top of page
Blog
What we’re seeing. What it means. What comes next.
Because understanding is the first step to staying ahead.
Threat Detection
Incident Response
Vulnerability Management
Compliance
Emerging Trends
Why Session Tokens Are the Ultimate Threat Vector
How adversaries bypass Multi-Factor Authentication and the continuous analytics required to stop them. For years, organizations relied on a singular security gospel: enforce strong passwords, enable Multi-Factor Authentication (MFA), and your cloud environments are secure. For a long time, this layer of defense worked efficiently by neutralizing bulk credential stuffing and basic phishing campaigns. However, the threat landscape has shifted dramatically, and sophisticated adv
Securing the Mind: How Cyber Reasoning Systems Are Rewriting the Attack Surface
A deep dive into the operational shift from patching static vulnerabilities to validating autonomous system logic. To understand how Cyber Reasoning Systems (CRS) are rewriting the attack surface, you first need to shift how you think about “what is being attacked.” At CyberSift, telemetry shows that Security Operations Center (SOC) analysts are increasingly interacting with CRS framework architectures, and their daily work is already being shaped by it. Instead of drowning u
Linux Privilege Escalation Is a Visibility Problem
Recent Linux LPE vulnerabilities highlight how limited telemetry delays detection and response. Linux systems sit at the center of modern infrastructure. They run production workloads, cloud platforms, development environments, and critical internal services. Because of that, they are often seen as stable and trustworthy by default. Recent Linux privilege escalation vulnerabilities, including Fragnesia (CVE-2026-46300), Dirty Frag (CVE-2026-43284, CVE-2026-43500), and Copy F
Detection Through Deception: Where It Fits in a Modern SOC Strategy
The visibility problem we keep running into Most SIEM deployments follow a familiar pattern: collect logs, apply rules, generate alerts. That approach works, but it starts to break down in one area we regularly see during investigations - telling the difference between legitimate activity and attacker behavior when both look the same. Attackers are no longer relying on obviously malicious tools. They use valid credentials, built-in admin utilities, and approved access paths.
Why SIEMs Need Strong Detection Engineering and How We Approach It at CyberSift
There is a recurring assumption in many environments: if the SIEM is properly configured, detection is “solved.” In reality, SIEMs don’t detect threats - they execute logic. And that logic is only as good as the assumptions behind it. What we consistently observe in real-world incidents is not a lack of SIEM coverage, but a lack of detection engineering discipline. At CyberSift, this is one of the core areas we continuously invest in: expanding, validating, and maintaining de
When the Run Dialog Becomes an Attack Vector
Recent research from Atos described a new variant of the ClickFix social engineering technique, where attackers trick users into executing malicious commands through the Windows Run dialog (Win + R). Instead of delivering traditional malware, attackers rely on user interaction with built-in Windows tools. Victims are instructed to copy and run commands that appear to resolve an issue - such as fixing a browser problem or completing a verification step. In reality, these comma
When Legitimate RMM Tools Become an Attack Vector
Remote Monitoring and Management (RMM) tools are widely used by IT teams to support remote administration and system maintenance. Tools such as AnyDesk, TeamViewer, and ScreenConnect provide powerful capabilities for managing endpoints across distributed environments. However, these same capabilities have made RMM tools increasingly attractive to attackers. In many modern intrusions, threat actors deploy legitimate remote access tools after gaining an initial foothold. Becaus
How the Iran Conflict Reached Malta's Cyber Perimeter
As military campaigns and geopolitical tensions involving Iran escalate in early 2026, the conflict has rapidly expanded beyond physical battlefields into cyberspace. State-sponsored espionage, disruptive cyber operations, and hacktivist proxy attacks have surged, going outside the lines between national security and private-sector IT infrastructure. How does this affect Maltese companies and their cyber‑risk posture? We extracted some statistics across some of our clients r
The Threat Hunt Framework : Inside the CyberSift Architecture
