Mattison Schuch retweeted
“I spend all day, every day, looking at folks who misuse our models and our products. I want to walk all of you through what I've been seeing on the ground and how this has changed in the past year.” - Jacob Klein, @AnthropicAI's head of threat intel at the @SANSInstitute AI Summit.

And then came the heartburn line: “Almost everything I’m walking through can be used by a defender as well.”

He’s right. Defenders can point AI at endpoints at scale, code at scale, vulnerabilities, and SOC signals. Every serious defender already knows the list. The hard part is the operating reality: usable data, investigations that don’t depend on manual glue work, remediation that moves fast enough, and AI you can actually trust. What makes this a tougher sell is the reliability of the tools in our hands right now and our own skill gaps.

And consider: we still get to watch some of this play out in the open. That window closes as attackers move to their own private tooling and infrastructure. The only way we get ready is by starting now: working on our own skill gaps, building muscle with the tools we have, stress-testing them in real environments, forcing the workflow changes that make AI for defense operational.

Work on this directly with us: Find Evil! is live. Protocol SIFT is what happens when you wire an AI agent into a forensic workstation full of trusted tools and tell it to behave. It's an early capability with real outputs and failure modes. Join our community effort to make it something defenders can deploy. 42 days to enter. An incredible 2,500 builders and teams are in as of today. $22K in cash prizes. Sponsored by SANS Institute. findevil.devpost.com

(You'll have to hear Jacob's full talk and the fireside chat with Bruce Schneier and Anne Neuberger: Are tech companies the new SOC? Check it out on the SANS Institute YouTube page.)

Curious what you think. (And have you entered the hackathon?) #AIsecurity #cybersecurity #vulnops
1
10
36
7,562
Mattison Schuch retweeted
hELLO the tIME HAS cOME oNCE AGAIN on my cONTENT cALENDAR for me to continue to scream and shout about oUR VIRTUAL EVENT ContinuumCon 2026 jUNE 12 - 14 continuumcon.com livestream run of show is free & public but all workshop sessions get into hands-on labs see u there ✌️
9
13
75
15,156
Mattison Schuch retweeted
The threat landscape just changed — fast. And Jacob Klein is breaking it down live. At #AISummit, he’s showing:
🔘 How AI is helping low-skill actors bypass technical barriers
🔘 Why smaller teams are now operating at APT level
🔘 What it means when AI executes up to 90% of an attack
You can still catch it free, live online today. Register & join us: sans.org/u/1CNB #AISecurity #CyberSecurity #ThreatIntelligence #CyberThreats
8
22
1,796
Mattison Schuch retweeted
The FLARE Learning Hub is launching with three modules:
- Malware Analysis Crash Course
- The Go Reverse Engineering Reference
- Introduction to Time Travel Debugging (TTD)
📟 Start learning: bit.ly/41x7MXs
3
86
308
15,469
Mattison Schuch retweeted
Wild story on a big AI-powered social engineering campaign, leveraging Device Code phishing to steal Entra ID/Microsoft accounts -- all with entirely unique and personalized per-victim lures from vibecode-crafted infrastructure 🤯 Video link below cuz the X algorithm hates me: 👇
13
65
272
44,154
Mattison Schuch retweeted
🤓 Sekoia recently uncovered a new Phishing as a Service platform called EvilTokens that automates Business Email Compromise at scale! The tool uses AI to:
- Automate the analysis of large volumes of emails to identify exploitable financial exposure
- Map payment workflows and key contacts
- Automatically generate realistic BEC scenarios based on target profile
- Draft emails that match writing style, context, and urgency
Sekoia also contributed the Adversarial Prompts they uncovered to PromptIntel privately, so the trusted community can benefit from the intel without exposing the raw instructions. Great work @crep1x @ncaproni 👏 👉 blog.sekoia.io/eviltokens-an…
3
18
48
10,381
Mattison Schuch retweeted
Registration is OPEN for Find Evil!, the first hackathon for autonomous AI incident response. Built by the community, for the community. $22K in prizes.

Mission: Make Protocol SIFT, the framework connecting AI agents to the SIFT Workstation's full toolset, into a fully autonomous incident response agent. SIFT Workstation is a beat-to-shreds, open-source incident response platform with 200 tools. 19 years of community development. 60K downloads annually.

No incident response background required. New to AI? Good. Get your hands on the tools and learn with us.

Registration open April 1. Hackathon starts April 15. Submissions due June 15.
Register: findevil.devpost.com
Read more: robtlee73.substack.com/p/reg…
Sponsored by @SANSInstitute
3
49
120
23,966
Mattison Schuch retweeted
🎉New report out Monday 11/17 by @Friffnz, Daniel Casenove & @MittenSec! "The first instance of unauthorized access by the threat actor was a successful RDP logon to the beachhead host, a publicly exposed RDP server. The logon was performed using valid credentials, and... 1/3
1
6
13
3,002
Mattison Schuch retweeted
🌟New report out today!🌟 Hide Your RDP: Password Spray Leads to RansomHub Deployment
Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2
🔊Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/06/30…
1
39
111
10,077
Mattison Schuch retweeted
🎉 Announcing DFIR Labs! 🎉 Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
1
126
486
133,100
Mattison Schuch retweeted
🚀 Exciting News Coming Soon! 🌟 🔍 We're launching an innovative platform to help boost your DFIR skills! 🙏 Thanks to our beta testers - your feedback was invaluable! ✨ Curious for a sneak peek? Head to our site to see what's coming!
2
19
128
27,060
Mattison Schuch retweeted
⭐️New report out Monday 10/30 by @iiamaleks, @MittenSec, & @Miixxedup!!⭐️ ✉️Initial Access began with a ZIP file delivered to a victim through email, which eventually led to NetSupport. ➡️Want to receive an email when we publish a new report? ➡️➡️thedfirreport.com/subscribe/
1
32
112
19,675
Mattison Schuch retweeted
Thanks to everyone who listened to me rant for an hour about how to take effective notes in this strange field @bsidesatl My entire talk (and much more) can be found here: grahamhelton.com/blog/atomic…

4
8
80
11,627
Mattison Schuch retweeted
11 Jul 2023
1/ On a recent BEC investigation, I noticed the entry "Fraud reported - user is blocked for MFA" within the #Azure Audit logs from the compromised user (see screenshot below). I've never encountered this Activity, so let's dig in. 🧵
1
22
95
29,259
Mattison Schuch retweeted
A macOS vulnerability could allow an attacker with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on a device. Learn more about CVE-2023-32369, which we refer to as “Migraine”, and its patch in our latest blog: msft.it/6018gegrs

84
190
57,081
Mattison Schuch retweeted
Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States. msft.it/6019gj8eH
13
276
524
239,408
Mattison Schuch retweeted
IcedID Macro Ends in Nokoyawa Ransomware
➡️Initial Access: IcedID XLS Macro
➡️Credentials: LSASS, Creds in Files
➡️Persistence: Scheduled Task
➡️Lateral: RDP, SMB, WMI, WinRM, PsExec
➡️C2: IcedID, Cobalt Strike, VNC
➡️Impact: Nokoyawa Ransomware
thedfirreport.com/2023/05/22… 1/X
2
133
258
66,355