Normal view

Received — 18 June 2026 Threat Intelligence Blog | Flashpoint

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

Blogs

Blog

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

In this post, we examine how CISA BOD 26-04 shifts the industry away from flat CVSS scoring and details how Flashpoint bridges the critical data gaps left by public vulnerability repositories.

SHARE THIS:
Default Author Image
June 15, 2026

With the recent issuance of Binding Operational Directive (BOD) 26-04, CISA has officially shifted federal policy away from static severity scores and flat patching timelines  toward threat-informed prioritization. The move reflects a reality security teams have grappled with for years: not all critical vulnerabilities post the same risk, and not all active vulnerabilities receive the highest CVSS scores. 

Traditional vulnerability management programs have often relied on severity-based patching models that force resource-constrained teams to focus on large volumes of high-scoring vulnerabilities. Yet research consistently shows that threat actors routinely exploit a broader range of weaknesses, including lower-scoring vulnerabilities on internet-facing assets, to gain initial access and move laterally through victim environments. 

While BOD 24-04 represents a significant step forward, there are still hidden challenges organizations will face as they adopt a risk-based approach. The operational reality is that executing a truly risk-based matrix validates what Flashpoint has maintained for years: effective vulnerability prioritization requires deep, contextual threat data. Unfortunately, the needed real-world metadata for this kind of context are simply not supported by public sources of vulnerability intelligence.

Understanding BOD 26-04

BOD 26-04 evaluates the urgency of a vulnerability by cross-referencing a security flaw against four distinct operational variables:

  1. Asset Exposure: Is the asset publicly accessible via the internet?
  2. Known Exploited Status (KEV): Is there verifiable evidence of active exploitation in the wild?
  3. Exploit Automation: Can a threat actor completely automate the weaponization and delivery of the exploit?
  4. Technical Impact: Does a successful exploit result in partial disruption or total compromise of the target system?

By analyzing these variables in tandem, organizations can tier their response and execute clear, defensible SLA metrics.

Risk PriorityReal-World Matrix ConditionsRequired SLA & Operational Action
P1: Immediate RiskIn KEV + Publicly Exposed + Automatable + Total Impact3 Days (Includes Mandatory Forensic Triage)
P2: Urgent RiskIn KEV + Publicly Exposed + (Either Non-Automatable OR Partial Impact)7 Days
P3: Elevated RiskIn KEV + Internal / Non-Publicly Exposed Asset14 Days
P4: Standard RiskNot in KEV + Publicly Exposed + Automatable + Total Impact30 Days
Deferred RiskNot in KEV + Internal Asset OR Lower Technical ImpactNext Scheduled System Upgrade / Maintenance

According to CISA, the pilot testing of this model has shown that fewer than 1% of an organization’s typical vulnerability backlog requires urgent, immediate remediation, while over 60% can be safely deferred to standard system maintenance cycles. However, implementing this framework successfully requires access to granular, real-world data points that public sources of vulnerability intelligence simply do not support. 

“Speaking with security teams in the wake of this directive, it is clear that BOD 26-04 is a major paradigm shift. While the ability to safely defer more than half of your patch backlog is an invaluable efficiency gain for modern organizations, executing that strategy effectively requires ground-truth intelligence on exploit automation and adversary intent that public registries simply cannot deliver.

Josh Lefkowitz, CEO and Co-founder at Flashpoint

The Data Challenge

To operationalize this model successfully, organizations will require a high-fidelity intelligence pipeline that combines comprehensive threat and vulnerability intelligence into clear, context-rich insights that support prioritization and decision making. You cannot confidently defer remediation without verifiable intelligence that proves the vulnerability lacks active exploit history or automation maturity.

Unfortunately, relying on public data feeds like the CVE database or the National Vulnerability Database (NVD) to fuel this matrix creates an immediate operational bottleneck. Public repositories have historically struggled under severe analysis backlogs, leading to processing delays and missing Common Platform Enumeration (CPE) data. Furthermore, public feeds are inherently reactive; they do not monitor illicit communities where exploit code is developed, nor do they track the real-time weaponization metrics needed to meet BOD 26-04’s tight 3-day or 7-day compliance window.

