FEATURED · THREAT INTELLIGENCE · MAY 2026

Inside Operation HOLLOWGRAPH: a year of tracking a modular implant family across financial-sector targets.

Our threat intel team spent twelve months tracking a previously-unattributed implant family used in narrowly-targeted campaigns against tier-1 banks in three regions. This report documents the loader chain, command-and-control evolution, and the operational tradecraft we attribute with high confidence to a single actor cluster.

42 pages · technical analysis & IoCs

Recent articles

VULN RESEARCH APR 2026

Bypassing token-binding on a major SSO product

We found that a popular enterprise SSO platform's token-binding implementation could be defeated under specific TLS conditions. CVE-2026-XXXX, fixed in v8.4.

12 min read

CLOUD APR 2026

IAM blast radius: when a single role compromises the org

How an over-permissioned automation role in a typical AWS organization can be turned into a tenant-wide compromise — and the SCP patterns that prevent it.

9 min read

RED TEAM MAR 2026

Living-off-the-land in 2026: what still works

Five years after LoLBins entered the mainstream lexicon, defenders have caught up on most of them. Here's what we still rely on, and the detection content to stop us.

15 min read

INCIDENT RESPONSE MAR 2026

The first 60 minutes: a structured triage protocol

The decision tree we run on every IR engagement, distilled from 200+ incidents — including the questions that most often save the most time.

11 min read

ENGINEERING FEB 2026

Detection-as-code: lessons from rolling it out at scale

We helped a Fortune 100 migrate 1,400 detections from a SIEM UI to git. Here are the patterns that worked and the ones we abandoned.

13 min read

THREAT INTEL FEB 2026

Initial-access broker pricing: a 2026 market snapshot

Annual review of the underground market for corporate access. Average prices, trending sectors, and what the data tells us about adversary investment.

8 min read

VULN RESEARCH JAN 2026

A familiar deserialization flaw in an unfamiliar place

How a port of a well-known Java library to a different runtime carried the original vulnerability with it — and the audit pattern that finds these.

7 min read

CLOUD JAN 2026

Kubernetes admission controllers: the patterns we see attacked

From mutating webhooks used as persistence to validating controllers used as a covert exec channel. What to harden and what to monitor.

14 min read

ENGINEERING DEC 2025

The pentest report we wished existed

We rewrote our reporting template after asking 50 customers what they actually used. Here's what made the cut and what we deleted.

6 min read