Beyond the "Red Alert": How We Hunt Threats at CyberSift If you wait for a security alarm to go off, you’re already playing catch-up. In the world of cybersecurity, the most dangerous threats are the ones that don't make a sound. That’s why at CyberSift, we don't just "monitor" your systems. We hunt. What do we mean by "Threat Hunting"? Most security setups are like a burglar alarm: they only ring if someone breaks a window. Threat hunting is more like having a security team
Potentially Unwanted Software on Corporate Endpoints
During a recent proactive threat hunting exercise, we identified the presence of OneLaunch on a workstation within a monitored environment. While not classified as malware, OneLaunch falls into the category of Potentially Unwanted Programs (PUPs) - software that often arrives through bundled installers and can introduce unnecessary risk into corporate environments. At first glance, these applications may appear harmless. However, they frequently modify browser settings, intro
FortiGate Edge Devices Targeted in Recent Intrusions
Recent research published by SentinelOne highlighted a series of intrusions targeting organizations through compromised FortiOS devices. Edge infrastructure has become an increasingly attractive target for attackers. Firewalls, VPN gateways, and other perimeter devices often sit directly exposed to the internet while maintaining deep visibility into internal networks. Compromise of these systems can provide attackers with a strategic foothold that extends far beyond a single
How to Think Like an Investigator Instead of an Alert Reviewer
Security incidents are solved through context and correlation - not alert queues. Most SOC environments are optimized for speed. Analysts are measured by ticket closures, SLA adherence, and alert throughput. On paper, that sounds efficient. In practice, it creates a dangerous habit: reviewing alerts instead of investigating incidents. An alert is not an investigation. It is a signal that something may require attention. Yet many security teams treat alerts as isolated tasks i
From Alerts to Hours: The Hidden Cost of Noise
Over 1 Million Alerts — What’s Behind That Number? Over the last 7 days, this environment generated 1,107,211 alerts. At first glance, that sounds like strong security coverage. But here’s the reality: More alerts don’t mean more protection — they often mean more noise. The real question is not how many alerts were generated, but: How many of these actually matter? Use Case: SMB to Public IP To understand how this pattern behaves across the environment, we zoomed into a speci
Threat actors don't need your password or MFA to compromise your users
Cybersift is observing a modern type of phishing attacks on Office 365 users which deviate from the typical fake login web page, we analysts are typically accustomed to seeing. The new phishing attack utilizes device registration to compromise the victim’s account, meaning that the threat actor does not require to steal your password to gain entry. But this modern phishing attack is smarter than you might think. Case Study We analyzed a phishing email which utilized a device
Deconstructing the Tor Exit Node Attack on Microsoft
Introduction As the digital backbone for millions of enterprises, Microsoft Office 365 has become the primary option for modern identity-based warfare. Today’s attackers don't just "log in" they meticulously craft digital fingerprints to mirror legitimate employees, attempting to slip past automated defense unnoticed. This analysis explores a high-severity incident where a corporate account was compromised through a combination of network anonymization and device metadata man
How to Optimise Incident Response and Streamline SOC Operations
Security Operations Centers (SOCs) are under severe pressure to defend organisations due to evolving cyber threats. However, many SOC teams struggle with alert fatigue, slow response times, and fragmented security tools that makes it challenging to manage incidents effectively. Traditional manual incident response processes are inefficient. They require analysts to examine massive amounts of security alerts, correlate data from multiple sources, and respond to threats manuall
The 2026 Reality Check: Is Your DORA Compliance Hiding a "Resilience Debt"?
A blunt reality check for financial institutions transitioning from checklist compliance to operational maturity. It’s been over a year since the Digital Operational Resilience Act (DORA) became fully applicable. For many financial institutions, 2025 was a year of frantic patching, manual spreadsheet mapping, and "checking the box" to meet the deadline. But as we settle into 2026, a new crisis is emerging: Resilience Debt. What is Resilience Debt? Just like "Technical Debt" i
Your Biggest Risk Isn’t Compliance. It’s Fragmentation.