How Flashpoint Solves the Prioritization Gap

Flashpoint Vulnerability Intelligence bridges the gap between public data limitations and the requirements of real-world exposure management. Independently researched and enriched, Flashpoint provides the precise contextual signals required by the CISA BOD 26-04 matrix:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity and remediation
  • Consistent enrichment that can be integrated into operational workflows
  • Over 7,000 known exploited vulnerabilities (KEV)

By integrating Flashpoint’s continuous intelligence into operational workflows, security teams can automatically validate exposure, assess automation potential, and confidently claim the operational relief that risk-based prioritization promises.

“We are convinced by Flashpoint’s superior vulnerability coverage, timeliness in the updates, and long-term monitoring of exploits. We also really appreciate Flashpoint’s proprietary CVSS rating and classifications based on expert knowledge of the standard and practical use in the industry. Having all this curated information at your fingertips is a game changer.”

Vulnerability Manager, Telecommunications

Prioritize Vulnerability Risk Using Flashpoint

CISA’s BOD 26-04 represents a critical shift away from severity-based patching and toward defensive efficiency. However, the effectiveness of this model is entirely dependent on the fidelity of your threat data.

Without best-in-class comprehensive vulnerability intelligence, security teams will be forced back into reactive patching cycles. Request a demo to learn more how Flashpoint helps security teams move beyond the constraints of static scoring and align their vulnerability management workflows with actual risk.

See Flashpoint in Action

The post The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04 appeared first on Flashpoint.

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Blogs

Blog

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Our new guide explores how infostealers are fueling modern identity-based attacks and how organizations can build a proactive defense before stolen access is weaponized.

SHARE THIS:
Default Author Image
June 10, 2026

The New Reality of Identity-Based Threats

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from devices infected with information-stealing malware, with each record containing usernames, passwords, session data, and the context needed to use them.

Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services, session artifacts reflected active logins, and much of the information was recent enough to enable direct access without triggering traditional security controls.

This incident reflects a broader shift in the threat landscape.

More than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.

11.1 million infected hosts and devices
3.3 billion stolen credentials
Top 5 most prolific infostealers in 2025 (by infected hosts or devices):
Lumma
Acreed
Rhadamanthys
Vidar
StealC
Top 6 countries affected by information-stealing malware, 2025:
India
Brazil
Indonesia
Vietnam
Phillipines
United States

For security teams, the challenge is no longer simply detecting a breach after it occurs. It is understanding when access may already exist — where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.

That’s why Flashpoint created Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.

Drawing on Flashpoint’s Primary Source Collection (PSC) and analyst-driven intelligence, this guide helps IT, Threat Intelligence, Fraud, and HUNT teams understand how infostealers operate, how stolen identity data fuels real-world attacks, and how organizations can move from reactive response to proactive defense.

The guide explores:

  • How today’s most active infostealers power modern attack chains
  • How threat actors weaponize stolen credentials, cookies, and session data
  • How organizations can operationalize infostealer intelligence for proactive defense
  • How to evaluate infostealer intelligence providers and detection capabilities

Why Identity Has Become the Preferred Attack Surface

For years, security teams focused on vulnerabilities, malware delivery, and network intrusion as the primary paths to compromise. Increasingly, however, threat actors are taking a different

Modern infostealers such as Lumma, StealC, Vidar, Acreed, and Rhadamanthys provide attackers with something more valuable than initial access: usable identity. These malware families collect credentials, browser artifacts, session cookies, application data, and host metadata that help threat actors understand how a victim authenticates and what systems they can access.

A single infected device can expose credentials, browser artifacts, session cookies, application data, host metadata, and access to enterprise SaaS platforms. Together, these artifacts create a detailed profile of how a user authenticates, what systems they access, and how those systems trust that identity.

This is what makes infostealer data so valuable.

For years, organizations have invested heavily in detecting malware, blocking exploits, and hardening infrastructure. Meanwhile, attackers have increasingly shifted to a simpler strategy: logging in with valid identities.

Infostealers have fundamentally changed the economics of access. Threat actors no longer need to compromise a network directly when billions of credentials, session cookies, and authentication artifacts are already circulating in underground ecosystems. The challenge for defenders has risen from preventing compromise to identifying where access already exists and how quickly it can be weaponized.

