WSUS Exploited, Qilin Tradecraft, and Cloud Guardrails

Critical WSUS RCE (CVE-2025-59287) Actively Exploited

⚠️ A critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services was identified as CVE-2025-59287 and observed being actively exploited in October 2025. The flaw stems from unsafe deserialization in WSUS endpoints (GetCookie and ReportingWebService) and enables remote attackers to execute arbitrary code as SYSTEM. Microsoft issued an emergency out-of-band patch on Oct 23 after initial Patch Tuesday fixes were incomplete; organizations should apply the update or follow temporary mitigations such as disabling the WSUS Server Role or blocking inbound TCP ports 8530/8531 immediately.

Google Cloud Bigtable Adds Tiered Storage for Hot/Cold Data

🔔 Google Cloud previewed Bigtable tiered storage, which automatically moves less-frequently accessed data from high-performance SSD storage to an infrequent access tier while exposing the same Bigtable API. The fully managed feature integrates with Bigtable autoscaling so applications can read and write across hot and cold tiers via a single interface. Google says the infrequent access tier can be up to 85% less expensive than SSD and that a tiered-storage node offers substantially more usable capacity, making it suited for large time-series and telemetry datasets that require long-term retention for analytics or compliance.

Google: AI Studio Aims to Let Everyone 'Vibe Code' Games

🕹️ Google says its AI Studio will enable users to 'vibe code' simple video games by the end of the year. The company claims the tool can automatically select models and wire up APIs to streamline app creation, while noting current limitations for production-ready systems. Product lead Logan Kilpatrick highlighted the potential to broaden access to game creation, and startups like Cursor are pursuing similar next-generation vibe coding tools.

PayPal and Google Cloud Launch Agentic Commerce Solution

🛒 PayPal and Google Cloud announced a joint agentic commerce offering that integrates Google Cloud’s Conversational Commerce agent with payments powered by PayPal. The solution leverages the open Agent2Agent (A2A) Protocol and the Agent Payments Protocol (AP2)—which extends A2A and the Model Context Protocol—to enable agent-to-agent payment flows secured by Verifiable Digital Credentials. Merchants can deploy Google’s out‑of‑the‑box conversational agent or build custom agents with the Agent Development Kit (ADK), retaining control over tone, branding, and the customer relationship while benefiting from integrated payment and fraud controls.

Vertex AI Training Expands Large-Scale Training Capabilities

🚀 Vertex AI Training introduces managed features designed for large-scale model development, simplifying cluster provisioning, job orchestration, and resiliency across hundreds to thousands of accelerators. The offering integrates Cluster Director, Dynamic Workload Scheduler, optimized checkpointing, and curated training recipes, including NVIDIA NeMo support. These capabilities reduce operational overhead and accelerate transitions from pretraining to fine-tuning while improving cost and uptime efficiency.

Amazon Redshift Serverless Now in Osaka and Malaysia

🚀 Amazon Redshift Serverless is now generally available in the AWS Asia Pacific (Osaka) and Asia Pacific (Malaysia) regions. It enables data analysts, developers, and data scientists to run and scale analytics without provisioning or managing clusters by automatically provisioning and intelligently scaling compute capacity. You pay per-second for compute and can query data in-place from Amazon S3 (including Apache Parquet), use Redshift data shares, restore provisioned snapshots, or work through the Query Editor V2 or existing BI tools.

Amazon ECS Managed Instances Now in All Commercial Regions

🚀 Amazon ECS Managed Instances is now available in all commercial AWS Regions as a fully managed, EC2-based compute option that reduces infrastructure management overhead while retaining the full capabilities of Amazon EC2. Managed Instances dynamically scales EC2 capacity, continuously optimizes task placement, and applies security patching on a 14-day cadence. You specify task requirements such as vCPU, memory, and CPU architecture, and Amazon ECS provisions and operates optimal instances in your account. Management fees apply in addition to regular EC2 charges.

CISA orders patch for critical WSUS RCE exploited now

🔔 CISA ordered U.S. federal agencies to urgently patch a critical, actively exploited Windows Server Update Services vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution with SYSTEM privileges. Microsoft released out-of-band security updates after proof-of-concept exploit code appeared, and administrators are urged to install them immediately or disable the WSUS Server role as an interim mitigation. Security firms reported scanning and attacks against WSUS instances exposed on default ports 8530/8531, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal patching under BOD 22-01.

Agenda (Qilin) weaponizes Linux binaries against Windows

🛡️ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate RMM and file-transfer tools — including ScreenConnect, Splashtop, Veeam, and ATERA — to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.

Critical WordPress Plugin Flaws Exploited at Scale Globally

🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.

