In a field full of noise, thoughtful voices matter. This Thanksgiving, we’re thankful for the CISOs, founders, operators, and practitioners who consistently elevate SACR with real insight and real discussion. We appreciate you. Wishing you a joyful, restful, and (tech-free, if possible) Thanksgiving! 🧡🥧
Software Analyst Cyber Research
Technology, Information and Media
Toronto, Ontario 6,929 followers
Empowering cybersecurity leaders with actionable insights and in-depth analysis of the cybersecurity industry
About us
Software Analyst Cybersecurity Research delivers in-depth analysis of the ever-evolving cybersecurity industry. Our mission is to empower security leaders, operators, investors, and cybersecurity professionals with the knowledge they need to navigate this complex field.
- Website: https://softwareanalyst.substack.com/
- Industry: Technology, Information and Media
- Company size: 2-10 employees
- Headquarters: Toronto, Ontario
- Type: Public Company
- Founded: 2020
- Specialties: Finance, Equity Research, stocks, Investing, Technology, and Cybersecurity
Locations
- Primary: 11 Ordnance St, Toronto, Ontario M6K 0H4, CA
Updates
-
Last year, phishing surged more than 600% during Black Friday week, and ransomware attacks rose nearly 60%! Black Friday isn’t just peak shopping season. It’s peak attacker season. For security leaders, the risk isn’t just fraud. It’s infrastructure stress, third-party dependencies, AI-generated phishing, and a wave of mobile-wallet exploits that reshape how attackers operate at scale. We broke down the five threat trends that matter most for enterprise security teams, the ones that directly impact resilience, uptime, and revenue. Swipe through to see what should be on your radar this shopping season, and how our latest report can help you prepare for it! *** How is your organization preparing for the Black Friday & Cyber Monday attack wave this year? Let us know your thoughts in the comments. #Cybersecurity #IdentitySecurity #AIThreats #Phishing #BlackFriday
-
A major shift is underway in security, and it’s happening in the data pipeline layer. As SIEM, XDR, and observability vendors accelerate acquisitions across the Security Data Pipeline Platform (SDPP) market, one message is clear: security outcomes now depend on the quality of telemetry, not just detection or response. This year, several pipeline vendors have been acquired: Tarsal by Monad (July 2025), Onum by CrowdStrike (~US$290M), Observo AI by SentinelOne (~US$225M cash + stock), Datable by Panther Labs (undisclosed), and Chronosphere by Palo Alto Networks for $3.3B. Each move reflects the same priority: bringing pipeline technology in-house to strengthen data quality, normalization, enrichment, and routing. For CISOs, this matters: a strong pipeline improves performance, reduces noise, lowers storage costs, and ensures analytics and AI operate on well-prepared data. The pipeline layer is becoming the heart of the SOC, shaping how every downstream tool performs. But consolidation also raises neutrality concerns. Many organizations adopted independent SDPPs for flexibility. As platforms are absorbed, questions emerge around portability, multi-destination routing, and future innovation. The takeaway: whoever controls the pipeline layer will influence the intelligence, cost, and efficiency of the modern SOC. ➜ Read our full analysis here: https://lnkd.in/gefSXFSA
-
Last week, our very own Lawrence Pingree had an incredible time at the #MSIgnite 2025 event in San Francisco, representing Software Analyst Cyber Research. 🎉🎉 We’re also sharing a few photos from the event, and an inside look at the conversations, energy, and insights shaping where enterprise security is heading next. Microsoft made one thing clear: the future of security is AI-first and agent-centric. Here are our notable highlights from the event, aimed at addressing contemporary security and infrastructure challenges:
1️⃣ Shadow AI emerged as the biggest new enterprise risk, with unguarded agents introducing data exposure, prompt injection paths, and unintended automated actions at scale.
2️⃣ Agent 365 was introduced as the new AI Security Control Plane, unifying Entra ID, Purview, and governance across all AI agents while also expanding Microsoft’s own attack surface. It also includes a “Task Adherence” metric that will help organizations build trust with agents and use them in various use cases, but more is needed to enhance the visibility into the functionality provided by each agent in the Agent 365 repository.
3️⃣ Security Copilot gained automated defence capabilities across Microsoft 365 environments, including predictive threat detection through Microsoft Defender.
4️⃣ Security Copilot is now included with E5 licensing, enabling enterprises and SMBs to access advanced automated defence without additional subscription costs.
5️⃣ Foundational security updates focused on Post Quantum Cryptography (PQC) and Zero Trust DNS, signalling Microsoft’s push to address quantum era risks and widespread DNS tampering.
Stay tuned for more updates and photos from the event!✌ #MicrosoftIgnite #AISecurity #Cybersecurity #CloudSecurity #SecOps
-
Scattered Spider has forced a fundamental rethink of which security tools actually matter. Across LUCR-3 investigations, one pattern is consistently observed: the tools that help most are those that strengthen identity visibility, reduce misconfigurations, and validate human interactions. Organizations must use new identity visibility intelligence platforms and identity threat detection and response technologies to enhance security outcomes. Our analysis highlights several markets now central to defending against this threat:
✔️ Identity-focused technologies are becoming foundational
▪️ Identity Visibility and Intelligence Platforms
▪️ Identity Threat Detection and Response
▪️ Automated Identity Verification
✔️ SaaS and cloud posture tools are essential for reducing exposure
▪️ Continuous Threat and Exposure Management
▪️ SaaS Security Posture Management
✔️ Human verification capabilities are expanding quickly
▪️ Passkeys for phishing-resistant authentication
▪️ Automated Impersonation and Deepfake Detection
Together, these markets reflect how defence is shifting toward identity-centric visibility combined with posture management and verification controls across cloud and SaaS ecosystems. To ground this landscape in real-world capabilities, the report also includes solution profiles from Silverfort, Permiso Security and CrowdStrike. Read our full analysis here: https://lnkd.in/gYK6NFd5 We hope the attack analysis in this report provides practical value. If you find this style of research helpful, we welcome your feedback! #CyberSecurity #IdentitySecurity #CISO #ThreatDetection #ScatteredSpider #SecurityStrategy
-
✨ It’s that time of year again. Prediction season is officially here ✨ Our analysis of Palo Alto Networks’ latest 2026 Predictions report shows a decisive shift underway: the global economy is moving from “AI-assisted” to AI-native, fundamentally altering the assumptions security teams depend on. Below are the shifts CISOs and security leaders should prioritize:
1️⃣ Identity Becomes the New Battleground. Identity is now the primary attack surface.
▪ AI-generated CEO “doppelgängers” and forged machine identities are creating an authenticity crisis
▪ A single synthetic identity can trigger automated actions
▪ Static access models can’t keep up
2️⃣ AI Agents Become the New Insider Threat. Organizations are rapidly deploying autonomous AI agents.
▪ They function like privileged, always-on digital employees
▪ A prompt injection or misuse can quietly convert an agent into an insider
▪ Their continuous operation increases potential impact
3️⃣ Data Poisoning Becomes a Cloud-Native Threat. Attackers are shifting tactics from data theft to data corruption.
▪ The goal is to poison training data that AI models rely on
▪ Security and data teams still work in silos
▪ DSPM, AI-SPM, and cloud runtime controls are essential for trustworthy AI
4️⃣ AI Risk Moves Into the Boardroom. AI adoption is outpacing AI security.
▪ This gap raises executive accountability
▪ Governance needs to be unified and verifiable
▪ New leadership roles focused on AI risk may emerge
5️⃣ Quantum Readiness Becomes Urgent. Quantum progress is accelerating.
▪ Government mandates increase pressure on enterprises
▪ Post-quantum cryptography migration must start sooner
▪ Crypto-agility becomes essential
6️⃣ The Browser Becomes the New OS. Browser-first workflows are becoming standard.
▪ GenAI-driven activity is surging
▪ The browser becomes the new control plane
▪ For SMBs in BYOD environments, this shift increases risk without a modern security layer
The report ends with a clear signal: 2026 is shaping up to be "The Year of the Defender." Which prediction will shape your 2026 roadmap the most? Share your thoughts below.
-
Cloud attacks aren’t slowing down, but most SOCs are still built for a world that no longer exists. That’s why, for our upcoming CISO webinar on December 15th at 9 AM PST, we’re spotlighting leaders who are actively reshaping how cloud security and SOC operations converge in the real world. Today, we’re excited to introduce one of our featured speakers, Puneet Thapliyal, Chief Information Security Officer at Pomelo Care. He is a seasoned Information Technology, Cloud, and AI Security executive with over 25 years of experience driving global IT strategies, major transformations, and resilient enterprise security solutions. Puneet will join our live panel of CISOs to break down the challenges every security leader is navigating right now, including: ✔️ How cloud security is redefining traditional SOC workflows ✔️ The biggest visibility gaps across hybrid and multi-cloud environments ✔️ Practical playbooks for cloud threat defense ✔️ Where AI meaningfully accelerates detection and response ✔️ Real-world lessons learned from large-scale transformations If you’re responsible for cloud, identity, or SOC modernization, this is a session worth joining. 👉 Save your seat for the LIVE webinar here: https://lnkd.in/gJ6Aukif #CISOLivePanel #SecurityWebinar #Cybersecurity #EnterpriseSecurity
-
What makes threat actors like Scattered Spider so hard to defeat? Scattered Spider’s strategy combines social engineering, credential abuse, MFA compromise, and large-scale data exfiltration to fuel extortion and high-tier ransomware operations. Below is a simple breakdown of the key takeaways from our latest report on how Scattered Spider operates across identity, cloud, SaaS, and on-prem environments, and why defenders often have less than 48 hours to respond.
⬜ Evolving Attack Vectors
Scattered Spider (UNC3944 / Roasted 0ktapus / STORM-0875 / Octo Tempest) uses SIM swapping, MFA push fatigue, credential harvesting via infostealers, and extortion-driven data breaches across IaaS and SaaS. Recent campaigns show increased focus on cloud environments and VMware ESXi. Their playbook blends social engineering, MFA compromise, credential abuse, and high-tier ransomware operations.
⬜ Rapid On-Premise Pivoting
One of the most important insights: speed. Once inside, attacks move fast, often under 48 hours before encryption. The group rapidly pivots across tactics, shifts away from phishing pages to full vishing-based social engineering, impersonates IT or CFO roles, and even monitors internal corporate chats to tweak their intrusion in real time. They increasingly exploit MSPs as single points of entry to reach multiple victim networks.
⬜ Cloud-Focused Attacks
The group frequently rotates infrastructure and domains every 1–2 months, switching alliances between ransomware affiliates like ALPHV/BlackCat, Qilin, and DragonForce. In AWS environments, they leverage the Management Console, S3 Browser, and CloudShell for enumeration, credential harvesting, instance profile replacement, and disabling GuardDuty and S3 logging before exfiltration.
⬜ Social Engineering as First Access
Scattered Spider now relies almost entirely on vishing for initial compromise. Attackers impersonate privileged IT or executive roles and adapt their methods in real time based on what they observe inside victim communication channels. They specifically target IT help desks, aiming to engineer MFA resets and privileged account access socially.
⬜ Reconnaissance in SaaS
The group performs deep recon across SaaS applications to map environments, hunt for credentials, and stage lateral movement. Their SaaS reconnaissance is a core enabler for identity abuse and rapid escalation.
This report includes insights informed by vendor case studies from CrowdStrike, Silverfort, and Permiso Security, illustrating how the market is approaching identity visibility, posture hardening, and threat detection. Curious how these behaviours shape modern identity and cloud defence? Read the full report here: https://lnkd.in/eupADZ93 #ThreatActors #Cybersecurity #HolidaySeason #CyberAttack
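One defensive reading of the cloud behaviours listed in the post above, as an added example that is not from the report or from Software Analyst Cyber Research: a small Python detector that runs over CloudTrail records, flags the monitoring changes the post names (GuardDuty disabled, S3 access logging turned off, an instance profile replaced), and correlates several such changes by one principal inside a short window, which is the fast-moving pattern the post stresses. The API names are real AWS CloudTrail event names; the records, account id, principal names, severities and the 30-minute window are constructed choices for the example.

```python
"""Flag CloudTrail events that weaken monitoring or move credentials, then
correlate them per principal within a short time window.

Added illustration; the records below are constructed samples, not real
telemetry, and the severity labels and window size are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real AWS API names whose successful completion disables monitoring or swaps
# the credentials an EC2 instance runs with. Severity is an example choice.
WATCHLIST = {
    ("guardduty.amazonaws.com", "DeleteDetector"): ("guardduty_disabled", "high"),
    ("guardduty.amazonaws.com", "UpdateDetector"): ("guardduty_disabled", "high"),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("cloudtrail_disabled", "high"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("cloudtrail_disabled", "high"),
    ("s3.amazonaws.com", "PutBucketLogging"): ("s3_access_logging_changed", "medium"),
    ("ec2.amazonaws.com", "ReplaceIamInstanceProfileAssociation"): ("instance_profile_replaced", "medium"),
}

ACCOUNT = "111122223333"  # constructed account id
ATTACKER = f"arn:aws:iam::{ACCOUNT}:user/helpdesk-admin"  # constructed principal
SECOPS = f"arn:aws:iam::{ACCOUNT}:role/SecOps"             # constructed principal

SAMPLE_RECORDS = [  # constructed CloudTrail-style records
    {"eventTime": "2025-11-20T02:11:05Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"detectorId": "12abc34d567e8f9012a3b4c5d6e7f890", "enable": False}},
    {"eventTime": "2025-11-20T02:14:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"bucketName": "finance-exports", "BucketLoggingStatus": {}}},
    {"eventTime": "2025-11-20T02:20:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ReplaceIamInstanceProfileAssociation", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"iamInstanceProfile": {"arn": f"arn:aws:iam::{ACCOUNT}:instance-profile/AdminRole"}}},
    # Failed call: AccessDenied means no state changed, so it is not a finding here.
    {"eventTime": "2025-11-20T02:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": ATTACKER}, "requestParameters": {"name": "org-trail"}},
    # Benign: SecOps tuning a detector that stays enabled.
    {"eventTime": "2025-11-20T09:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"arn": SECOPS},
     "requestParameters": {"detectorId": "12abc34d567e8f9012a3b4c5d6e7f890", "enable": True}},
    # Benign: access logging switched on (LoggingEnabled block present).
    {"eventTime": "2025-11-20T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"arn": SECOPS},
     "requestParameters": {"bucketName": "finance-exports",
                           "BucketLoggingStatus": {"LoggingEnabled": {"TargetBucket": "audit-logs"}}}},
]


def classify_event(record):
    """Return a finding dict for a watch-listed, successful event; else None."""
    key = (record.get("eventSource"), record.get("eventName"))
    if key not in WATCHLIST or record.get("errorCode"):
        return None
    technique, severity = WATCHLIST[key]
    params = record.get("requestParameters") or {}
    # UpdateDetector is routine unless it actually switches the detector off.
    if key[1] == "UpdateDetector" and params.get("enable", True):
        return None
    # PutBucketLogging without a LoggingEnabled block turns access logging off.
    if key[1] == "PutBucketLogging":
        if "LoggingEnabled" in (params.get("BucketLoggingStatus") or {}):
            return None
        technique, severity = "s3_access_logging_disabled", "high"
    return {
        "time": datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00")),
        "principal": record.get("userIdentity", {}).get("arn", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
        "event": key[1], "technique": technique, "severity": severity,
    }


def scan(records):
    """Apply classify_event to every record and keep the findings."""
    return [f for f in (classify_event(r) for r in records) if f]


def correlate(findings, window=timedelta(minutes=30), min_distinct=2):
    """Alert on any principal showing >= min_distinct techniques inside `window`."""
    by_principal = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["time"]):
        by_principal[f["principal"]].append(f)
    alerts = []
    for principal, items in by_principal.items():
        for i, first in enumerate(items):
            in_window = [x for x in items[i:] if x["time"] - first["time"] <= window]
            techniques = {x["technique"] for x in in_window}
            if len(techniques) >= min_distinct:
                alerts.append({"principal": principal, "techniques": sorted(techniques),
                               "first_seen": first["time"].isoformat(), "count": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(scan(SAMPLE_RECORDS)):
        print(alert)
```

Run as-is, the script reports one alert for the constructed helpdesk-admin principal with three distinct techniques in nine minutes, and nothing for the SecOps role, whose detector tuning and logging enablement are skipped by the parameter checks. In a real pipeline the same two functions would sit behind the SDPP or SIEM ingest, with the window and the principal field adjusted to the organisation's own identity model.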
-
Security Data Pipelines are often misunderstood as just data brokers. Our new analysis shows why they are so much more: they have become the control plane of the SOC architecture. Today, we’re releasing our updated Security Data Pipeline Platforms report, outlining how these platforms now anchor the modern SOC. Here are the key insights CISOs should focus on:
1️⃣ Major Acquisitions and Practitioner Perspectives. The security data pipeline market is consolidating quickly as major vendors purchase pipeline platforms to strengthen their data foundations. Recent moves from CrowdStrike (Onum), SentinelOne (Observo AI), Panther (Datable.io), and Palo Alto Networks, with its 3.3 billion dollar acquisition of Chronosphere, underscore this trend. Large providers are choosing to buy pipeline technology to address long-standing ingestion, normalization, and cost challenges.
2️⃣ Pipelines as the SOC Control Plane. Data ownership defines the control plane. Pipeline platforms now manage ingestion, normalization, enrichment, routing, and telemetry health, enabling downstream systems to operate efficiently.
3️⃣ AI’s Role in What Comes Next. Teams are using practical, assistive AI to reduce engineering work, correct schema drift, build pipeline flows, and surface anomalies. The report also highlights why telemetry health has become a priority as teams worry more about missing data than noisy data.
➕ Why This Matters Right Now ➕ The report brings together practitioner insights, emerging trends, and in-depth evaluations of market leaders. It also gives a look into how these platforms are positioning themselves, either deepening their capabilities or expanding across adjacent areas. For security leaders seeking clarity on where the market is heading and how these changes may shape their programs, this guide offers a grounded, practical perspective.
Vendors covered in this report include: Abstract Security, Axoflow, Beacon Security, Brava Security, CeTu, Cribl, Databahn.ai, Datadog, OP, Onum, Observo AI (acquired by SentinelOne), Realm.Security, Inc., Tenzir, VirtualMetric. A special thank you to our chief analyst, Aqsa Taylor, and co-author, Chi A., for leading and shaping this report. 🔗 Read the full report here: https://lnkd.in/gWDJNwgP #SDPP #SecurityDataReport #Cybersecurity
-
The identity stack is breaking under today’s threat patterns, and the industry knows it. Our founder, Francis Odum, joined Okta’s team to unpack why session abuse, AI agents, and NHI growth are forcing a full re-think of modern identity security. This is the shift every CISO needs to prepare for. Watch the full webinar replay with the link shared below ⬇️
Identity risk is changing faster than most teams expect, and it’s already redefining how attacks happen. In our recent Software Analyst Cyber Research webinar, I sat down with Jack Hirsch, VP of Product, and Julia Oberrotman, Senior Director, Corporate Strategy, from Okta, to break down what CISOs should be thinking about right now. Here are the biggest takeaways from our conversation:
✔️ Most breaches now start with identity abuse: Jack highlighted how stolen session cookies, tokens, and lateral movement across apps have become core to how threat actors operate today.
✔️ The identity stack is still too fragmented: Access management, identity governance, and PAM remain split across tools, which increases cost and complexity and creates weaker security outcomes.
✔️ AI agents and non-human identities are introducing new exposure: Teams are now facing agents that can interact with calendars, procurement systems, SaaS apps, and sensitive internal workflows, making auditability and authorization far more difficult.
✔️ Enterprises are shifting from reactive to proactive identity security: Julia emphasized the need for interoperability, continuous signals, and centralized policy, especially in large, regulated environments with complex IT landscapes.
✔️ Identity needs an end-to-end model, before, during, and after authentication: Jack explained how posture checks, governance, real-time signals at login, and post-auth detection all need to work together, not as separate tools.
✔️ Open, neutral, composable identity platforms will matter more than ever: With AI, multi-cloud, contractors, and global footprints, organizations need identity systems that integrate across everything, not closed ecosystems.
If your 2026 roadmap doesn’t treat identity as a foundation, you’ll feel the impact fast. 🔗 Watch our full conversation here: https://lnkd.in/gcg-nC46