All news with #threat hunting tag

🔍 Sysdig reported that a newly disclosed authentication bypass in the open-source orchestration framework PraisonAI was probed by internet scanners about 3 hours and 44 minutes after a GitHub advisory published on May 11. The flaw stems from a legacy Flask API server that ships with authentication disabled by default, affecting versions 2.5.6 through 4.6.33 and fixed in 4.6.34. Researchers urge immediate upgrades and monitoring for the “CVE-Detector/1.0” user-agent and suspicious /api/agents and related paths.

🛡️ Traditional purple teaming is failing because human handoffs and siloed toolchains make detection-to-fix cycles far slower than modern attackers. The author documents a collapse in the vulnerability-to-exploit window—from 56 days in 2024 to roughly 10 hours in early 2026 across CISA KEV, VulnCheck KEV, and ExploitDB—and warns that AI-assisted adversaries can act in seconds. Autonomous purple teaming pairs automated penetration testing, Breach and Attack Simulation, and AI-powered mobilization agents to close the loop at machine speed, converting red findings into blue tests and auto-deploying low-risk fixes while keeping every step auditable.

🔒 Having an incident response retainer or a pre-approved external firm is not the same as being operationally ready. Readiness requires pre-provisioned accounts, validated permissions, and practiced workflows so responders can gain immediate visibility into identity, cloud, EDR, and logs. The guide prioritizes identity-first visibility, out-of-band communications, a designated incident manager, and pre-tested activation procedures to eliminate delays that allow attackers to deepen compromise.

🔐 Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts — including Chaos-related extortion indicators and a signed loader — to obscure state-backed motives and slow incident response.

🔍 CrowdStrike has introduced Falcon OverWatch for Defender, a managed threat-hunting service that brings continuous, expert-led hunting to Microsoft Defender environments without replacing existing endpoint protections. Running a lightweight Falcon sensor alongside Microsoft Defender, the offering combines human hunters, deep adversary intelligence, and AI-driven analytics to surface stealthy post‑exploit activity and escalate high-confidence threats. It promises AI-powered analysis at scale—up to 6.2 trillion events per day—broad visibility across millions of endpoints, and operationalized hunting patterns to improve detection and response across customers.

🛡️ Small and mid-size US defense contractors lack the network telemetry needed to detect nation-state reconnaissance and pre-positioning operations, Team Cymru analyst Stephen Campbell warns. He says state-backed groups are increasingly targeting edge infrastructure — routers, firewalls and VPN gateways — and using living-off-the-land techniques and legitimate cloud services to evade endpoint alerts. Campbell urges firms to deploy NetFlow pattern recognition, map infrastructure, patch and segment systems, and hunt for anomalous DNS and lateral movement to uncover stealthy access.

🔍 The 2026 Unit 42 Global Incident Response Report warns that adversaries are moving to exfiltration four times faster than in 2025 and are exploiting gaps created by an over-reliance on endpoint telemetry. Unit 42 found critical evidence present in logs for 75% of incidents, yet siloed systems and inaccessible telemetry prevented timely detection and response. The authors recommend a single-pane-of-glass, AI-driven SOC that centralizes logs and uses tools like Cortex XSIAM for alert stitching, ML-based scoring and unified investigations to reduce alert fatigue and close multi-surface blind spots.

🔐 Hazel Burton summarizes Cisco Talos' Year in Review and outlines five critical priorities for defenders facing an increasingly automated threat landscape. While AI and accessible exploit code have lowered the barrier for attackers, adversaries still follow predictable patterns and reuse infrastructure, producing detectable anomalies. Defenders should treat identity infrastructure as a top-tier asset, secure MFA workflows with strict verification, prioritize patching by internet exposure, hunt long-tail legacy risks, and apply enhanced monitoring to management-plane systems to focus detection on anomalous post-login behavior and reduce alert fatigue.

🔍 The UK National Cyber Security Centre (NCSC) cautions that many common SOC metrics are misleading and can actively harm security operations if used or reported externally. CTO Dave Chismon argues that only time to detect/time to respond (TTD/TTR) reliably demonstrates SOC effectiveness, while metrics such as ticket counts, closure times, rule counts or raw log volume create perverse incentives. He recommends red and purple team exercises to assess TTD/TTR, and suggests internal, non-public metrics — hypothesis-led hunting, strict false-positive thresholds, log coverage, tooling expertise and analyst engagement — to monitor week-by-week health without driving the wrong behaviours.

🔎 Join BleepingComputer's live webinar on April 30 at 2:00 PM ET to learn how to spot early indicators of cyberattacks before they escalate. Experts from Flare Systems and threat intelligence researcher Tammy Harper will demonstrate how monitoring dark web forums, Telegram channels, vulnerability discussions, and access marketplaces surfaces actionable signals. The session will show how to separate meaningful indicators from background noise and translate intelligence into prioritized defensive actions so teams can proactively reduce risk.