Qilin Ransomware Employs Linux Payloads and BYOVD Tactics

🔒 Qilin (aka Agenda, Gold Feather, Water Galura) has sharply increased operations in 2025, claiming dozens of victims monthly and peaking at 100 leak-site postings in June. Cisco Talos and Trend Micro analyses show affiliates gain initial access via leaked admin credentials, VPN interfaces and RDP, then harvest credentials with tools like Mimikatz and SharpDecryptPwd. Attackers combine legitimate remote-management software (for example AnyDesk, ScreenConnect, Splashtop) with a BYOVD vulnerable driver to disable defenses, exfiltrate data, and deploy a Linux ransomware binary on Windows systems before encrypting files and removing backups.

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

LeetAgent and Dante: ForumTroll Toolset Revealed Report

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.

Weekly Cyber Recap: WSUS Exploited and LockBit 5.0 Surge

⚠️ Microsoft released an out-of-band patch for a critical WSUS remote code execution (CVE-2025-59287) after researchers observed active exploitation that drops a .NET executable and Base64 PowerShell payloads. LockBit has resurfaced with a new multi-platform 5.0 variant claiming victims, while a modified Telegram Android app distributing the Baohuo backdoor has infected tens of thousands of devices. Reporting also shows the F5 breach began in late 2023 and has since widened, underscoring the need for urgent patching and threat hunting.

OpenAI Atlas Omnibox Vulnerable to Prompt-Injection

⚠️ OpenAI's new Atlas browser is vulnerable to a prompt-injection jailbreak that disguises malicious instructions as URL-like strings, causing the omnibox to execute hidden commands. NeuralTrust demonstrated how malformed inputs that resemble URLs can bypass URL validation and be handled as trusted user prompts, enabling redirection, data exfiltration, or unauthorized tool actions on linked services. Mitigations include stricter URL canonicalization, treating unvalidated omnibox input as untrusted, additional runtime checks before tool execution, and explicit user confirmations for sensitive actions.

Qilin Ransomware: Over 40 Victims Listed Monthly in 2025

🔒 Cisco Talos reports that Qilin ransomware sustained a surge through the second half of 2025, publishing more than 40 victim listings per month on its leak site and peaking at roughly 100 postings in June and August. The group uses a double-extortion model, encrypting systems and threatening to publish stolen data if ransoms are not paid. Operating as a RaaS, Qilin and its affiliates have heavily targeted manufacturing, professional/scientific services and wholesale trade. Investigators observed use of Cyberduck, standard Windows utilities for file viewing, and dual encryptors that spread laterally via PsExec and encrypt multiple network shares.

Italian Spyware Vendor Linked to Chrome Zero-Day Attacks

🔎 Kaspersky links a Chrome zero-day used in Operation ForumTroll to spyware tied to Memento Labs, a company formed from assets of the former Hacking Team. The campaign, revealed in March, used targeted phishing invites to the Primakov Readings and exploited a sandbox escape (CVE-2025-2783) to deploy a persistent loader. That loader decrypted and executed LeetAgent, a modular spyware, and in some cases introduced the Dante implant. Chrome and Firefox received patches soon after the discovery.

ChatGPT Atlas 'Tainted Memories' CSRF Risk Exposes Accounts

⚠️ Researchers disclosed a CSRF-based vulnerability in ChatGPT Atlas that can inject malicious instructions into the assistant's persistent memory, potentially enabling arbitrary code execution, account takeover, or malware deployment. LayerX warns that corrupted memories persist across devices and sessions until manually deleted and that Atlas' anti-phishing defenses lag mainstream browsers. The flaw converts a convenience feature into a persistent attack vector that can be invoked during normal prompts.

AWS Payment Cryptography Now Available in Three Regions

🔐 AWS Payment Cryptography is now available in Canada (Montreal), Africa (Cape Town) and Europe (London). The fully managed service centralizes payment-specific cryptographic operations and key management for cloud-hosted payment applications and scales elastically to meet changing workloads. It is assessed as compliant with PCI PIN and PCI P2PE, reducing the need for dedicated payment HSMs. Customers can position cryptographic operations closer to latency-sensitive applications and pursue multi-Region high availability.

Amazon Location Service adds granular API key restrictions

🔒 AWS has introduced enhanced API key restrictions for Amazon Location Service to help developers secure location-based applications. Keys can now be bound to specific Android applications using package names and SHA-1 certificate fingerprints, or to iOS apps using Bundle IDs, enabling separate keys for testing and production. The feature is available in multiple AWS Regions and is configurable via the console or APIs. This reduces the risk of key misuse and enforces app-level access control.

