< ciso
brief />
Tag Banner

All news with #detection engineering tag

105 articles

Fixing data architecture vs. upgrading detection models

🔍 Security teams often default to retraining AI models when detections fail, but the real root cause is usually upstream data issues. Fragmented telemetry, inconsistent schemas and stale baselines degrade ML effectiveness long before models see events. Standardizing schemas, monitoring data quality at ingestion and applying governance to security telemetry are practical priorities that restore detection reliability without wholesale platform replacements.
read more →

GitHub API abuse fuels enterprise reconnaissance

🔎 Datadog Security Research has tracked sustained abuse of GitHub’s public APIs where automated scanners, leaked credentials, and ghost accounts map organizations and members. Attackers harvest source code, secrets, and pipeline data by blending requests into normal traffic and leveraging the /graphql endpoint and REST org-mapping calls. Detection requires auditing user agents, token types, and unusual actor behavior, while enterprises should enable audit log streaming, MFA, access reviews, and credential scanning.
read more →

Verify threat indicators before acting on feeds

🔍 The author recounts multiple cases where threat intelligence feeds and advisories mischaracterized malware or buried stronger indicators in machine-readable files. They describe a commercial feed mislabeling a Windows DonutLoader variant as the Linux Chalubo RAT, an official advisory whose PDF lacked stronger hashes present in the STIX bundle, and a CERT report with binary-level discrepancies. The piece stresses that labels and pipeline metadata are guesses until validated and urges analysts to open structured files and detonate samples when stakes are high.
read more →

SkillCloak research shows scanners can be bypassed

🛡️ Researchers at the Hong Kong University of Science and Technology show that simple file-level transformations and packing tricks can let malicious AI coding agent "skills" evade existing static scanners while still executing normally. Their tool, SKILLCLOAK, fooled multiple marketplace scanners over 80–99% of the time, while a runtime sandbox, SKILLDETONATE, detected most evasions at the cost of slower analysis. The study highlights active real-world abuse, practical mitigation ideas, and the need to move trust decisions to behavior observed at execution time.
read more →

Detection engineering rises as a core SOC capability

🔍 Detection engineering has moved from a niche role to a strategic imperative for many organizations, focused on building tailored, behavior-driven alerts that reduce false positives and improve response. It emphasizes threat modeling, SDLC/CI-CD practices, and integration of threat intelligence to craft detections specific to an organization’s environment. A SANS-Anvilogic survey found broad investment and leadership support, while AI and automation are increasingly used to tune rules and scale workflows.
read more →

AI-Augmented Threat Intelligence: Beyond IOCs

🛡️ The article examines how AI, particularly large language models, can bridge the gap between atomic indicators of compromise (IOCs) and richer strategic threat intelligence by indexing and relating unstructured reports. It highlights opportunities to retrieve relevant intelligence and generate tailored defensive advice while warning about data veracity and confidentiality. The piece also emphasizes practical Windows threats abusing COM and recommends tooling and hunting practices to detect such misuse.
read more →

AI-powered investigations preview for Amazon GuardDuty

🛡️ AWS previewed AI-powered investigations in Amazon GuardDuty to automate analysis of findings and reduce manual investigation time. The capability uses knowledge graphs and threat intelligence to examine 90 days of related activity, affected resources, and indicators, delivering disposition assessments with confidence scores, MITRE ATT&CK classifications, evidence, and remediation recommendations. Available in preview in 10 regions and accessible via the GuardDuty console, CLI, API, or AWS' MCP Server.
read more →

Unified SQL Analytics for Logs and Traces on Google Cloud

🛠️ Google Cloud announced enhancements to its Observability suite, rebranding Log Analytics as Observability Analytics and bringing trace data and the Observability API to general availability. The update unifies logs and traces, enables SQL queries across telemetry, and allows in-place analysis without duplicating data. Use cases include diagnosing AI agent tool failures and correlating latency with customer impact. Users can link observability buckets to BigQuery and run cross-dataset analytics directly in the Cloud console.
read more →

Growing detection gaps across non-email collaboration platforms

🔍 New research from KnowBe4 finds cybersecurity leaders increasingly lack confidence in detecting threats on non-email channels like Slack and Microsoft Teams. An Infosecurity Europe 2026 survey of 169 professionals reports that 50% of organizations do not have strong visibility across messaging and social platforms, even as 60% say attacks are moving beyond email. While email remains viewed as the riskiest channel, confidence in stopping email attacks (83%) is far higher than for Teams (61%), social media (51%), SMS/WhatsApp (50%) and Slack (40%).
read more →

Spyware embeds forbidden text to foil AI analysis

🛡️ At least one malware author is inserting large comment blocks with policy-triggering content about nuclear and biological weapons into JavaScript payloads to disrupt AI-driven analysis. The decoy text sits inside comments so execution is unchanged while early-stage LLM-based triage can be confused or refuse to process the file. Traditional detection methods like YARA rules, entropy checks, and deobfuscation remain effective. This tactic targets naive pipelines that expose untrusted file starts to language models.
read more →