Ian Gray, Vice President of Intelligence at Flashpoint

Identity data is inherently reusable. A stolen credential can be tested across multiple services. A session cookie can potentially allow attackers to hijack authenticated sessions. Browser and host metadata can help threat actors recreate a victim’s environment and bypass security controls designed to detect suspicious logins.

What begins as a single infection can quickly evolve into access across multiple systems, applications, and organizations.

What Is an Identity-Based Attack?

Identity-based attacks occur when threat actors use legitimate credentials, session cookies, authentication tokens, or other identity artifacts to gain access to systems and applications. Rather than exploiting a vulnerability or deploying malware inside a target environment, attackers authenticate as trusted users using stolen identity data.

This shift is one of the primary reasons infostealers have become so valuable. Modern infostealer logs often contain far more than usernames and passwords. They may also include browser cookies, session information, host metadata, application data, and other artifacts that help attackers understand how a user authenticates and what systems they can access. When combined, this information enables account takeover, fraud, lateral movement, and other forms of identity-based abuse.

From Credential Theft to Identity Exploitation

The way threat actors operationalize stolen data is evolving just as rapidly as the data itself.

Historically, attackers often had to manually review stolen credentials and determine which accounts were worth pursuing. Today, that process is increasingly automated.

Infostealer logs can be aggregated, tested, and prioritized at scale, allowing threat actors to rapidly identify valid access across enterprise systems, SaaS platforms, VPNs, and cloud environments.

Flashpoint identifies this as a hybrid threat: the convergence of large-scale identity compromise and automated exploitation.

Once valid access is identified, attackers can move quickly. Credentials may be reused across services. Session data can be leveraged for account takeover. Access can be sold to ransomware operators, fraud actors, or other criminal groups. In many cases, exposure itself becomes part of the attack lifecycle rather than merely a precursor to it.

The result is a threat landscape where stolen identity data is not simply stored and sold. It is continuously tested, validated, reused, and operationalized.

Turning Exposure Into Actionable Intelligence

For defenders, prevention remains important. But prevention alone is no longer enough.

Organizations must also be able to identify when credentials, session cookies, and other identity artifacts have already been exposed and are circulating within underground ecosystems.

The earliest opportunity to intervene is often after data has been exfiltrated but before attackers have successfully operationalized it.

Achieving that visibility requires more than traditional breach feeds or aggregated datasets.

Flashpoint’s Primary Source Collection approach provides direct visibility into the forums, marketplaces, Telegram channels, malware repositories, and illicit communities where infostealer activity originates. Rather than relying solely on recycled breach data, Flashpoint continuously collects from the environments where stolen identity data is first shared, sold, and operationalized.

However, collection alone is not enough.

Raw infostealer logs are noisy, fragmented, and difficult to operationalize at scale. Flashpoint transforms these logs into structured intelligence through a multi-stage workflow that includes:

  • Source ingestion from underground ecosystems
  • Normalization and de-duplication of collected data
  • Automated parsing and enrichment of credentials, cookies, host metadata, and malware attribution
  • Structured output that supports alerts, investigations, and integrations across existing security workflows

This process helps defenders understand not only what was exposed, but who may be affected, how exposure occurred, what systems may be at risk, and how quickly action is required.

Building a Proactive Defense Across the Identity Layer

The rise of infostealers has fundamentally changed how organizations should think about attack surface management.

The attack surface is no longer limited to infrastructure, endpoints, or internet-facing applications. It now includes the digital identities of employees, partners, vendors, and customers.

Security teams need visibility into the identity layer itself — understanding where exposure exists, how attackers are leveraging stolen data, and what actions should be taken before access is exploited.

By combining direct visibility into underground ecosystems with structured, actionable intelligence, organizations can identify compromised accounts earlier, uncover infection trends, prioritize response efforts, and reduce the likelihood of downstream compromise.

Download Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense to learn how your organization can build a proactive defense program across the identity layer.