Europol Dismantles Network Behind 49 Million Fake Accounts

🔒 Europol, together with police in Estonia, Finland, Latvia and Austria, dismantled a cybercrime-as-a-service network during coordinated raids on October 10. Seven suspects were arrested and authorities seized five servers, some 40,000 active SIM cards, luxury vehicles, bank accounts and crypto wallets. Investigators say the operation created roughly 49 million fake accounts across about 80 countries and used those identities to swindle millions of euros.

QNAP: NetBak PC Backup Affected by Critical ASP.NET Flaw

🔔 QNAP has warned that its NetBak PC Agent, a Windows backup utility, may include an affected ASP.NET Core runtime vulnerable to CVE-2025-55315. The flaw resides in the Kestrel ASP.NET Core web server and can allow low-privileged attackers to hijack other users' credentials or bypass front-end security via HTTP request smuggling. QNAP recommends reinstalling the app or manually installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 downloads to secure systems.

Amazon Cognito Adds Resource Indicators for OAuth 2.0

🔐 Amazon Cognito now accepts resource indicators in OAuth 2.0 access token requests, enabling app clients to request tokens targeted to a specific protected resource rather than a broad service audience. After authenticating the client, Cognito issues an access token with the aud claim set to that resource. This replaces prior workarounds that relied on non‑standard claims or custom scopes and simplifies issuing resource‑specific tokens for agents and other clients. The capability is available to Cognito Managed Login customers on Essentials and Plus tiers in Regions where Cognito is offered, including AWS GovCloud (US).

Cloudflare Speed Test: Measuring Real-World Internet Quality

⚡ Cloudflare’s Speed Test measures the quality users actually experience rather than peak bandwidth. It sends predefined data blocks via the Network Quality API from the user’s browser to Cloudflare Workers routed by anycast, recording idle and loaded latency, jitter, packet loss, and throughput across sizes. Results appear live and culminate in an AIM score summarizing suitability for streaming, gaming, or conferencing.

Europol Raises Alarm Over Caller ID Spoofing Crisis

🚨 Europol has issued a Position Paper warning of a rising wave of caller ID spoofing, where criminals falsify numbers to impersonate banks, government bodies or relatives. The agency estimates global losses around €850m annually and reports spoofing now underpins roughly 64% of phone- and SMS-related fraud. Europol calls for harmonized technical standards, stronger cross-border cooperation and regulatory convergence to make spoofing harder to perpetrate and easier to investigate.

First Wap Altamides: SS7 Phone-Tracking Empire Revealed

🔎 Operating from Jakarta, First Wap markets a covert phone-tracking system called Altamides that leverages the legacy telecom protocol SS7 to locate subscribers in real time. Unlike device-targeting spyware such as Pegasus, Altamides requires no malicious link or implant and leaves minimal forensic traces on phones. Reporting from Mother Jones and Lighthouse Reports traces how permissive export rules and a global client network have allowed this capability to spread.

Cloudflare Radar's Evolution: Expanding Internet Observability

📡 Since its 2020 debut, Cloudflare Radar has evolved into a comprehensive observability platform that aggregates Cloudflare telemetry to illuminate security, performance, and usage trends. Initially centered on Radar Internet Insights, Domain Insights, and IP Insights, the service has grown to include Certificate Transparency metrics, TCP reset/timeouts visibility, post-quantum adoption tracking, and AI-focused crawler analytics. Radar also added routing tools such as route leak and origin hijack detection, real-time BGP views, AS-SET monitoring, and notifications, while improving programmatic access via the Radar API and an MCP server for LLM integration. Popular utilities like the URL Scanner, expanded search and date-range options, and internationalized interfaces reinforce Radar's mission to make the Internet more observable and resilient.

Ransomware Payments Plunge as Victims Stop Paying Ransoms

🔒 Coveware reports ransomware payment rates have fallen to a record low — just 23% of victims paid in Q3 2025, continuing a multi-year decline from 28% in Q1 2024. Over 76% of incidents now involve data exfiltration, and theft-only cases see payments drop to 19%. Average and median ransoms fell to $377,000 and $140,000, respectively, as attackers pursue more targeted victims.

Introducing TLD Insights on Cloudflare Radar Dashboard

📊 Cloudflare Radar now offers a dedicated Top-Level Domain (TLD) landing page and per-TLD reports that aggregate popularity, activity, and security signals. The new pages rank TLDs using a DNS Magnitude score based on unique client networks querying 1.1.1.1, and provide DNS, RDAP/WHOIS, Certificate Transparency, and registration information where available. Interactive charts, maps, and API access help TLD managers and site owners monitor visibility, abuse trends, and certificate issuance.