Five new SOC roles emerging from AI evolution

🔒 The rise of AI-driven SOCs is reshaping security operations and creating new specialist roles rather than simply replacing people. Today's AI-SOC automates Tier 1 triage and is moving into Tier 2 investigation and remediation, prompting demand for skills in data engineering, agent orchestration, model training, threat hunting, and AI-savvy red teaming. Organizations will need professionals who can integrate diverse telemetry, manage agent swarms, fine-tune models, hunt adversary intent, and test AI-specific weaknesses.
read more →

Survey Finds Anonymized IPs Drive Modern Incidents

🔍 A recent study of over 200 security practitioners by Spur Intelligence shows anonymizing infrastructure—VPNs and residential proxies—appears in nearly every incident, yet many teams lack the context and workflows to act on IP data. Analysts increasingly face noisy enrichment feeds without attribution, behavioral signals, or automation to inform real-time decisions. Organizations remain reactive, applying IP intelligence mainly during investigations, while internal risks from employee VPNs and proxy usage add blind spots that zero-trust must address.
read more →

SOC Speed Gap: How Attack Timelines Compressed Fast

⚠️ This article launches Unit 42's series Inside the Modern SOC, drawing on customer environments, SOC assessments and investigations to highlight a defining challenge: the speed gap. Attack timelines have compressed dramatically — in some cases from initial access to data exfiltration in about 72 minutes — driven by identity-driven tactics and AI-accelerated adversaries. The piece emphasizes that manual, sequential workflows and fragmented tooling leave defenders behind and argues for automated correlation, predefined response actions and behavior-focused detection to close the gap.
read more →

Runtime signals to detect compromised AI agents

🛡️ In response to widespread prompt-injection risks, the article outlines runtime signals to detect compromised AI agents that possess the so-called lethal trifecta: access to private data, ingestion of untrusted content, and external communication ability. It argues that this trifecta is now the default for useful agents, so defenses must shift from architecture rules to behavioral, runtime detection. Recommended signals include instruction-following anomalies, unexpected tool-call sequences, low-bandwidth exfiltration channels, out-of-scope credential access, and suspicious memory writes.
read more →

Check Point Joins OpenAI TAC and Daybreak Initiative

🔒 Check Point announced it has joined OpenAI’s Trusted Access for Cyber (TAC) program and the Daybreak initiative to access advanced cyber-capable models. The company will use GPT-5.5, OpenAI’s Codex agentic framework, and direct support from OpenAI to enhance threat analysis, incident investigation, detection engineering, and secure code review. Check Point emphasizes disciplined, focused application of these models to strengthen prevention, speed delivery, and maintain product security for enterprise customers.
read more →

Fortinet Earns AV‑Comparatives EDR Detection Certification

🛡️ Fortinet announces that FortiEDR earned certification in the AV‑Comparatives 2026 EDR Detection Validation Test, with the same EDR capabilities available via FortiEndpoint. The product demonstrated validated visibility across 12 of 14 attack stages, combining active alerts with telemetry to support investigation and threat hunting. AV‑Comparatives evaluated detection visibility mapped to the MITRE ATT&CK framework, highlighting strong coverage for service‑based staging, process injection, and server lateral movement.
read more →

Hypothesis-Driven Threat Hunting at Cisco Talos

🔍 Cisco Talos Threat Hunting adopts a hypothesis-first approach: rather than waiting for alert thresholds, analysts formulate theories about adversary behavior and search telemetry to validate them. Using AI for scale and human expertise for context, continuous hunts run across global telemetry to surface candidates that automated detection misses. Confirmed findings are reported with remediation guidance and feed back into detection tuning and product improvements.
read more →

Less Panic Patching, More Precision in Remediation

🔍 This edition of Threat Source argues for smarter patch prioritization, pairing CVSS severity with EPSS likelihood to focus scarce operations on vulnerabilities being actively exploited. It contrasts centralized KEV visibility with emerging decentralized GCVE enrichment and highlights Cisco Talos' new open-source EvidenceForge for generating realistic synthetic logs to train defenders. The newsletter also summarizes recent incidents, vulnerability research, and tooling updates.
read more →

Industrialized exploitation and defenders’ response

🔎 Adversarial AI has transformed targeted attacks into high-speed, automated campaigns that no longer require elite technical operators. Existing security architectures—fragmented, tool-heavy, and visibility-poor—fail to show defenders the chained attack paths attackers can exploit. The author argues for shifting from vulnerability counting to Exposure Management, prioritizing remediation by real exploitability and mapping environments as attacker-seen networks. Defenders retain an advantage if they synthesize cross-boundary telemetry and continuously assess validated attack paths to critical assets.
read more →

Why AI Security Strategies Fail at the OT Edge

🔧 Industrial AI initiatives collide with legacy OT realities: an AI-ready control room can still depend on an unpatched Windows 7 maintenance laptop that alone communicates with protection relays. The author reports pervasive visibility gaps across utilities and plants, noting fewer than 10% of OT networks have meaningful monitoring. AI trained on IT telemetry misclassifies normal industrial traffic and automated responses risk shutting down production; passive monitoring of Level 0–2 protocols and a focus on crown-jewel processes are essential before layering AI.
read more →