In our previous article , we explored why compliance alone does not constitute a security strategy. Regulatory alignment establishes structure, but structure does not automatically translate into operational protection. The next question is where the real vulnerability lies. For many RegTech and payment institutions, it is not insufficient controls – but disconnected ones. RegTech and payment infrastructures are API-driven, cloud-dependent and transaction-intensive. They con
Compliance Is Not a Security Strategy
A Reality Check for EU RegTech & Payment Companies The European financial ecosystem - especially RegTech providers and payment institutions - lives under constant regulatory scrutiny. Between PSD2, DORA, NIS2 Directive, GDPR and PCI DSS, security is rarely ignored. Controls are mapped. Documentation is structured. Audit trails are maintained. Reports are submitted. On paper, everything looks robust. But here is the uncomfortable truth: Passing regulation does not mean you are
Shadow AI: The Security Risk of the Productivity Shortcut
A pragmatic guide to turning employee-driven telemetry blind spots into manageable, secure visibility. In the past, "Shadow IT" meant an employee bringing their own laptop to the office or installing an unauthorized piece of software to get their work done. Today, that trend has evolved into something much faster and more difficult to track: Shadow AI. At CyberSift, one of our motto is "you can't protect what you can't see." Shadow AI isn't just a policy violation; it's a ma
The Token is the Perimeter: Why OAuth is the New Frontier
The recent supply chain breach at Vercel highlights a critical blind spot: once an attacker hijacks a valid OAuth token, they don’t need to crack your password, they simply inherit your trust and walk right past your MFA No password is needed No MFA challenge is triggered No anomalous login event is created while the user is accepted Once a session token is issued, access is governed by the token alone, completely detached from the factors that created it. This is what an OAu
Data Poisoning: The Risk of Corrupted AI Training
The most significant vulnerability in the age of Artificial Intelligence isn't necessarily a flaw in the code, it’s a flaw in the information. Because AI models are built on vast amounts of data, their reliability depends entirely on the integrity of that input. This has given rise to a calculated method of attack known as data poisoning, where adversaries subtly subvert an AI’s learning process to control its outcomes. Unlike a traditional hack, data poisoning doesn't requir
What Happens If an Attacker Never Makes a Mistake?
The most dangerous attacks do not look like attacks We like to believe attacks are loud. Failed logins, SIEM alerts, and malware detections are what most analysts are trained to look for. But the most dangerous attackers generate none of that. There are no failed logins, no alerts, and no obvious anomalies. From the system’s perspective, everything is working exactly as expected. The broken assumption Most detection strategies rely on one core idea: malicious activity will lo
The Rise of Vibe Coding Risks
The Rise of Vibe Coding Risks Welcome to the latest dispatch from the front lines of Vibe Coding . If you haven't heard, "vibe coding" is the 2026 trend where we stop wrestling with boring syntax and start "vibing" apps into existence using natural language. It’s fast, it’s magical, and if you aren't careful it's a total security dumpster fire. Think of vibe coding like hiring a brilliant, caffeinated intern who works at 10,000 mph but has absolutely no concept of what a "lo
The Dark Side of Autonomy: Who is Watching Your AI Agents?
We have officially entered the era of the Agentic Workforce . Companies are no longer just using AI to write emails; they are deploying AI "agents" to actually do things: manage databases, connect to APIs, and automate entire business workflows. Agentic Workforce is a massive leap in productivity. But it’s also a massive security blind spot. The Problem: When Good AI Goes "Rogue" The very thing that makes an AI agent powerful is its agencies - its ability to take a goal and
The Hidden Costs of Cyber Blind Spots
David Vassallo, CTO, CyberSift August, 2025 According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach reached a record US$4.88 million – up from US$4.45 million in 2023. Strikingly, around 95% of breaches stemmed from unknown or poorly managed digital assets, also known as shadow or unmanaged IT . The Missing Piece: Accurate IT Asset Inventory A modern security strategy begins with visibility. Risk.net ’s analysis of the 2023 Citrix Bleed inciden
bottom of page