CrowdStrike Named Leader in 2025 Frost Radar for SSPM

🔒 CrowdStrike was named the Growth and Innovation Leader in the 2025 Frost Radar for SaaS Security Posture Management. The recognition highlights Falcon Shield, a fully native extension of the unified Falcon platform that correlates SaaS, endpoint and identity telemetry to deliver identity-centric detection, attack-path visualization and automated remediation. Frost & Sullivan cited >219% year-over-year growth and praised integrations such as Falcon Fusion SOAR and the Charlotte AI agentic system. Falcon Shield also offers 180+ prebuilt connectors and a no-code Integration Builder to scale protection and reduce mean time to remediation.

Exposure Management in 2025: Trends, Risks, and Response

🔒 Intruder’s 2025 Exposure Management Index analyzes scans from over 3,000 small and midsize businesses to show defenders adapting under mounting pressure. High-severity vulnerabilities rose nearly 20% year‑on‑year, even as 89% of resolved critical flaws were remediated within 30 days (up from 75% in 2024). The report highlights AI-driven exploit development, growing attack surfaces from cloud, shadow IT and supply‑chain risk, and faster remediation at smaller firms.

Ransomware Recovery Failures: Paying Often Doesn't Work

🔐 A Hiscox survey of 1,000 mid-sized firms finds ransomware remains a major risk: 27% of organizations reported attacks in the past year and 80% of victims paid ransom. Yet only 60% of those who paid recovered data fully or partially. Experts cite faulty encryptors, unreliable decryptors, corrupted backups and double/triple extortion as common causes. Industry specialists recommend tested recovery plans, retainers with incident response teams, and robust cyber insurance rather than relying on ransom payments.

Proving Data Sovereignty: Controls, Keys, and Audits

🔒 The article argues that data sovereignty commitments like Project Texas must be supported by auditable, technical evidence rather than marketing promises. It prescribes five concrete, testable controls — brokered zero‑trust access, in‑region HSM keys, immutable WORM logs, continuous validation, and third‑party attestation — plus measurable metrics to prove compliance. A 90‑day blueprint and emerging AI automation are offered to operationalize verification and produce regulator‑ready, reproducible evidence.

Top 10 Challenges Facing CISOs and Security Teams Today

🔒 Security leaders face a rapidly evolving threat landscape driven by AI, constrained budgets, talent shortages, and a vastly expanded attack surface. Many organizations rushed into AI adoption before security controls matured, and CISOs report growing involvement in AI governance and implementation even while attackers leverage AI to compress time-to-compromise. Data protection, employee susceptibility to sophisticated scams, quantum readiness, and board alignment emerge as immediate priorities that require clearer risk-based decisions and frequent simulation exercises.

UK Fraud Cases Surge 17% as APP Losses Rise in H1 2025

💷 The UK saw a 17% annual rise in consumer fraud cases in H1 2025, with total losses of £629m across 2.1 million incidents, according to UK Finance’s Half Year Fraud Report 2025. Authorized push payment (APP) losses increased 12% despite an 8% decline in APP case numbers, driven largely by investment and romance scams originating on social media. Card-not-present activity pushed card losses to £299m, and criminals are increasingly using social engineering and compromised OTPs to scale attacks.

Windows 11 to Prompt Memory Scans After BSOD Crashes

🔍 Microsoft is testing a new feature in Windows 11 that prompts users to run a memory scan when signing in after a blue screen of death (bugcheck). If accepted, the system schedules an Windows Memory Diagnostic to run at the next reboot, typically taking five minutes or less, and will notify users post-reboot if issues are found and mitigated. Initially all bugcheck codes will trigger the prompt while Microsoft investigates correlations with memory corruption, with targeting to be refined over time.

Louvre Apollo Gallery Jewel Heist Reveals Security Gaps

🔍 The theft at the Louvre—where four thieves used an electric ladder, an angle grinder and seven minutes to remove jewels from the Apollo Gallery—exposed stark security lapses. A single outdoor camera pointed away from the balcony left no interior footage, and guards appeared focused on patrons rather than valuables. Arrests have been reported, but the pieces' likely disassembly will greatly reduce their recoverable value.

Microsoft adds policy to remove preinstalled Store apps

🛠️ Microsoft now enables IT administrators to remove selected pre-installed Microsoft Store apps on Windows 11 Enterprise 25H2 and Education 25H2 devices using a new app management policy. The policy can be applied via CSP, Group Policy, or the Microsoft Intune settings catalog and is disabled by default until explicitly enabled by admins. Once enforced, targeted packages and associated local app data are deprovisioned and deleted from devices, removing the need for custom Windows images or brittle scripts.

