TeamPCP open-sourced Shai-Hulud today. The OIDC token extraction technique that made the TanStack attack different from every previous campaign is now a public toolkit.

Security Research

AI Research

Threat Briefings

May 11, 2026

5/11/2026

Gearóid Ó Fearghaíl

and

Improve SIEM and SOAR Workflows with Better Security Signal

Learn how Vectra AI improves SIEM and SOAR workflows with behavior-driven signal, investigation-ready telemetry, and better security orchestration.

ShinyHunters isn’t a group. It’s a pattern.

ShinyHunters isn't a single group. It's a pattern of attacks where authentication succeeds. Here's how to detect them before the data warehouse.

How Vectra AI Secures the AI Enterprise

Learn how Vectra AI uses AI to secure the AI enterprise—reducing risk, accelerating detection, and enabling faster, more confident response.

AI agents: the new workforce — and attack surface.

AI agents are becoming the new workforce, and a new attack surface. Learn the risks they introduce and how to maintain visibility and control at AI speed.

How Vectra AI Scoring Helps Security Teams Focus on What Matters First

Why Modern Threat Scoring Must Reflect Attacker Progression

What’s Next for the Enterprise After Two GenAI Tidal Waves?

Claude Mythos and GenAI are reshaping security — discover why faster exploits, endless patching, and resilient detection now define defense.

If An Identity was Compromised, Would We Know?

Identity-based attacks are increasing across hybrid environments. Learn how to detect compromised identities before attackers move laterally.

Help Over Hype: Claude Mythos, Project Glasswing and the Real Questions CISOs Want Answered

Claude Mythos accelerates risk—not just hype. Learn what CISOs must focus on now: visibility, speed, and understanding attacks as they unfold.

Azure Logging just Changed - Your Detections May be Missing it

This blog explains how Microsoft's shift from the legacy Azure Diagnostics Agent to the Azure Monitor Agent fundamentally changes how VM logging is controlled and highlights how this redesign can introduce detection blind spots if security teams don't update their monitoring approach.

When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild

Three leaked Windows Defender exploits are now hitting real enterprise targets. Here is what the attack chain looks like, why endpoint tools alone cannot contain it, and where the Vectra AI Platform with RUX surfaces it before the damage is done.

AI-Assisted Search: Clarity at the Speed of a Question

AI-assisted search lets analysts ask investigative or hunting questions in plain language.

4 Ways to Improve SOC Efficiency with AI

Discover four key ways AI can enhance SOC efficiency by improving alert accuracy, optimizing investigations, automating threat hunting, and prioritizing high-risk threats.

Why triage alerts - when AI can do it for you?

If you ask security analysts to describe the biggest pain points in their role, you will no doubt get a diverse set of answers. One thing that they will almost certainly have in common is the challenge of dealing with alert fatigue.

The Two Control Points That Will Define the Future of Cybersecurity – Network and Identity

Identity and network are the new control points in cybersecurity. Learn why securing them is critical for visibility, detection, and resilient defense.

Attackers Don’t Hack In — They Log In: The MFA Blind Spot

Attackers bypass MFA using non-interactive sign-ins. Learn how to detect and stop credential-based threats before they escalate.

Supply chain-driven data theft in SaaS: ShinyHunters, Anodot, and the pattern that's repeating.

Another supply-chain breach hit SaaS in April 2026 — Anodot tokens used to access Snowflake. Why the same ShinyHunters-branded pattern keeps repeating, and what makes the MO hard to detect.

What We Learned from Analyzing Millions of Alerts

We took a deep dive into millions of detections across MDR/MXDR and Respond UX deployments with the goal of getting a clearer picture of where the real threats are so that we can get a better understanding how security teams can work smarter, not harder.

EDR Isn’t Enough: Why Forward-Thinking CISOs Are Turning to Network + Identity

EDR alone can’t stop modern breaches. Learn why CISOs are uniting network and identity signals to outpace attackers and build resilience.

FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access

Compromise of endpoint management systems changes the attack path entirely. Learn how control-plane attacks bypass early detection and why behavior across identity, network, and endpoints is the only reliable signal.

Detecting Compromise After the Axios Supply Chain Attack.

The axios supply chain compromise shows why risk begins after execution. Learn how to detect post-compromise behavior across CI/CD pipelines, identity systems, and network activity.

Who’s Doing What on Your Network?

Can you confidently answer who is doing what on your network? Learn why visibility into user activity is key to security, risk, and compliance.

Breaking down the axios supply chain incident

A compromised npm package is only the entry point. The axios incident shows how quickly attackers pivot from code execution to credential abuse, identity misuse, and cloud access.

Detecting Sliver C2: When Advanced Beaconing Tries to Hide in Plain Sight

Detect how Sliver C2 evades traditional beacon detection and how behavioral AI identifies command-and-control activity hidden in encrypted traffic.