Key Infostealer Statistics

According to Flashpoint research:

  • More than 11.1 million devices were infected with infostealers in the last year.
  • Over 3.3 billion credentials, session cookies, cloud tokens, and identity artifacts are circulating across illicit markets.
  • Flashpoint analysts identified 30+ active infostealer strains being sold across underground ecosystems.
  • Flashpoint’s credential database contains 48+ billion credentials, including more than 1 billion tied to infostealer activity.
  • More than 4.2% of infostealer-exposed credentials include browser cookies that may support session hijacking.
  • Flashpoint can collect and parse some infostealer logs within one to two days of infection.

Frequently Asked Questions (FAQ)

FAQ: Infostealers and Identity-Based Threats

What is an infostealer?

An infostealer is a type of malware designed to collect sensitive information from an infected device. Depending on the strain, this can include usernames and passwords, browser cookies, session tokens, saved payment information, cryptocurrency wallets, system metadata, and other identity-related artifacts.

How do infostealers work?

Infostealers infect a victim’s device and collect information such as credentials, browser data, session cookies, autofill information, cryptocurrency wallet data, and system metadata. The stolen information is packaged into files known as infostealer logs, which can then be sold, shared, or operationalized by threat actors.

What information can infostealers steal?

Depending on the malware family, infostealers can collect usernames and passwords, session cookies, authentication tokens, browser history, saved payment information, cryptocurrency wallet data, system information, installed applications, and other identity-related artifacts. The goal is to provide attackers with enough information to access accounts and impersonate legitimate users.

What are the most common infostealers?

The infostealer ecosystem changes rapidly, but Flashpoint analysts currently track strains such as Lumma (also known as LummaC2/Remus), StealC, Vidar, Acreed, and Rhadamanthys among the most prominent malware families driving credential theft and identity-based attacks.

Why are infostealers so dangerous?

Infostealers provide attackers with more than credentials. Modern infostealer logs often contain the context needed to use stolen data, including session information, browser artifacts, and device metadata. This allows threat actors to perform account takeovers, move laterally within environments, and gain access to business-critical systems. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, contributing to a pool of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts.

What is an infostealer log?

An infostealer log is a package of data collected from an infected device. Logs may contain credentials, cookies, browser data, application information, host metadata, and other artifacts that help attackers understand how a victim authenticates and what systems they can access.

Can infostealers bypass multi-factor authentication (MFA)?

In some cases, yes. While multifactor authentication remains a critical security control, stolen session cookies and authenticated session data can sometimes allow threat actors to hijack existing sessions without needing to complete the MFA process themselves. Flashpoint found that more than 4.2% of infostealer-exposed credentials in its dataset were associated with browser cookies, highlighting the growing importance of session-based risk.

How do threat actors obtain infostealer logs?

Infostealer logs are frequently bought and sold across illicit marketplaces, forums, Telegram channels, and other underground communities. Many are distributed through Malware-as-a-Service (MaaS) offerings that make infostealer capabilities accessible to a wide range of threat actors. Flashpoint analysts identified more than 30 unique infostealer strains actively offered for sale across underground ecosystems.

How can organizations detect credential exposure from infostealers?

Organizations can monitor underground sources where stolen data is shared and sold, identify exposed credentials associated with their domains, and investigate related artifacts such as cookies, host metadata, and malware attribution. The earlier exposure is identified, the greater the opportunity to remediate before attackers operationalize access. Flashpoint collects and parses some infostealer logs within one to two days of infection, helping organizations detect exposure closer to the point of compromise.

What should organizations do if employee credentials appear in an infostealer log?

Organizations should immediately assess the scope of exposure, reset affected credentials, invalidate active sessions, review authentication activity, investigate the infected device, and determine whether additional accounts or systems may have been impacted.

How is Flashpoint’s approach to infostealer intelligence different from traditional breach monitoring?

Many organizations rely on aggregated breach feeds or credential dumps that may be weeks or months old by the time they are discovered. Flashpoint’s Primary Source Collection (PSC) approach provides direct visibility into the forums, marketplaces, Telegram channels, and underground communities where stolen identity data is first shared, sold, and operationalized.

In addition to collecting raw infostealer logs, Flashpoint parses and enriches the data with context such as malware attribution, session cookies, host metadata, browser artifacts, and affected identities. Today, Flashpoint’s credential database contains more than 48 billion credentials, including over 1 billion tied to infostealer activity, providing organizations with actionable intelligence rather than raw exposure data.

