outlined by CrowdStrike.

    Detection priorities:
    - Monitor MSI execution anomalies
    - Flag double-extension binaries
    - Inspect outbound RMS traffic
    - Harden executive email authentication
    Follow for tactical intelligence briefings.
    Comment with detection engineering recommendations.

    #Infosec #ThreatIntel #UAC0050 #APT29 #RMS #SpearPhishing #DetectionEngineering #CyberEspionage #SOC #BlueTeam #SecurityOperations
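
Two of the detection priorities above, "flag double-extension binaries" and "monitor MSI execution anomalies", are concrete enough to write down. The example below is added for this page and is not CERT-UA's or the post author's code. It checks file names for a document-looking extension hiding an executable one (including names padded with spaces so the real extension scrolls out of view in a file dialog), and flags msiexec.exe runs whose package sits in a user-writable location or whose parent is an archive tool, which matches the "layered archives" delivery the post mentions. The file names, paths, parent processes and the archiver list are constructed assumptions.

```python
"""Added example (not CERT-UA's or the post author's code): two of the detection priorities
listed above, run over constructed file and process events: (1) double-extension lures
such as 'Court_Order.pdf.exe', including names padded with spaces so the real extension
scrolls out of view, and (2) msiexec.exe installing a package straight out of a
user-writable or archive-extraction path. All names, paths and parents are invented."""
import re

LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg",
             "png", "txt", "rtf", "zip", "rar"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
             "msi", "hta", "lnk"}
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|users\\public|programdata|windows\\temp)\\",
    re.I)
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}   # typical 'open from inside the archive' parents


def double_extension_lure(path):
    """Return (lure_ext, real_ext) when a document-looking name actually ends in an executable
    extension, e.g. ('pdf', 'exe'); otherwise None."""
    name = re.split(r"[\\/]", path)[-1]
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:
        return None
    lure, real = parts[-2], parts[-1]
    if real in EXEC_EXTS and lure in LURE_EXTS:
        return lure, real
    return None


def msi_execution_anomalies(process_events):
    """Flag msiexec runs whose package sits in user-writable space or whose parent is an archiver.
    A silent-install switch is recorded as an extra reason only when one of those fired, so
    routine quiet installs from a software-distribution cache do not alert."""
    hits = []
    for ev in process_events:
        if ev["image"].rsplit("\\", 1)[-1].lower() != "msiexec.exe":
            continue
        m = re.search(r'"([^"]+\.msi)"|(\S+\.msi)', ev["cmdline"], re.I)
        package = (m.group(1) or m.group(2)) if m else ""
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(package):
            reasons.append("package in user-writable path")
        if parent in ARCHIVERS:
            reasons.append(f"launched by {parent}")
        if reasons and re.search(r"\s/q[nb]?\b", ev["cmdline"], re.I):
            reasons.append("silent install")
        if reasons:
            hits.append((package, reasons))
    return hits


SAMPLE_FILES = [
    r"C:\Users\olena\Downloads\Court_Order.pdf.exe",
    r"C:\Users\olena\Downloads\Summons.pdf                                .scr",
    r"C:\Users\olena\Downloads\report.final.docx",
    r"C:\Users\olena\Downloads\setup.exe",
]
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\olena\AppData\Local\Temp\Rar$EXa0.123\Summons.msi" /qn',
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\ccmcache\3f\Office.msi" /qn',
     "parent": r"C:\Windows\CCM\CcmExec.exe"},
]

if __name__ == "__main__":
    for p in SAMPLE_FILES:
        print(p, "->", double_extension_lure(p))
    print(msi_execution_anomalies(SAMPLE_PROCESSES))
```

The second process event is the control: a quiet install from a software-distribution cache with a management-agent parent produces no finding, while the package extracted by WinRAR into the user's Temp directory trips all three reasons.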

  17. We’re looking for a Detection Engineer to build and maintain detection rules using the detection-as-code principle (with Sigma!). If you’re into turning threat intelligence data into actionable alerts, we want to hear from you! 🚀

    #detectionengineering

    cert.europa.eu/vacancies/it-se

  18. TrustConnect = RAT disguised as RMM.
    Discovered by Proofpoint.
    Technical observations:
    • Centralized multi-customer C2
    • API-driven agent registration (/api/agents/register)
    • WebSocket RDP streaming
    • EV certificate abuse (revoked Feb 6, 2026)
    • Branded payload generation per org token
    • Rapid infra pivot → “DocConnect” (SignalR integration)
    Subscription model: $300/month via BTC/USDT.
    Operators tracked victims across tenants.
    This is MaaS evolving toward operational maturity — automation, AI-assisted site generation, and SaaS-style lifecycle management.

    How should defenders adjust detection logic when malware is digitally signed and infrastructure rotates quickly?

    Source: proofpoint.com/us/blog/threat-

    Engage below.
    Follow TechNadu for technical threat intelligence coverage.

    #ThreatIntelligence #ReverseEngineering #MalwareResearch #RAT #MaaS #SOC #DFIR #CyberOperations #DetectionEngineering
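
The post's closing question, how to detect signed malware on fast-rotating infrastructure, has a practical answer: match on behaviour that the operator cannot rotate cheaply. The example below is added here and is not Proofpoint's code or the post author's. It hunts constructed proxy logs for the agent-registration path quoted above on any host, flags WebSocket upgrades to hosts outside a sanctioned remote-access allowlist, and ranks clients that did both. The log format, the `.example` hostnames, the client addresses and the allowlist are all invented assumptions.

```python
"""Added example (not Proofpoint's code or the post author's): hunting for the agent
registration behaviour described above in proxy logs without depending on any one hostname,
since the operators rotated infrastructure. Log lines, hostnames (.example) and client
addresses are constructed for the example."""
from collections import defaultdict
from urllib.parse import urlsplit

REGISTRATION_PATHS = {"/api/agents/register"}     # path quoted in the write-up above
SANCTIONED_REMOTE_HOSTS = {"rmm.corp.example"}     # assumed corporate RMM endpoint


def parse_proxy_line(line):
    """Constructed format: 'ts client method url status upgrade' (space separated)."""
    ts, client, method, url, status, upgrade = line.split()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "status": int(status), "websocket": upgrade.lower() == "websocket"}


def hunt(lines):
    """Per-client findings: (kind, host) tuples keyed by client address."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_proxy_line(line)
        if ev["method"] == "POST" and ev["path"] in REGISTRATION_PATHS:
            findings[ev["client"]].append(("agent_registration", ev["host"]))
        if ev["websocket"] and ev["host"] not in SANCTIONED_REMOTE_HOSTS:
            findings[ev["client"]].append(("websocket_unsanctioned", ev["host"]))
    return dict(findings)


def prioritize(findings):
    """Clients that both registered an agent and opened an unsanctioned WebSocket rank highest.
    Returns (score, client, sorted distinct hosts) so infrastructure rotation is visible."""
    ranked = []
    for client, items in findings.items():
        kinds = {k for k, _ in items}
        hosts = sorted({h for _, h in items})
        score = 2 if {"agent_registration", "websocket_unsanctioned"} <= kinds else 1
        ranked.append((score, client, hosts))
    return sorted(ranked, reverse=True)


SAMPLE_LOG = [
    "2026-02-05T10:01:12 10.20.3.15 POST https://support-portal.example/api/agents/register 200 -",
    "2026-02-05T10:01:40 10.20.3.15 GET  https://support-portal.example/hub 101 websocket",
    "2026-02-06T08:14:03 10.20.3.15 POST https://docs-connect.example/api/agents/register 200 -",
    "2026-02-06T08:14:30 10.20.3.15 GET  https://docs-connect.example/signalr/connect 101 websocket",
    "2026-02-06T09:00:00 10.20.7.88 GET  https://rmm.corp.example/ws 101 websocket",
    "2026-02-06T09:05:00 10.20.7.90 GET  https://www.example/api/agents/register 200 -",
]

if __name__ == "__main__":
    for score, client, hosts in prioritize(hunt(SAMPLE_LOG)):
        print(score, client, hosts)
```

The same client registering against two different domains a day apart is exactly the rotation pattern the post describes, and it is the reason the rule keys on path and protocol behaviour rather than on a host indicator. A valid code signature does not change any of this telemetry, which is why signature status should lower nothing more than the prior for a process, not suppress network-side detections.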

  22. According to Dragos, Volt Typhoon continues active operations inside U.S. utilities, shifting toward direct OT interaction and sensor data theft in 2025.

    Notable elements:
    • Pre-positioning in ICS environments
    • Exploitation of Ivanti & Trimble Cityworks vulnerabilities
    • GIS data harvesting for infrastructure mapping
    • Access broker activity attributed to SYLVANITE
    • Long-term persistence objectives
    CEO Rob Lee stated some compromised sites may never be identified.

    Technical question:
    If adversaries maintain low-and-slow OT access, how should defenders adapt detection engineering?
    – Network baselining?
    – Sensor telemetry validation?
    – Asset-level anomaly detection?
    – Zero trust for OT?

    Drop your technical analysis below.
    Follow @technadu for advanced threat coverage.

    #ICSsecurity #OTsecurity #ThreatHunting #DetectionEngineering #VoltTyphoon #InfrastructureDefense #CyberResilience #EnergyGrid #WaterUtilities #NationalSecurity #BlueTeam #CyberThreatIntel
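
The post asks whether network baselining is the right answer to low-and-slow OT access, and the Juniper post earlier on this page asks for control-plane traffic monitoring and a service exposure review for routers. One example serves both, added here and not taken from Dragos, Juniper or either post: learn the set of conversations (source, destination, port, protocol) seen during a quiet baseline window, then report conversations in a later window that never appeared, ranking any that reach a critical asset (router management plane, PLC) from outside the expected admin hosts as high. Every flow record, address and asset label is constructed for the example.

```python
"""Added example serving both the Juniper post's 'control-plane traffic monitoring' and the
Volt Typhoon post's 'network baselining' questions (not code from Dragos, Juniper or the
posts): learn conversations (src, dst, dport, proto) in a baseline window, then report
conversations in a later window that never appeared, ranking any that touch a critical
asset as high. All flow records, addresses and asset labels are constructed."""
from collections import Counter

CRITICAL_ASSETS = {"10.1.0.1": "ptx-core-rtr mgmt", "10.50.0.20": "plc-pump-3"}
ADMIN_JUMP_HOSTS = {"10.1.100.5"}   # hosts from which new admin services on critical assets are expected


def parse_flows(lines):
    """'ts src dst dport proto' records (constructed); returns conversation tuples, timestamp dropped."""
    flows = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def build_baseline(baseline_flows):
    """Conversation keys observed during the learning window, with how often each was seen."""
    return Counter(baseline_flows)


def novel_conversations(baseline, observed_flows):
    """Conversations absent from the baseline, each with a severity and a reason."""
    findings = []
    for key in sorted(set(observed_flows) - set(baseline)):
        src, dst, dport, proto = key
        if dst in CRITICAL_ASSETS and src not in ADMIN_JUMP_HOSTS:
            findings.append(("high", key, f"new talker to {CRITICAL_ASSETS[dst]}"))
        elif dst in CRITICAL_ASSETS:
            findings.append(("medium", key, f"new service on {CRITICAL_ASSETS[dst]} from jump host"))
        else:
            findings.append(("low", key, "new conversation"))
    return findings


# Constructed baseline: jump host to router SSH, HMI to PLC Modbus/TCP, workstation to file server.
BASELINE_LINES = [
    "2026-01-10T03:00:00 10.1.100.5 10.1.0.1 22 tcp",
    "2026-01-10T03:05:00 10.50.0.10 10.50.0.20 502 tcp",
    "2026-01-10T03:06:00 10.20.3.15 10.20.3.40 445 tcp",
    "2026-01-11T03:00:00 10.1.100.5 10.1.0.1 22 tcp",
]
# Constructed observation window: a workstation starts talking to the router and the PLC.
OBSERVED_LINES = [
    "2026-02-01T02:10:00 10.1.100.5 10.1.0.1 22 tcp",
    "2026-02-01T02:11:00 10.1.100.5 10.1.0.1 830 tcp",
    "2026-02-01T02:30:00 10.20.3.15 10.1.0.1 22 tcp",
    "2026-02-01T02:31:00 10.20.3.15 10.50.0.20 502 tcp",
    "2026-02-01T02:40:00 10.20.3.15 10.20.3.99 3389 tcp",
    "2026-02-01T02:41:00 10.50.0.10 10.50.0.20 502 tcp",
]

if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    for severity, key, reason in novel_conversations(baseline, parse_flows(OBSERVED_LINES)):
        print(severity, key, reason)
```

The value of this approach in OT and on router management planes is that the legitimate conversation set is small and stable, so a single new (source, destination, port) triple is a meaningful event rather than noise. The weak point is the baseline window itself: if the adversary was already pre-positioned when it was learned, their traffic is baked in as normal, which is one reason the post's "some sites may never be identified" remark deserves to be taken seriously.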

  26. The UK is moving toward mandatory proactive detection of nonconsensual intimate images.

    Under proposals backed by Keir Starmer, platforms must:
    • Remove flagged content within 48 hours
    • Prevent reuploads using hash matching
    • Deploy proactive detection “at source”
    • Face fines up to 10% of global revenue

    Regulator Ofcom is accelerating its decision on requiring technical enforcement mechanisms.
    Technical considerations:
    - Hash collision and false-positive risks
    - Cross-platform hash database coordination
    - Encryption vs scanning tradeoffs
    - Abuse-report automation workflows
    - AI-generated image detection accuracy
    Is mandatory proactive scanning the future of online content governance?

    Source: therecord.media/united-kingdom

    Drop your technical analysis below.

    Follow @technadu for advanced cybersecurity and policy reporting.

    #Infosec #DetectionEngineering #AIsecurity #HashMatching #ContentModeration #DigitalForensics #CyberPolicy #OnlineSafety #DeepfakeDetection #PrivacyEngineering #ThreatModeling #SecurityArchitecture
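
The post lists "hash collision and false-positive risks" under hash matching without saying where they come from. The example below is added here and is not code from the article or from any platform's matching system. It shows why re-upload prevention cannot rest on a cryptographic hash (a one-bit change to the file breaks the match) and what a perceptual hash buys instead, using a small average hash over an 8x8 greyscale grid with a Hamming-distance threshold; it then shows the false-positive side, where a threshold set too loosely matches an unrelated image. The three "images" are constructed integer arrays, not real pictures.

```python
"""Added example (not from the article or any platform's matching system): why re-upload
prevention is built on perceptual rather than cryptographic hashes, and where the
false-positive risk comes from. A tiny average hash (aHash) is computed over an 8x8
greyscale grid; the three 'images' are constructed arrays, not real pictures."""
import hashlib


def average_hash(pixels):
    """64-bit aHash: bit i is 1 when pixel i is brighter than the mean of the 8x8 grid."""
    if len(pixels) != 64:
        raise ValueError("expected a flattened 8x8 greyscale grid")
    mean = sum(pixels) / 64
    h = 0
    for v in pixels:
        h = (h << 1) | (1 if v > mean else 0)
    return h


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_hex(pixels):
    """Cryptographic hash of the raw pixel bytes: any change at all produces a new value."""
    return hashlib.sha256(bytes(pixels)).hexdigest()


def matches(query, reference, threshold):
    """Perceptual match: distance at or below threshold. Too large a threshold invites false positives."""
    return hamming(query, reference) <= threshold


ORIGINAL = [i * 4 for i in range(64)]                       # smooth gradient
REENCODED = [min(255, v + 20) for v in ORIGINAL]            # same picture, brightened (as after editing)
UNRELATED = [255 if i % 2 == 0 else 0 for i in range(64)]   # checkerboard


def demo():
    """Return the comparisons the text above cares about."""
    h_orig, h_re, h_other = average_hash(ORIGINAL), average_hash(REENCODED), average_hash(UNRELATED)
    return {
        "sha_matches": sha256_hex(ORIGINAL) == sha256_hex(REENCODED),
        "ahash_distance_reencoded": hamming(h_orig, h_re),
        "ahash_distance_unrelated": hamming(h_orig, h_other),
        "match_strict": matches(h_re, h_orig, threshold=10),
        "false_positive_loose": matches(h_other, h_orig, threshold=40),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Production systems use far more robust perceptual hashes than this toy, but the shape of the tradeoff is identical: the threshold that lets an edited or re-encoded copy through the net is the same knob that, turned too far, starts matching unrelated content, and that is where the takedown-within-48-hours requirement and the false-positive risk meet.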

  30. Palo Alto Networks to acquire Koi Security for $400M, targeting the emerging Agentic Endpoint attack surface.

    Koi (Assaraf, Dardikman, Kruk) developed LLM-powered analysis to detect:
    • Malicious extensions/plugins
    • Package ecosystem abuse (NPM, Homebrew)
    • AI agent exploit chaining
    • Model artifact manipulation
    • Credential hijacking within agent frameworks

    Planned integration into Prisma AIRS™ and Cortex XDR® aims to improve AI runtime visibility and enforcement.

    Question for defenders:
    Are your telemetry pipelines mapping AI agent behavior - or just traditional executables?

    Source: paloaltonetworks.com/company/p

    Drop your technical perspective below.
    Follow Technadu for advanced threat intelligence reporting.

    #Infosec #ThreatModeling #AppSec #EndpointSecurity #AIsecurity #DetectionEngineering #XDR #ZeroTrust #SupplyChainSecurity #LLMsecurity #BlueTeam #RedTeam #CyberArchitecture

  34. CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
    Technical highlights:
    • 950MB padded executable (null-byte inflation)
    • AutoIt loader reconstruction
    • Memory-resident payload execution
    • Multipart/form-data POST exfiltration
    • Malicious extension “NinjaBrowserMonetisation”
    • XOR + Base56-like JS obfuscation
    • Scheduled task persistence
    • Russian search engine default modification

    This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
    Defensive priorities:
    – IoC blocking at firewall + EDR
    – Redirect chain inspection
    – Extension audit controls
    – Endpoint scheduled task monitoring

    How are you adjusting detection engineering for SaaS-based malware distribution?
    Engage below.

    Source: ctm360.com/reports/ninja-brows

    Follow @technadu for ongoing threat intelligence coverage.

    #ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse
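
The "950MB padded executable (null-byte inflation)" item above is a trick with a defensive consequence: a file inflated with trailing zeros often exceeds the size limits of sandboxes and upload-based scanners, and every re-padded build gets a fresh file hash, so a hash-based IoC from one sample misses the next. The following is an added example, not code from CTM360's report, that flags inflated files and hashes them with the padding stripped. The samples are constructed stand-ins, not the real binary, and the thresholds are assumptions.

```python
import hashlib

# Constructed samples (not the Ninja Browser binary). CORE stands in for real executable
# content; PADDED is the same content with null bytes appended; CLEAN ends in non-null bytes.
CORE = b"MZ" + bytes(range(256)) * 8
PADDED = CORE + b"\x00" * (64 * 1024)
CLEAN = bytes(range(256)) * 8 + b"\x01\x00\x02"


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def zero_fraction(data: bytes) -> float:
    """Share of the whole file that is 0x00."""
    return data.count(0) / len(data) if data else 0.0


def inflation_report(data: bytes, min_run: int = 4096, min_fraction: float = 0.5) -> dict:
    """Flag a file whose size is dominated by a trailing null run.
    Thresholds are assumptions for this example; tune them per file type, since some
    legitimate installers and images carry a modest amount of trailing zeros."""
    run = trailing_zero_run(data)
    frac = zero_fraction(data)
    return {
        "size": len(data),
        "trailing_zero_run": run,
        "zero_fraction": round(frac, 3),
        "inflated": run >= min_run and frac >= min_fraction,
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalized_sha256(data: bytes) -> str:
    """Hash with trailing null padding removed, so one IoC covers re-padded variants.
    Keep the raw hash as well: stripping changes the digest of files that end in zeros legitimately."""
    return sha256_hex(data.rstrip(b"\x00"))


if __name__ == "__main__":
    for name, blob in [("PADDED", PADDED), ("CLEAN", CLEAN)]:
        print(name, inflation_report(blob), "raw", sha256_hex(blob)[:16], "norm", normalized_sha256(blob)[:16])
```

In a blocklist, store both digests per sample: the raw hash for exact matching and the normalized one so that the same payload re-padded to a different size still matches.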

  38. DNS-based staging via ClickFix represents tactical evolution.

    Per Microsoft:
    • Cmd.exe → nslookup execution
    • Hardcoded external DNS resolver
    • Payload embedded in DNS Name: response
    • ZIP retrieval from azwsappdev[.]com
    • Python-based reconnaissance
    • VBScript persistence via Startup LNK
    • ModeloRAT deployment
    • Lumma Stealer distribution via CastleLoader (GrayBravo)

    Campaign telemetry also discussed by Bitdefender and Kaspersky.

    DNS offers:
    • Reduced dependency on HTTP
    • Traffic blending with legitimate queries
    • Lightweight validation signaling

    Detection priorities:
    • Anomalous nslookup patterns
    • External DNS resolver usage
    • Suspicious Startup LNK creation
    • DNS response content inspection

    Is your EDR correlating DNS queries with process lineage?
    Engage below.
    Follow @technadu for advanced threat analysis.

    #ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
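
The detection priorities in the post above (anomalous nslookup from cmd.exe, an explicit external resolver, a Startup .lnk, and the process lineage question) worked as one correlation, as an added example that is not code from Microsoft, Bitdefender or Kaspersky. It runs over constructed Sysmon-style events; the corporate resolver list, process IDs, the stage.example.net name and the 203.0.113.53 resolver (RFC 5737 documentation range) are placeholders, not campaign indicators.

```python
import re

# Resolvers an explicit "nslookup <name> <server>" may legitimately target (assumed).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed Sysmon-style events, not real telemetry. event 1 = process create,
# event 11 = file create; "t" is seconds from an arbitrary start.
EVENTS = [
    {"event": 1, "t": 0, "pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"event": 1, "t": 5, "pid": 4000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "nslookup -type=txt stage.example.net 203.0.113.53"'},
    {"event": 1, "t": 6, "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -type=txt stage.example.net 203.0.113.53"},
    {"event": 1, "t": 7, "pid": 3000, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"event": 1, "t": 8, "pid": 4200, "ppid": 3000, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup mail.corp.example 10.0.0.53"},     # admin, corporate resolver
    {"event": 1, "t": 9, "pid": 4250, "ppid": 3000, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=mx corp.example"},               # system default resolver
    {"event": 1, "t": 40, "pid": 4300, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\u.vbs"},
    {"event": 11, "t": 41, "pid": 4300, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def explicit_resolver(cmdline: str):
    """Return the server an nslookup command line points at, or None for the system default.
    Syntax is nslookup [-option ...] host [server]; a bare "-" as host enters interactive
    mode against that server, so it counts as a positional argument."""
    positional = [t for t in cmdline.split()[1:] if t == "-" or not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def lineage(procs: dict, pid: int) -> str:
    """Ancestor chain rendered root-first, e.g. 'explorer.exe > cmd.exe > nslookup.exe'."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))


def descends_from(procs: dict, pid: int, ancestor: int) -> bool:
    seen = set()
    while pid in procs and pid not in seen:
        if pid == ancestor:
            return True
        seen.add(pid)
        pid = procs[pid]["ppid"]
    return False


def detect(events: list, window: int = 300) -> list:
    """One alert per nslookup aimed at a non-corporate resolver, enriched with the process
    lineage and any Startup-folder .lnk written by the spawning shell's subtree within `window` s."""
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    alerts = []
    for e in events:
        if e["event"] != 1 or basename(e["image"]) != "nslookup.exe":
            continue
        resolver = explicit_resolver(e["cmdline"])
        if resolver is None or resolver in ALLOWED_RESOLVERS:
            continue
        shell = e["ppid"]                      # root the correlation at the spawning shell
        lnks = [f["target"] for f in events
                if f["event"] == 11 and STARTUP_LNK_RE.search(f["target"])
                and 0 <= f["t"] - e["t"] <= window
                and descends_from(procs, f["pid"], shell)]
        parent = basename(procs[shell]["image"]) if shell in procs else "?"
        alerts.append({
            "pid": e["pid"], "resolver": resolver, "parent": parent,
            "lineage": lineage(procs, e["pid"]), "startup_lnk": lnks,
            "severity": "high" if parent == "cmd.exe" and lnks else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two PowerShell-launched lookups stay quiet (one targets a corporate resolver, the other uses the default), while the cmd.exe-launched lookup against an outside resolver is raised to high because the same shell's subtree then wrote a Startup .lnk. The same logic maps onto a Sentinel or Defender query keyed on ProcessId/ParentProcessId, which is the correlation the post's closing question asks for.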

  42. 🏋️ NorthSec 2026 Trainings (9/12): "Advanced Detection Engineering in the Enterprise" by Olaf Hartong & Rogier Boon (FalconForce)

    📅 Dates: May 11, 12 and 13, 2026 (3 days)
    📊 Difficulty: Medium
    🖥️ Mode: On-Site

    Description: "FalconForce developed a specialist workshop for security professionals to help take their detection engineering capabilities to the next level. An ultimate detection engineering learning experience with the opportunity to go all-in with real-life, hands-on lab exercises. The training covers a full, realistic attacker scenario in an enterprise environment: from the endpoint, through Active Directory and into the cloud environment.

    This training is led by experienced instructors who teach students to:
    • Understand how to research an attacker technique used in corporate environments.
    • Build resilient detections that are harder for an attacker to evade.
    • Validate their detections to make sure they keep functioning as intended.
    The training focuses on Microsoft Sentinel and Defender XDR, but the concepts can be applied to other stacks as well."

    About the trainers:
    Olaf Hartong has vast experience in digital security, specializing in security operations, detection engineering and threat hunting. Olaf has extensive knowledge of different monitoring platforms, in particular the Microsoft Defender XDR and Sentinel stack. He presents at well-known security conferences such as Black Hat, DEF CON, WWHF, BruCON, SO-CON, NorthSec, Insomni'hack and MITRE ATT&CKcon. Olaf is the author of the ThreatHunting app for Splunk, ATTACK datamap, FalconHound and the Sysmon-modular tools.

    Rogier Boon has over 20 years' experience as both a security consultant and an in-house technical specialist. Throughout his career, Rogier has held roles as an offensive specialist and as a blue teamer (Tier 2/3 SOC, incident response, detection engineer). Rogier brings extensive experience working in various high-tech environments and researching a multitude of technologies. Rogier has facilitated at Black Hat US and in various private training sessions for in-house SOC teams.

    🔗 Save Your Spot: nsec.io/training/2026-advanced

    #NorthSec #cybersecurity #detectionengineering #infosec #blueteam