Prompt Control: How Context Becomes the Command-and-Control Layer for AI Agents

Prompt control turns AI agents into command-and-control systems by manipulating context, memory, and inputs—enabling persistent, stealthy attacker control through normal agent behavior.

How Attackers Move Through Hybrid Networks After the Initial Breach

Learn how attackers move laterally across hybrid networks, abusing identity, credentials, and legitimate tools to reach critical systems before launching ransomware or stealing data.

How Attackers Establish Persistence in Hybrid Environments

Learn how attackers maintain hidden access inside hybrid networks and how SOC teams can detect persistence before it leads to data theft or ransomware.

What the Stryker Incident Reveals About Handala’s Attack Playbook

Inside the Stryker incident: how Handala likely moved from identity access to disruption, and the identity, scripting, and data transfer signals SOC teams should watch.

Why Cyber Resilience is Lagging in the AI Era

Cyber resilience is lagging as defenders face alert overload, visibility gaps, and AI-speed attacks. Learn what SOC teams must change to stay resilient.

5-Minute Hunt: Six Queries to Detect Iranian APT Activity

Detect Iranian APT activity across identity and network telemetry with six practical threat hunts. Run ready-to-use queries in the Vectra AI Platform to uncover credential abuse, C2 infrastructure, and early compromise signals.

AI-Powered Attacks Are Here, But So Is AI-Powered NDR to Stop Them

AI-powered attacks are accelerating with agentic AI, but network behaviors remain visible. Learn why AI-powered NDR detects and stops these threats.

What is hiding in AI traffic

AI traffic now hides autonomous, agentic attacks. Learn how MCP-enabled swarms blur legitimate AI activity and command and control, reshaping detection and defense.

AWS Compromised by AI Agents in Minutes

An AI-driven AWS attack reached admin access in minutes using valid credentials. Learn how identity abuse and automation compress cloud attack timelines.

The UX of Cybersecurity AI: Designing for Behavior at Machine Speed

UX teams must translate attacker behavior—not alerts—to help SOC teams act on AI-driven threats that move at machine speed.

Molt Road and the Automation of Underground Marketplaces

Molt Road reveals how attacker marketplaces could evolve when autonomous agents trade services, coordinate attacks, and remove humans from the loop.

Moltbook and the Illusion of “Harmless” AI-Agent Communities

Moltbook exposes how autonomous AI agents turn trust and interaction into attack paths, enabling prompt injection, lateral movement, and covert command and control.

From Network Detections to Understanding Risk: The Vectra AI Take on Gartner’s Redefinition of NDR

Gartner redefines NDR—and Vectra AI agrees. Learn why true resilience starts with understanding risk, not just detecting anomalies.

From Clawdbot to OpenClaw: When Automation Becomes a Digital Backdoor

Clawdbot – now Moltbot – shows how autonomous AI agents become shadow superusers, enabling initial access, lateral movement, and ransomware when trust is abused.

Securing the AI Enterprise: How I’m Thinking About It as a CEO

AI moves fast—leaders must move smarter. Vectra AI’s CEO shares how to balance innovation with resilience in today’s machine-speed enterprise.

Cybersecurity Predictions 2026: AI, Agents, and SOC Defense

AI agents are accelerating the kill chain faster than defenders can respond. See what changes in 2026 and where SOCs fall behind.

OPSEC Failures: How Threat Actor Mistakes Help Defenders

Threat actors try to stay invisible, but OPSEC mistakes keep exposing them. A look at real-world failures and what they reveal about human error and AI-driven attacks.

How Threat Actors Turned AI Into a Weapon

AI is no longer assisting attackers, it is running the operation. A deep look at how threat actors moved from experimentation to autonomous, AI-driven cyberattacks.

CVE-2025-14847 MongoBleed in the Wild: Identifying MongoDB Exposure and Exploitation with Network Metadata

CVE-2025-14847 ‘MongoBleed’ exposes critical memory leaks—learn how Vectra AI detects vulnerable MongoDB instances across your network.

Pro-Russia Hacktivists Are Targeting Critical Infrastructure

Pro-Russia hacktivists are disrupting critical infrastructure by abusing legitimate access. Learn how these OT attacks work and why traditional tools miss them.

How Vectra AI Connects Network Detections to Endpoint Processes Automatically

Vectra AI instantly connects network detections to endpoint processes—no pivots, no delay, just complete attack context in one view.

How Vectra AI and CrowdStrike Deliver Complete Context Across Endpoint and Network

See how Vectra AI and CrowdStrike unite EDR and NDR to deliver full attack context, faster investigations, and clearer, more decisive threat response.

You are the Blackboard - AI Agent Assisted Bug Hunting

TCP Reset Does Not Stop Modern Attacks – Here's Why

TCP resets don’t stop modern attackers. Learn why they fail—and how Vectra AI’s 360 Response delivers true, enforced containment across identity, device, and traffic.