Request a demo today.

The post Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk appeared first on Flashpoint.

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

Received — 8 June 2026 Threat Intelligence Blog | Flashpoint

Connecting Vulnerability Intelligence to Real-World Exposure With Flashpoint EASM

Blogs

Blog

Connecting Vulnerability Intelligence to Real-World Exposure With Flashpoint EASM

In this post, we explore how Flashpoint’s External Attack Surface Management (EASM) capability helps organizations continuously discover internet-facing assets, identify exposure to critical vulnerabilities, and prioritize remediation efforts based on real-world risk.

SHARE THIS:
Default Author Image
June 5, 2026

The volume of vulnerability disclosures is higher than ever, yet most security teams are still struggling to act.

From vulnerability scanners to public sources and AI-accelerated discovery, organizations are often drowning in findings, but lack the context to prioritize what affects their perimeter and is actively being exploited. 

Compounding this challenge is the growing issue of unknown and forgotten assets. Up to 95% of a company’s assets change each year, creating critical external blind spots and leaving them vulnerable to attacks on unmonitored infrastructure.

As attack surfaces expand due to cloud adoption, shadow IT, acquisitions, and distributed environments, many organizations struggle to maintain control over what assets they own, what software is running on those assets, and therefore, where exposures exist. You can’t patch what you don’t know is there.

These are the challenges Flashpoint External Attack Surface Management (EASM) is designed to address. With the introduction of EASM in Flashpoint Ignite, organizations can continuously discover internet-facing assets, map them to Flashpoint Vulnerability Intelligence, and prioritize remediation efforts based on actual risk rather than vulnerability volume and severity alone.

“The most effective vulnerability management programs are built on more than vulnerability awareness alone,” said Josh Lefkowitz, Co-Founder and CEO of Flashpoint. “Organizations need to understand where exposure exists within their environment and focus remediation efforts where they will have the greatest impact. Flashpoint EASM helps connect vulnerability intelligence directly to exposed assets, giving security teams a clear path from identification to remediation.”

Understanding the Exposure Gap

For many organizations, vulnerability intelligence is no longer the limiting factor.

Security teams have access to more vulnerability data than ever before. They can track newly disclosed vulnerabilities, monitor exploit activity, review KEV catalogs, and identify emerging threats often within hours of disclosure. And Flashpoint customers get the added advantage of learning about vulnerabilities up to 2 weeks faster than NVD, as well as the growing 105K+ vulnerabilities that never make it to public sources.

But understanding whether those vulnerabilities affect assets the organization actually owns remains a challenge. And that challenge exists because asset visibility and vulnerability intelligence often live in separate workflows.

  • Asset inventories become outdated. 
  • Cloud infrastructure changes constantly. 
  • New internet-facing services appear without centralized oversight. 
  • Acquisitions introduce unfamiliar infrastructure. 
  • Shadow IT creates blind spots that security teams may not discover until after exposure is identified.

As environments become more dynamic, validating exposure often requires analysts to pivot between scanners, spreadsheets, asset inventories, cloud consoles, and vulnerability intelligence sources.

As a result, organizations must face a growing disconnect between understanding which vulnerabilities are out there vs. whether the organization is actually at risk.

Connecting Asset Discovery to Vulnerability Intelligence

Flashpoint EASM begins by discovering internet-facing assets associated with an organization, giving security teams an attacker’s-eye view of their external perimeter. Using seed domains and IP addresses, it initiates ongoing discovery across the external environment, uncovering infrastructure that often evades internal tracking, including:

  • Shadow IT and untracked cloud resources
  • Forgotten infrastructure and legacy internet-facing assets
  • Newly exposed services and subdomains

Once assets are validated, they are surfaced within Ignite and automatically correlated with Flashpoint Vulnerability Intelligence, including pre-NVD findings, KEV intelligence, and proprietary vulnerability coverage beyond public sources. Teams receive alerts when new assets are discovered and when newly identified vulnerabilities affect monitored assets. For a full walkthrough of the workflow, see the Flashpoint EASM product update.

Prioritizing What Actually Requires Action

Not every vulnerability on your attack surface demands the same response. Flashpoint EASM helps teams cut through the noise by combining asset exposure with intelligence on what attackers are actively exploiting, so remediation efforts focus on the vulnerabilities that create meaningful risk.

