VP Labs, Threat Research & Intel @AWNetworks ▪️ SANS Author & Senior Instructor #GSE 132 ▪️ #SEC530 #ThinkRedActBlue @TheMondayBrief

Joined June 2009
🔥 Amazing day at the @SANSInstitute #AISummit 2026. I had the chance to join the SANS360 lightning talks. 10 practitioners, 6 minutes each. No fluff. My message was simple: #AI is collapsing prevention time, but time-based security still holds. Speed doesn’t make these attacks smarter. In fact, it often makes them more fragile. To show how #AllAroundDefenders can flip the script, today we introduced #Decipio, our latest community project from the @AWNetworks Labs team. #Decipio injects controlled “lies” into the environment to expose credential theft the moment it begins. It also applies automation and AI-assisted workflows defensively, creating a home-field advantage for defenders. To protect the #cyberdefense community, we decided to release Decipio as a gated, community-driven release. 👉 You can start requesting access today through our website, and learn more about it in our latest blog: 🔹 arcticwolf.com/decipio/ 🔹 arcticwolf.com/resources/blo… #CyberDefense #AI #ThinkRedActBlue
This week's @themondaybrief marks a first: our debut guest perspective, and Vicente Diaz (@trompi) opens the series. The theme this week is cost inversion. Attackers are borrowing the tools we already trust. As Vicente said in his commentary: "we've seen this movie before." The techniques aren't novel. The speed and scale are. open.substack.com/pub/themon… #ThinkRedActBlue #TheMondayBrief w/ @fulmetalpackets
Ismael Valenzuela retweeted
New Monday Brief is live. This week the attacker's R&D budget shrank while your attack surface grew. Tricked AI bots, automated EDR evasion, a Claude Code repo takeover, and fake recruiters. No zero-days needed. Plus a first for us: our debut guest perspective, featuring the great Vicente Diaz @trompi Douglas McKee (@fulmetalpackets) thinks 🔴 Ismael Valenzuela (@aboutsecurity) 🔵 Vicente Diaz (@trompi) adds the threat intel lens 🔍 open.substack.com/pub/themon… #ThinkRedActBlue #TheMondayBrief
Ismael Valenzuela retweeted
Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation #Kali365, which abuses Microsoft’s OAuth device authorization flow to bypass MFA. More details here: arcticwolf.com/resources/blo…
Deeply saddened to hear of Eric's passing. I had the privilege of knowing him for over 15 years. He was one of the people who inspired me to become a SANS Instructor, and I had the honor of sharing the stage with him several times at SANS Summits. His energy and his passion for cyber were unparalleled. My heart goes out to his family and to all of us who learned from him. You'll be missed, @drericcole.
The fastest way to understand your defenses is to reason like the person trying to beat them. This is at the core of the #ThinkRedActBlue strategy, and this week made the exercise easy. 🔴 Think Red: I do not need a zero-day. I need you to be slower than my automation. I am not breaking in. I am moving faster than the humans you put in front of the decision. 🔵 Act Blue: So the human gate is the thing to fix. Containment that waits for a phone call before isolation fires is not defense, it is documentation of loss. The rest, with @fulmetalpackets, is in this week's issue of @TheMondayBrief: the Gentlemen ransomware, GreyVibe's AI-built attacks, the FortiClient EMS exploitation, and Iran's Nimbus Manticore. 🔗open.substack.com/pub/themon… #ThinkRedActBlue #TheMondayBrief #ZeroTrust #ThreatIntelligence #DetectionEngineering
Ismael Valenzuela retweeted
Four unrelated campaigns last week. One control they all beat: your approval chain. → ransomware that spreads itself over SMB, WMI, and PsExec, no operator needed → AI-built lures and malware at machine scale → a credential stealer pushed as a trusted update → trojanized Zoom installers aimed at US firms New issue of @TheMondayBrief by @fulmetalpackets and @aboutsecurity is out 👇 open.substack.com/pub/themon… #ThinkRedActBlue #TheMondayBrief
Ismael Valenzuela retweeted
In today's issue of @TheMondayBrief, @aboutsecurity and @fulmetalpackets unpack four signals where adversaries went after the layers defenders use to define trust itself: 1️⃣ A PAN-OS zero-day (CVE-2026-0300) gave suspected state-sponsored actors root on internet-facing firewalls for nearly a month before disclosure. 2️⃣ MuddyWater dressed an Iranian espionage operation as a Chaos ransomware hit to misdirect IR. 3️⃣ Russian-linked actors struck Polish water treatment SCADA amid a 144% year-over-year surge in attacks on Poland. 🔗 Read the full issue: themondaybrief.substack.com/… #ThinkRedActBlue #ThreatIntelligence #ZeroTrust #DetectionEngineering #CISO
SANS Senior Instructor Ismael Valenzuela (@aboutsecurity) co-authored his #SEC530 course around a simple idea: think like an attacker, act like a defender. His Think Red, Act Blue framework has shaped how thousands of security professionals approach defensible architecture — from network segmentation and identity controls to cloud security across the hybrid enterprise. Ismael is teaching SEC530: Defensible Security Architecture and Engineering at #SANSFIRE 2026 in Washington, D.C. this July. If your team is ready to start implementing Zero Trust as an architecture, this is the course to take. 🔗 Register for SANSFIRE 2026 → go.sans.org/gMPqBA #SANSLiveTraining
Ismael Valenzuela retweeted
🚨 Two US cybersecurity professionals have been sentenced for moonlighting as ALPHV BlackCat ransomware affiliates. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, deployed BlackCat ransomware against multiple US victims between April and December 2023. They paid the operators a 20% cut for access to the platform, hit medical and engineering firms, leaked patient data to pressure payment, and split a $1.2 million Bitcoin ransom three ways with co-conspirator Angelo Martino. Martino had a second job. He worked as a ransomware negotiator for victims, and used that role to leak confidential victim information to the attackers to push ransom prices up. When Goldberg tried to flee abroad, the FBI tracked him through 10 countries before he was caught. Both men were sentenced yesterday. Martino is sentenced July 9.