Shai-Hulud: When a Supply-Chain Incident Turns Into a Worm

How the Shai-Hulud worm hijacked trusted development tools and why defenders need behavioral visibility to catch the attack after the first package is installed.

How Typhoon APTs Infiltrate Infrastructure Without Leaving a Trace

Chinese state-backed Typhoon APTs infiltrate networks using trusted tools. Learn how the Vectra AI Platform detects their stealthy, persistent behavior.

Think Your Microsoft Environment Is Resilient to Attacks? Think Again

Microsoft prevention isn’t enough. Learn how attackers exploit gaps across Azure, M365, and Entra ID—and how Vectra AI delivers the visibility to stop them.

Europol Operation ENDGAME: Takedown of Initial Access Brokers

Europol seized 1,000+ servers and €21M across three phases targeting initial access brokers. Criminal groups rebuilt within days — static defenses cannot keep up.

What 400+ NDR Power Users Taught Us About Network Visibility

Discover insights from 400+ NDR power users on how network visibility closes security gaps, boosts SOC efficiency, and speeds threat response.

How Attackers Gain Initial Access in Hybrid Environments

Learn how attackers gain initial access to your hybrid network, and how to stop intrusions before they turn into breaches.

Can Your SOC's AI Actually Think? Evaluating LLMs with the Vectra AI MCP Server

Vectra AI tests how LLMs like GPT and Claude perform in real SOCs—revealing which AI agents truly think, act, and reason in cybersecurity.

How Vectra AI Hybrid NDR Enables Proactive Threat Hunting and Outcome-Driven Defense

Transform SOC efficiency with AI-driven threat hunting. Detect stealthy attacks earlier, cut MTTR, and operationalize Gartner’s 2025 recommendations.

Introducing the Vectra AI MCP Server for On-Premises (QUX)

Introducing the Vectra AI MCP Server for QUX—bringing AI-powered SOC automation and MCP innovation to on-premises security environments.

From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand

From Conti to Black Basta to DevMan, ransomware code keeps resurfacing. See how behavioral AI detects the attacker behaviors that rebrands cannot hide.

How the F5 Breach Exposed Critical Edge Security Gaps

The F5 compromise shows how attackers abuse trusted edge systems. Behavioral detection spots hidden persistence where perimeter tools fail.

Qilin’s 2025 Playbook, and the Security Gap it Exposes

Qilin’s 2025 variants use MFA bombing, SIM swapping, and AES-256-CTR encryption to evade detection. Discover how the Vectra AI Platform exposes their behavior before encryption starts.

Vectra Fusion: Extending the Vectra AI Platform to Build Resilience Both Pre and Post Compromise

Vectra Fusion unifies observability and detection to build SOC resilience before and after compromise across hybrid environments.

Seeing Beneath the Surface: What Crimson Collective Reveals About Cloud Detection Depth

Crimson Collective says defenders only “map the coastline.” See how Vectra AI dives deeper, turning cloud and identity telemetry into real-time detection of hidden threats.

Cl0p Is Back, Exploiting Supply Chains Again.

The Cl0p ransomware group’s link to the Oracle EBS exploit sparks debate. Learn how supply chain attacks evolve and what defenders must do next.

How to Choose the Best NDR for Hybrid Environments

Not all NDR tools cover hybrid networks equally. Identify capabilities that matter for detection and control.

Red Hat GitLab Breach Shows Why Consulting Data is a Goldmine for Attackers

The Crimson Collective claims to have stolen Red Hat consulting data, exposing customer engagement reports. Learn why consulting artifacts are prime attacker targets and how Vectra AI helps close the gap.

Why the GoAnywhere vulnerability exposed the limits of patching

Patching stops entry, but not attacker behavior. See how detection closes the post-exploitation gap

Vectra AI with Netography Redefining the SOC Platform around Modern Attack Resilience

Vectra AI and Netography deliver the first converged SOC platform, uniting prevention and response for resilience across hybrid enterprises.

Beyond Endpoints: How BRICKSTORM Exposed Security Blind Spots

Discover how BRICKSTORM hid for 400 days in enterprise blind spots and learn how Vectra AI closes detection gaps across network, identity, and cloud.

What Modern SOCs Should Know About NDR Alternatives

EDR stops at endpoints. SIEM reconstructs after the fact. See why NDR fills the detection gap where attackers operate

Scattered Lapsus$ Hunters Announce They Are Going Dark but the Threat Remains

Scattered Lapsus$ Hunters may claim they’re gone, but The Com endures. Cybercrime has moved beyond ransomware into an era where extortion is the goal.

LockBit is Back: What’s New in Version 5.0

LockBit is back with version 5.0. Discover its new features, TTPs, and how SOC teams can detect attacks where prevention alone falls short.

