Detection isn't broken. It's incomplete.
Three gaps every modern stack carries right now. Nothing looks wrong. Authentication succeeds. Movement isn't visible. Real attackers are stitching them together while existing tools watch each domain alone.
None of these patterns is new on its own. What's new is that defenders keep treating them as separate problems while attackers stitch them into single campaigns.
GAP 1
Living-off-the-land tactics. Native admin tools. No malware to scan. Volt Typhoon sat inside US infrastructure for up to five years using only what was already there.
GAP 2
Real credentials, real OAuth tokens, real MFA codes. Every audit log says yes. Scattered Spider, BlackFile, ShinyHunters all live here.
GAP 3
Cross-domain pivots through SaaS, identity, and cloud planes. Three security tools, three audit logs, three SOC tickets, one breach.
The attacker uses what's already on the machine. PowerShell. Remote Desktop. Standard Windows admin tools. Signed software with a malicious component bolted on.
The February 2024 CISA, NSA, and FBI joint advisory documented PRC-attributed operators (Volt Typhoon) sitting inside US critical-infrastructure networks for up to five years using nothing but native Windows tools. No malware to scan. No alerts to fire.
The reason they weren't kicked out wasn't a missing patch. It was that nothing they did ever looked wrong.
EDR has nothing to flag because there's no malware. SIEM rules don't fire because every action is documented admin behaviour. Identity tools log a successful sign-in because the credentials are valid. The customer-side defensive playbook is one step behind by design.
Real password, real one-time code, real OAuth token, real session cookie. Every fire in the room is a sign-in the audit log waved through.
Scattered Spider call the helpdesk. The BlackFile cluster (now resolved into Cordial Spider and Snarky Spider per GTIG's January 2026 paper) does the same thing at industrial scale: a vishing call, an AiTM page themed for the victim's SSO, then straight into SaaS. ShinyHunters operate a step further upstream, stealing OAuth tokens from sanctioned vendors (Salesloft Drift, Gainsight, Anodot) and reusing them against hundreds of downstream customers.
Every successful campaign in this category produces sign-ins that look completely valid. The audit log records them as successful. From any tool that watches for failed logins, suspicious files, or known bad IPs, nothing happened.
The 2024 hardening playbook (turn on MFA, rotate stolen passwords, restrict by network) is still right. It no longer covers the access path. Attackers don't hack MFA. They pick up the phone and ask the user to type the one-time code into a fake login page.
What happens after access. Not the lateral movement most security teams were trained to look for. Today it means SaaS-to-SaaS jumps through OAuth tokens. An on-prem server crossing into Microsoft Entra ID and then into AWS through legitimate federation. An npm worm spreading through 500 packages in a day.
An intrusion documented in 2025 showed an attacker reaching AdministratorAccess in AWS in eight minutes. No malware. No zero-day. Every API call valid. AI removed the friction between phases.
Three security tools, three audit logs, three SOC tickets, one breach. The IBM Cost of a Data Breach Report 2025 puts the multi-environment cost premium at 25% precisely because no single tool watches the whole journey. Nobody's watching the whole journey.
Real campaigns don't respect category boundaries. ShinyHunters' OAuth supply-chain wave is Gap 2 (authentication succeeded with a stolen vendor token) and Gap 3 (the same token pivoted into hundreds of customer SaaS tenants). Volt Typhoon is Gap 1 (LOTL) and Gap 3 (lateral movement using stolen admin credentials). Defenders need all three views to see one attack.
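As an added example (not code from this page or from any product it describes), a minimal cross-plane correlator: it chains constructed audit entries from an identity provider, a SaaS app and a cloud control plane by the identifiers they share (session id, OAuth token id; all sample values are constructed) and raises one incident when a chain crosses three planes inside a short window, so the "three tickets" become one timeline. The plane names, field names and window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit entries. Each plane logs its own identifiers, so no
# single log shows the whole path, and every entry is a "success".
SAMPLE_EVENTS = [
    {"plane": "idp",   "ts": "2026-05-01T09:00:00", "actor": "j.doe",      "ids": {"sess-42"},           "action": "signin"},
    {"plane": "saas",  "ts": "2026-05-01T09:04:00", "actor": "j.doe",      "ids": {"sess-42", "tok-9a"}, "action": "oauth_token_issued"},
    {"plane": "cloud", "ts": "2026-05-01T09:08:00", "actor": "role/admin", "ids": {"tok-9a"},            "action": "AssumeRoleWithWebIdentity"},
    {"plane": "idp",   "ts": "2026-05-01T10:00:00", "actor": "a.lee",      "ids": {"sess-77"},           "action": "signin"},
    {"plane": "saas",  "ts": "2026-05-03T10:00:00", "actor": "a.lee",      "ids": {"sess-77", "tok-c1"}, "action": "oauth_token_issued"},
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def chain_events(events):
    """Group events that share any identifier, transitively: an IdP session
    that issued a SaaS token links to the cloud call that presented that token."""
    parent = list(range(len(events)))
    owner = {}  # identifier -> index of the first event carrying it
    for i, ev in enumerate(events):
        for ident in ev["ids"]:
            if ident in owner:
                parent[_find(parent, i)] = _find(parent, owner[ident])
            else:
                owner[ident] = i
    groups = {}
    for i in range(len(events)):
        groups.setdefault(_find(parent, i), []).append(events[i])
    return list(groups.values())


def cross_plane_incidents(events, min_planes=3, window=timedelta(minutes=30)):
    """One incident per identifier chain that touches at least `min_planes`
    planes inside `window`. Returns the ordered path so the SOC sees one journey."""
    incidents = []
    for group in chain_events(events):
        group.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        first = datetime.fromisoformat(group[0]["ts"])
        last = datetime.fromisoformat(group[-1]["ts"])
        planes = {e["plane"] for e in group}
        if len(planes) >= min_planes and last - first <= window:
            incidents.append({"planes": sorted(planes), "span": last - first,
                              "path": [f'{e["plane"]}:{e["action"]}' for e in group]})
    return incidents


if __name__ == "__main__":
    for inc in cross_plane_incidents(SAMPLE_EVENTS):
        print(inc["span"], " -> ".join(inc["path"]))
```

The a.lee chain touches only two planes two days apart and is correctly left alone; tune `min_planes` and `window` to the dwell times seen in your own environment.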
Each anatomy walks six phases of a real intrusion. What attackers did. Where existing tools went silent. What behaviour would have caught it.
A 25-minute deep dive into how PRC-attributed operators stayed inside US infrastructure for five years using nothing but native Windows tools. Techniques dissected stage by stage.
Friday 22 May 2026 · 16:00 CEST