Stanislav Stoychev

The visibility problem we keep running into Most SIEM deployments follow a familiar pattern: collect logs, apply rules, generate alerts. That approach works, but it starts to break down in one area we regularly see during investigations - telling the difference between legitimate activity and attacker behavior when both look the same. Attackers are no longer relying on obviously malicious tools. They use valid credentials, built-in admin utilities, and approved access paths. From a logging...

There is a recurring assumption in many environments: if the SIEM is properly configured, detection is “solved.” In reality, SIEMs don’t detect threats - they execute logic. And that logic is only as good as the assumptions behind it. What we consistently observe in real-world incidents is not a lack of SIEM coverage, but a lack of detection engineering discipline. At CyberSift, this is one of the core areas we continuously invest in: expanding, validating, and maintaining detection rules as...

Recent research from Atos described a new variant of the ClickFix social engineering technique, where attackers trick users into executing malicious commands through the Windows Run dialog (Win + R). Instead of delivering traditional malware, attackers rely on user interaction with built-in Windows tools. Victims are instructed to copy and run commands that appear to resolve an issue - such as fixing a browser problem or completing a verification step. In reality, these commands execute...