The Npm Exploit Is The Entry Point, What Follows Is Just As Critical.

Poisoned npm packages are just the entry point. Discover how attackers move next and why SOC teams must detect behaviors beyond the initial exploit.

How AI is Fueling Cybercrime and Why Security Gaps Are Growing

AI is accelerating cybercrime — from ransomware kits to insider fraud. Learn how attackers exploit security gaps and how Vectra AI helps you detect what others miss.

5-Minute Hunt: Detecting Risky Multi-Tenant Apps in Microsoft 365

Hunt for risky multi-tenant apps in Microsoft 365. Learn how attackers exploit consent-based access and how to detect misconfigurations in minutes.

GLOBAL RaaS: Dissecting a Modern Ransomware Franchise

Discover how GLOBAL RaaS empowers affiliates with enterprise-scale ransomware features, and how Vectra AI detects threats others miss.

What the CISA Advisory Reveals About Nation-State Attacks

Nation-state campaigns bypass prevention controls. Learn why post-compromise detection is now critical

New Technologies bring new risks: MCP-Powered Swarm C2

Explore how MCP-powered agent swarms evade detection, bypass EDR, and exploit LLMs for stealthy attacks. A new era of autonomous C2 is here.

4 Real-World Attacks That Show Why SOCs Need NDR

Discover how Scattered Spider, Volt Typhoon, Mango Sandstorm, and UNC3886 evaded defenses - and why SOC teams need NDR to stop them in time.

Why insider threats go undetected by security tools

DLP and EDR miss insider misuse. Learn behavioral indicators and how detection identifies risk before damage

Black Hat USA 2025: What Security Teams Asked Us in Las Vegas

What different stakeholders looking for an NDR asked the Vectra AI team at BlackHat 2025.

Vectra AI and Google Security Operations: Breaking Down Security Silos

Vectra AI and Google Security Operations unite to break security silos, streamline workflows, and strengthen threat detection and response.

Black Hat Takeaway: Everyone Talks Prevention, But Who Detects Compromise?

Modern attacks often begin with valid credentials and evade detection. Learn what questions to ask vendors about post-compromise visibility.

Black Hat USA 2025: What It Told Me About Protecting the Modern Network from Modern Attacks

Key takeaways from Black Hat USA 2025 on defending modern networks from AI-driven threats, identity attacks, and converged risks.

Introducing the Vectra AI MCP Server

Vectra AI MCP Server brings AI-native security—faster threat detection, investigation, and response with natural language prompts.

Cloud Security Grey Zone: Who Owns the Risk of Managed Identities?

Threats are not uniform. The most critical threat in one cloud may be a non-issue in another. Defenders and researchers must tailor their strategies, recognizing that there is no “1-to-1” approach to security controls in a multi-cloud environment.

CVE-2025-53770: A 9.8/10 Critical Exploit Targeting SharePoint

Critical SharePoint flaws CVE-2025-53770 and CVE-2025-53771 are under active attack. Learn what’s happening and how Vectra AI detects and stops it.

5 Ways Security Teams Can Start Driving Outcomes with Agentic AI

Discover 5 practical ways to use agentic AI for smarter threat detection, investigation, and response across network, identity, and cloud.

Behind the Hunt: Real-World Threat Hunting Practices and How Vectra AI Makes the Difference

Senior threat hunter René Kretzinger shares real-world hunting tactics and how the Vectra AI Platform accelerates detection, investigation, and response.

Vectra AI named in Gartner hype cycle for security operations 2025

See where Vectra AI appears on the Gartner Hype Cycle for Security Operations across NDR, XDR, ITDR, and AI-driven detection

Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking

What questions should you be asking when evaluating an NDR solution? See how Vectra NDR is the right choice for you.

Gartner Security and Risk Conference – Chaos meets Opportunity

Gartner’s SRM conference sparked insights on AI, platform consolidation, and NDR. Mark Wojtasiak from Vectra AI breaks down how chaos is creating opportunity for security leaders focused on resilience, visibility, and real outcomes.

Detecting Iranian APT identity attacks across hybrid environments

Iranian groups exploit identity and cloud trust relationships. Understand their tactics and how to detect them early

You Have the Right Tools. So Why Are Attackers Still Getting In?

Attackers aren't breaking your tools: they're slipping between them. Learn where your stack is blind and how to finally close the security gap.

Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR)

See what is really takes to lead in Network Detection and Response) and why Vectra AI leads and outperforms in GigaOm’s 2025 NDR report for the second year in a row

Challenges in Microsoft Log Monitoring: Insights for Your SOC

Vectra AI’s Security Research Team identified issues in Entra ID and Microsoft 365 logs that make your job harder — and may help attackers evade detection.

How Sanofi Detected and Stopped a Cyberattack

A LinkedIn message triggered a multi-stage attack. See how detection identified and contained it before impact.