Kris McConkey (@smoothimpact) 's Twitter Profile
Kris McConkey

@smoothimpact

#threatintel and #dfir lead @ PwC. Blue team forever. Christian, husband, dad, coffee addict, bad photographer, awful cyclist. Tweets my own, not PwC's.

ID: 72632741

08-09-2009 18:52:09

9,9K Tweet

5,5K Followers

839 Following

4n6lady (@4n6lady)

It’s Monday, and you know what that means? A fresh new week of chaos in IR. Here are some real red flags I’ve come across in AWS environments while investigating security events — the kind that make my brain twitch 🧠⚡👇

Kris McConkey (@smoothimpact)

DPRK is getting a full drains up exposure so far at #PIVOTcon2025 - super insight into both IT Worker and CNO activity from a couple of talks so far, with more to come later.

Kris McConkey (@smoothimpact)

“You know those videos which zoom out from earth to show you that there are thousands of other planets in the galaxy? That’s what analysing scams look like on the blockchain” - J. Burns Koven #PIVOTcon25

CYBERUK (@cyberukevents)

NCSC Director of Operations Paul Chichester CMG MBE chairs the lively discussion on efforts made across the spectrum to give our adversaries a bad day … or year.

Kris McConkey (@smoothimpact)

Cyber espionage is often viewed as the sexy side of threat intel, but the one thing consistently getting impromptu applause at #PIVOTcon25 are the stories of intel work leading to mitigations and interventions which are protecting individuals from fraud & scam loss.

Tib3rius (@0xtib3rius)

Hate to break it to some people, but pentesting is a customer-facing role. Whether you're involved in the initial scoping, onsite doing testing, or giving a report readout call, you *will* have to learn to speak to customers.

Spamhaus Technology (@spamhaustech)

Only in its second year, PIVOTcon has already established itself as a standout gathering for some of the finest CTI practitioners and researchers. With its relatively small size (~160 people) as one of its key features, this trusted environment again produced some amazing

Katie🌻Moussouris (she/her/she-ra/she-hulk) 🪷 (@k8em0)

Dr. Anton Chuvakin What we’ve seen in every organization is the REASON they aren’t following the basic advice is most haven’t planned for infrastructure to do it or hired correctly. It’s an org maturity process failure based on years of buying security products instead of investing in security

Michael (@matonis)

Russia's most ideal objective remains to achieve sweeping victory in Ukraine. Outcomes in-theatre depend on success on the periphery. It would be monumentally stupid to assume that RU cyber operations in Ukraine are fully contained. What is used there will be used elsewhere.

Matt Zorich (@reprise_99)

In the age of remote work, your incident response plan should include how you can continue to operate without a VPN in place, or how you can very quickly lock it down, because most IR firms are going to recommend you disable it very quickly if you are facing likely ransomware

Florian Roth ⚡️ (@cyb3rops)

mf squid piyush jain Ask yourself: If our main identity provider (Okta, AD, etc.) gets compromised… what functions must still work? What tools must we still trust? - Should the attacker be able to read your IR tickets? - Access internal chats between blue team members? - Tamper with EDR alerts or

Costin Raiu (@craiu)

New samples of previously-unseen UMBRELLA STAND & SHOE RACK malware just landed on VirusTotal! These custom implants target Fortinet FortiGate firewalls, reinforcing a growing trend we've seen during the past years: router exploitation as a long-term foothold and stealth access.

Christopher Glyer (@cglyer)

Most enterprise intrusions that I’ve analyzed in my career have had alerts generated by some security product along the way. The issue/blocker has been figuring out which ones to get in front of a human to realize importance/significance to mobilize action by an org to mitigate

State of Statecraft Conference (@what_is_sos)

State of Statecraft (SOS) is a new security and intelligence conference purposed to bring together observers of espionage, sabotage, influence, and other unique forms of covert statecraft to share their work with a community hyper-focused on tackling state-sponsored ops.