Rather than focusing on vulnerability severity alone, security teams can now prioritize based on actual exploit activity targeting their attack surface. Flashpoint EASM provides the clarity needed to make that shift.

Building a Continuously Monitored, De-Risked Perimeter

As attack surfaces continue to evolve, organizations need full attack surface visibility, intelligence on what attackers are exploiting, and an efficient path to remediation.

By connecting Flashpoint Vulnerability Intelligence directly to their exposed assets, organizations can move from reactive investigation to having confidence that their external perimeter is continuously monitored and de-risked.

Learn more about Flashpoint External Attack Surface Management and request a demo.

Frequently Asked Questions (FAQ)

What is External Attack Surface Management (EASM)?

External Attack Surface Management (EASM) helps organizations discover, monitor, and assess internet-facing assets that could be exposed to attackers.

This includes domains, subdomains, IP addresses, cloud infrastructure, internet-accessible services, and other externally exposed assets that may introduce security risk.

By continuously monitoring these assets, organizations can better understand their external attack surface and identify exposures that require remediation.

How is Flashpoint EASM different from traditional asset inventories?

Traditional asset inventories, CMDBs, and internal scanners often depend on manual updates and may not reflect the full scope of an organization’s internet-facing environment.

Flashpoint EASM continuously discovers external assets and maps them to Flashpoint Vulnerability Intelligence, helping organizations identify exposures that may otherwise remain difficult to track through static inventories alone.

Why is attack surface visibility important?

As organizations adopt cloud services, acquire new businesses, deploy new applications, and support distributed environments, external attack surfaces change constantly.

Without continuous visibility, security teams may struggle to identify unknown assets, shadow IT, forgotten infrastructure, or newly exposed services that increase organizational risk.

How does Flashpoint EASM help prioritize remediation?

Knowing a vulnerability is severe is only half the picture. Flashpoint EASM correlates discovered assets with our proprietary vulnerability intelligence, including KEV data and pre-NVD findings, so teams can prioritize based on the severity of vulnerabilities present on their actual attack surface.

What vulnerability intelligence is included?

Flashpoint EASM integrates directly with Flashpoint Vulnerability Intelligence, including:

  • Proprietary vulnerability coverage beyond public sources
  • Pre-NVD vulnerability findings
  • Known Exploited Vulnerability (KEV) intelligence
  • Vulnerability enrichment and contextual risk information

This allows organizations to understand both exposure and vulnerability relevance within a single workflow.

Does Flashpoint EASM support continuous monitoring?

Yes. Once assets are discovered and validated, Flashpoint EASM continuously monitors the external attack surface for newly identified assets, vulnerable software, exposed services, and relevant vulnerability findings.

Teams can receive alerts when new exposure risks are identified.

How does Flashpoint EASM reduce alert fatigue?

Traditional vulnerability programs generate large volumes of findings without clarity on whether those assets are actually owned or exposed. Flashpoint EASM’s triage inbox lets teams accept true assets and reject noise, ensuring alerts are scoped only to infrastructure the organization actually owns.

Who should use Flashpoint EASM?

Flashpoint EASM is designed for security teams responsible for:

  • Vulnerability management
  • Attack surface management
  • Exposure management
  • Threat intelligence
  • Security operations
  • Risk management

It is particularly valuable for organizations seeking to connect vulnerability intelligence to real-world asset exposure and remediation priorities.

How does Flashpoint EASM work with Flashpoint Vulnerability Intelligence?

Flashpoint EASM extends the value of Flashpoint Vulnerability Intelligence by helping organizations understand where vulnerable assets exist within their external environment.

Rather than viewing vulnerability intelligence and attack surface visibility separately, organizations can use both capabilities together to identify exposure, prioritize remediation, and reduce risk more effectively.

Request a demo today.

The post Connecting Vulnerability Intelligence to Real-World Exposure With Flashpoint EASM appeared first on Flashpoint.