🤖 Amazon CloudWatch pipelines now offers AI-assisted processor configuration that translates plain-language instructions into pipeline processor definitions. In the CloudWatch console, enable the AI-assisted option at the processing step, describe the transformations you need, and receive a generated processor configuration plus a sample log event to validate output before deployment. This reduces setup time and lowers the need for deep processor expertise; the feature is available at no additional cost where the service is generally available, while standard CloudWatch Logs ingestion and storage rates still apply.

🔐 AI is compressing the timeline of cyber risk, turning vulnerabilities that once took weeks to exploit into issues weaponized in hours, while also enabling defenders to analyze and mitigate faster. Fortinet has used AI in FortiGuard Labs since 2015 and now leverages generative and frontier models—including early access to Anthropic’s Mythos preview—to scale code analysis, threat hunting, and automated remediation. The recommendation is clear: embed AI across development, detection, and response, shorten mitigation cycles with automation and virtual patches, and design systems for continuous, integrated security.

🔍 Artificial intelligence is transforming how security teams detect and hunt threats by processing vast telemetry at scale, correlating noisy signals, and surfacing behavioral anomalies faster than traditional tools. Organizations report efficiency gains—often 40–50% on lower-tier SOC tasks—as AI automates alert triage, log review, documentation, and evidence collection. Vendors say AI reduces alert fatigue by clustering and prioritizing incidents, but experts stress a human-in-the-loop approach and strong governance to avoid amplifying weak security practices.

🤖 Traditional tabletop exercises build shared understanding, clarify escalation paths and satisfy compliance, but they often test knowledge of a plan rather than the ability to execute it. The authors—experienced facilitators—note scripted injects and calls to “suspend disbelief” reveal a gap between documentation and operational reality. AI agentic capabilities can simulate adaptive adversaries and reactive stakeholders, turning static scenarios into dynamic, consequence-driven drills. Even so, skilled facilitators and a judgment-focused post-mortem remain essential.

🔒 The White House's new cyber strategy and recent moves by major tech firms mark a clear shift from reactive defense toward proactive cyber, emphasizing disruption of adversaries earlier in the attack chain. Industry leaders frame this as the legal, intelligence-driven use of takedowns, litigation, public exposure of tools, and product hardening to impose cost and friction on attackers. While large platform providers can act at scale, enterprises are urged to focus on fundamentals, share telemetry, and support coordinated disruption rather than conduct offensive operations themselves.

🔍 Gartner's new guidance outlines seven focused questions security teams should ask when evaluating AI SOC agents, urging outcome-driven assessments rather than feature demos. The research highlights the need to measure improvements in TDIR and MTTC, assess vendor viability and pricing, verify deep integrations with SIEM/EDR/SOAR/identity stacks, and confirm that agents transparently augment analyst skills rather than merely shifting workload. Prophet Security is cited as an example of a platform emphasizing explainable investigations and non-centralized integrations.

🔐 This collection from Google Cloud offers a behind-the-scenes look at how Google approaches modern cybersecurity challenges, from fundamentals to AI. Across practical essays and expert perspectives, it covers modernizing threat detection, building AI agents for defense, red teaming at scale, vulnerability management and supply chain controls like Binary Authorization. The pieces emphasize operational rigor, the application of SRE to security, and a commitment to Secure by Design principles to help defenders adopt scalable, enterprise-ready practices.

🛡️ AI-driven honeypots pair large language models with deception servers to create dynamic, realistic environments that keep attackers engaged longer and collect richer threat intelligence. Academic research by Dr. M. Abdullah Canbaz and others showed LLMs can parse traffic and handle complex Linux commands, prompting open-source and commercial efforts such as Beelzebub and Deutsche Telekom’s T-Pot. These systems significantly lower the cost and engineering effort of high-interaction deception while enabling deployment in novel locations like APIs and AI agents. However, defenders must balance benefits with risks—attackers are using AI to automate attacks and may develop countermeasures such as deception-detection services or data poisoning—so CISOs should view AI honeypots as a complement to existing sensors and an important tool for improved visibility and hunting.

🔒 Google has been named a Leader in the IDC MarketScape: U.S. State and Local Government Professional Security Services 2025–2026 assessment. The recognition highlights Mandiant integration with Gemini AI and Google’s secure, AI-optimized infrastructure to accelerate detection rule generation, attacker script analysis, and incident investigations. The report also notes Mandiant’s full incident lifecycle support—including crisis communications, legal coordination, and board-level reporting—delivered across engagements with Fairfax County, the State of Nevada, and the University of Hawaii.

🔍 Modern security frameworks — including AI, automation, and Zero Trust — depend on deep, trustworthy visibility to function effectively. An October 2025 Forrester study commissioned by NETSCOUT reports that 72% and 69% of organizations view NAV and packet-level visibility as essential to threat hunting, detection, and incident response. Omnis Cyber Intelligence offers packet-level fidelity, behavioral analytics, unified hybrid visibility, context-rich metadata, and retrospective investigation to strengthen detection, validation, and safe automation.