Working with Passive Data at Internet Scale: Challenges

🔍 During a 2022 internship at Cloudflare, Ram Sundara Raman examined whether connection tampering by network middleboxes can be detected using only passive production data. He sampled one in 10,000 TCP connections and logged the first ten inbound packets, then developed 19 tampering signatures while confronting scale, noisy telemetry, and limited ground truth. The work exposed practical limits of passive observation and the care required to interpret packet-level signals, and its outputs are published on Cloudflare Radar.

Internet Measurement, Resilience and Transparency Week

📡 This week Cloudflare Research publishes a series of posts revealing methods and findings that advance a more measurable, resilient, and transparent Internet. The series explores Internet measurement fundamentals, resilience frameworks, post-quantum deployment, and networking innovations, with deep dives into products such as Cloudflare Radar and experiments like Merkle Tree Certificates. Expect practical analysis, IETF-aligned protocol discussion, and real-world deployment considerations.

TCS Rejects Claims It Lost M&S Service Desk Contract

📰 Tata Consultancy Services has denied reports that it lost a service desk contract with Marks & Spencer following the retailer’s April cyber-attack. In an October 26 regulatory filing to Indian stock exchanges, TCS described a Telegraph article as "misleading" and pointed to "factual inaccuracies", saying the RFP to evaluate suppliers began in January 2025 and concluded before the incident. TCS said it continues to hold other active contracts with M&S, that a June investigation found no vulnerabilities originating in TCS networks, and that it does not provide cybersecurity services to the retailer.

Top IAM Vendors for Zero Trust and Identity Security

🔑 Identity is becoming the new perimeter as organizations accelerate the move to Zero Trust, making robust Identity & Access Management essential for secure access and continuity. This roundup examines leading IAM vendors and highlights capabilities in IGA, PAM, IDaaS, CIEM and risk-based authentication. Profiles cover strengths, pricing and integration trade-offs for vendors including CyberArk, Okta, Microsoft Entra ID, SailPoint, Avatier and BeyondTrust to help CISOs match products to requirements.

X requires re-enrollment of 2FA security keys by Nov 10

🔐 X is asking users who rely on passkeys or hardware security keys (for example, YubiKeys) to re-enroll their devices for two-factor authentication by November 10 or face account lockout. The requirement stems from X’s migration from the twitter.com domain to x.com, as existing keys are tied to the old domain. Users should visit x.com/settings/account/login_verification/security_keys to disable and then re-add keys; a password confirmation is required. Re-enrolled keys will be associated with the x.com domain and will continue to work after the migration.

X Tells Security Key Users to Re-enroll by Nov 10, 2025

🔐 X is asking users who registered passkeys or hardware security keys (for example, YubiKey) as their two-factor authentication method to re-enroll their key by November 10, 2025. The company says current key enrollments are tied to the twitter[.]com domain and must be associated with x[.]com before the legacy domain can be retired. Accounts not re-enrolled will be locked until users re-enroll, choose a different 2FA method, or opt out of 2FA.

How MDR Gives MSPs a Competitive Market Edge Today

🛡️ Managed detection and response (MDR) helps managed service providers (MSPs) overcome talent shortages, alert overload and rapidly evolving threats by outsourcing 24/7 SOC monitoring, behavioral detection, threat hunting and automated incident response. MDR can open recurring revenue streams, strengthen customer relationships and meet cyberinsurance conditions, while intelligent prioritization and GenAI-assisted playbooks reduce operational strain and false positives. Choosing a partner with proven threat intelligence, continuous operations and a human-plus-machine approach is critical.

SageMaker Unified Studio adds searchable match context

🔍 Amazon SageMaker in Unified Studio now surfaces additional search context that clarifies why each result appears by showing which metadata fields matched a query. Inline highlighting emphasizes matched terms and an explanation panel details matches across name, description, glossary, schema, and other metadata. The enhancement reduces time spent evaluating irrelevant assets by presenting match evidence directly in search results, enabling quicker validation without opening individual assets. The capability is available in all AWS Regions where SageMaker is supported.

Google Refutes False Claims of Massive Gmail Breach

🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.

Challenges and Best Practices in Internet Measurement

📊 Cloudflare explains why measuring the Internet is uniquely difficult and how rigorous methodology, ethics, and clear representation make findings reliable. An internal February 2022 Lviv traffic spike illustrates how context and complementary data can prevent misclassification of benign events as attacks. The post contrasts active and passive techniques and direct versus indirect measurement, outlines a lifecycle of curation, modeling, and validation, and stresses low-impact, ethical approaches. It concludes by inviting collaboration and continued exploration of passive measurement methods.