Ismael Valenzuela retweeted
MFA isn't enough. Trusted updates became weapons. And AI agents are acting outside expected behavior. Ismael Valenzuela is connecting the dots on The Replicant Problem LIVE at #SecureYourFortress 🤖🔍 Tune in → go.sans.org/vQQO0A #ZeroTrust #AIAgents #CyberDefense
Ismael Valenzuela retweeted
Visibility is the foundation of Zero Trust. 👁️ Ismael Valenzuela dropping wisdom at #SecureYourFortress on governing AI agents in an era where the threats you can't see are the most dangerous ones. 🤖🔍 Watch now → go.sans.org/vQQO0A #ZeroTrust #AIAgents #CyberDefense
Ismael Valenzuela retweeted
Arctic Wolf Labs reports BlueNoroff using fintech-themed impersonation & fake Zoom meetings to target a Web3 company. The victim’s live camera feed was captured for reuse in future lures; the infection chain deployed fileless PowerShell & browser injection arcticwolf.com/resources/blo…
Ismael Valenzuela retweeted
Attackers didn’t break new ground this week. They operated where no one was looking. Four intrusions. Different entry points. Same pattern. - A stolen OAuth token from an AI tool became cross-environment access - A patched firewall stayed compromised for months - Consumer routers became covert relay infrastructure - Teams messages delivered malware outside traditional inspection paths The pattern is clear. The attack surface is not where controls exist. It is where visibility ends. 🔴 Think Red: You don’t need to bypass controls if you can operate outside of them 🔵 Act Blue: Monitor the parts of your environment that fall outside your normal coverage Read the full breakdown by @fulmetalpackets and @aboutsecurity: themondaybrief.substack.com/… The Monday Brief is written to be shared. #Cybersecurity #ThreatIntelligence #CISO #DetectionEngineering #TheMondayBrief
Ismael Valenzuela retweeted
Arctic Wolf recently observed a large scale device code phishing campaign leveraging the Kali365 phishing‑as‑a‑service platform to obtain initial access and conduct follow-on activity. Learn more here: ow.ly/brHg50YPwrs
Ismael Valenzuela retweeted
📣 Don’t miss the return of SANS360 — starting now! 💥 10 experts. 360 seconds each. = 60 minutes of rapid-fire technical brilliance! We’re closing out the virtual portion of Day 1 of SANS AI Cybersecurity Summit with power-packed AI Cybersecurity talks — featuring practical solutions you can use now to integrate AI/ML into your security workflows. ➡️ It's not too late to Register for Free & Join Us: sans.org/u/1CNB #AISummit #AI #GenAI #cybersecurity
Jacob Klein, head of threat intel at @AnthropicAI, sharing how AI (Claude in this case) is powering and enabling threat actors. Are you thinking the same thing I am thinking? 🤔💭 #AISummit
Bruce Schneier kicking off the @SANSInstitute #AISummit talking about integrity, trust, manipulation, and our choices when it comes to decision making.
Ismael Valenzuela retweeted
Attackers didn’t bypass defenses this week. They used them. Defender zero-days. MCP flaws. Obsidian plugin abuse. Same pattern: 👉 Weaponizing trusted tools 🔴 Think Red: Inherit trust 🔵 Act Blue: Monitor your controls Read the latest issue by @aboutsecurity and @fulmetalpackets: 🔗open.substack.com/pub/themon… #Cybersecurity #ThreatIntel