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

How to Align and Measure Threat Intelligence Operations: Flashpoint Priority Intelligence Requirements

Blogs

Blog

How to Align and Measure Threat Intelligence Operations: Flashpoint Priority Intelligence Requirements

In this post, we explore how Flashpoint’s new Intelligence Requirements capability helps organizations define, manage, and operationalize PIRs directly within Ignite by connecting intelligence priorities, monitoring activity, investigations, and measurable operational outcomes into a more unified workflow.

SHARE THIS:
Default Author Image
May 29, 2026

For many intelligence teams, the hardest part of the intelligence lifecycle is no longer collection. It is operationalization.

Analysts are flooded with incoming activity every day, from credential exposures and actor chatter to vulnerability reporting and operational alerts. But without a structured way to connect those signals to business priorities and operational risk, many organizations still struggle to translate intelligence activity into actionable decisions and measurable outcomes.

That is exactly the problem Intelligence Requirements (IRs) are designed to solve.

With the introduction of Intelligence Requirements in Flashpoint Ignite, organizations can define, manage, and operationalize both General Intelligence Requirements (GIRs) and Priority Intelligence Requirements (PIRs) directly within their day-to-day intelligence workflows. By bringing intelligence priorities, monitoring activity, investigations, and reporting into a more unified operational model, teams can create clearer alignment between intelligence operations and organizational risk.

With Intelligence Requirements, organizations can:

  • Centralize and structure General Intelligence Requirements and Priority Intelligence Requirements (PIRs) directly within Ignite to create clearer alignment across intelligence operations.
  • Connect alerts and monitoring activity to business priorities and organizational risk to improve focus and prioritization.
  • Tie intelligence findings directly to Investigations workflows to support faster triage, collaboration, and response.
  • Accelerate adoption with pre-built PIR templates or create custom intelligence requirements tailored to organizational priorities.
  • Gain measurable visibility into intelligence activity, investigative trends, and how CTI supports operational and business outcomes.

“The most effective threat intelligence programs are the ones aligned directly to the priorities that matter most to an organization — from reducing operational risk to enhancing executive and mission-level decision-making,” said Josh Lefkowitz, Co-Founder and CEO of Flashpoint. “With Intelligence Requirements, Flashpoint is helping organizations with the critical effort to define and operationalize those priorities across intelligence workflows — creating a clearer connection between threat intelligence programs and outcomes.”

Turning Intelligence Priorities Into Operational Workflows

At its core, a Priority Intelligence Requirement represents a question an organization needs answered.

Examples might include:

  • Are credentials tied to our organization appearing in underground communities?
  • Is a ransomware group targeting organizations in our industry?
  • Are discussions about our executives increasing across threat actor forums?
  • Is new malware infrastructure emerging that overlaps with our environment?

Historically, PIRs have existed outside operational workflows entirely — tracked through spreadsheets, slide decks, ticketing systems, or institutional knowledge spread across analyst teams. Meanwhile, alerting, investigations, and reporting frequently operated across disconnected processes, making it difficult to maintain clear alignment between intelligence activity and organizational priorities.

The challenge is, as intelligence programs scale, that fragmentation creates operational friction. Analysts spend more time organizing workflows, managing signals, and explaining priorities instead of focusing on the intelligence questions that matter most.

Inside Ignite, Intelligence Requirements provide a more structured operational framework that connects:

  • Intelligence priorities
  • Monitoring activity
  • Investigations
  • Triage workflows
  • Collaboration
  • Operational outcomes

Building Signals Around Intelligence Questions

Once an Intelligence Requirement is defined, teams can begin building the signals designed to answer that requirement.

This transforms the role alerting plays within intelligence operations.

Rather than creating isolated alerts with little context, analysts can associate alerts directly to specific Intelligence Requirements. Those alerts become observable signals tied to the intelligence questions the organization is trying to answer.

For example:

  • A credential exposure alert may support an identity-focused PIR
  • Ransomware reporting alerts may support an executive risk PIR
  • Actor chatter or malware discussions may support a geopolitical monitoring PIR

This creates significantly more clarity for analysts:

  • Why does this alert exist?
  • What intelligence priority does it support?
  • Which signals are actually producing meaningful operational value?

As intelligence programs mature, that visibility becomes increasingly important beyond the analyst team itself. Security leaders are under growing pressure to explain how intelligence activity supports operational priorities, business risk reduction, and executive decision-making.

By organizing alerts around intelligence requirements instead of individual datasets alone, organizations gain a more operational view of intelligence activity and its relevance to broader business objectives.

Creating a Stronger Feedback Loop Between Monitoring and Prioritization

One of the biggest challenges intelligence teams face today is alert fatigue.

Large volumes of alerts can overwhelm analysts and obscure the signals most relevant to operational risk. Over time, this makes it harder to prioritize analyst attention, refine monitoring strategies, and understand which intelligence activity is actually producing operational value.

Intelligence Requirements help bring more structure and context to monitoring workflows by connecting incoming activity directly to defined intelligence priorities.

Instead of reviewing alerts in isolation, analysts can evaluate activity within the context of the PIRs it supports. This gives teams clearer visibility into:

  • Which signals consistently produce meaningful intelligence
  • Where noisy monitoring workflows are slowing analysts down
  • Which intelligence priorities are driving the most operational activity
  • How analyst effort aligns to organizational risk

Over time, this creates a stronger operational feedback loop. Monitoring workflows can be refined based on investigative outcomes, low-value signals become easier to identify, and teams gain a clearer understanding of which intelligence activity deserves the most attention.

The result is a more intentional and measurable approach to intelligence monitoring that helps analysts spend less time managing noise and more time focusing on operationally relevant signals.

Connecting Intelligence Activity to Collaborative Investigations

Prioritizing signals is only part of the workflow.

When activity warrants deeper analysis, analysts can move directly from alert triage into Investigations within Ignite. This is where Intelligence Requirements begin connecting monitoring activity to collaborative operational response.

Investigations provide a centralized environment where teams can organize findings, preserve investigative context, track evolving activity, coordinate across stakeholders, and develop operational reporting around emerging threats.

Importantly, investigations remain connected back to the original Intelligence Requirement, helping preserve the broader operational context behind the work and maintain alignment between investigative activity and organizational priorities.

This creates a more continuous operational process:

  1. Define the intelligence question
  2. Build monitoring workflows around relevant signals
  3. Prioritize incoming intelligence
  4. Escalate meaningful findings into investigations
  5. Collaborate, analyze, and report on operational activity
  6. Refine monitoring workflows based on outcomes

Within Ignite, analysts can also leverage AI Workspace capabilities to accelerate analysis, summarize investigative findings, and support downstream reporting workflows.

By connecting monitoring, investigations, collaboration, and analysis within the same operational framework, organizations gain a clearer understanding of how intelligence activity supports operational decision-making and business risk management.

Supporting More Mature Intelligence Operations

As threat environments become more complex, operational maturity increasingly depends on an organization’s ability to connect priorities, monitoring activity, investigations, and outcomes within the same framework.

That challenge extends beyond the analyst team itself. Intelligence leaders are increasingly expected to demonstrate how intelligence activity supports operational priorities, informs risk decisions, and contributes to broader business objectives.

Intelligence Requirements help organizations create a more structured and measurable operational model by connecting intelligence priorities directly to monitoring workflows and investigations inside Ignite.

Over time, this gives organizations clearer visibility into:

  • which priorities are generating operational activity
  • where analysts are spending investigative effort
  • how intelligence supports organizational risk management
  • how CTI workflows contribute to operational and business outcomes

By reducing fragmentation across workflows and maintaining stronger alignment between intelligence activity and organizational priorities, teams can spend less time managing process and more time focusing on the intelligence questions most relevant to the business.

Learn more about Flashpoint Intelligence Requirements and request a demo.

Request a demo today.

The post How to Align and Measure Threat Intelligence Operations: Flashpoint Priority Intelligence Requirements appeared first on Flashpoint.

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

Blogs

Blog

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

In this post we break down the technical mechanics of TeamPCP’s recent campaign, the impact on the developer ecosystem, and the urgent steps needed to secure software supply chains.

SHARE THIS:
Default Author Image
May 28, 2026

The developer ecosystem recently faced one of its most significant architectural threats to date, with the threat actor group TeamPCP unleashing Mini Shai-Hulud—a self propagating worm and multi-ecosystem threat. Potentially affecting millions of developers and thousands of companies, Mini Shai-Hulud has fundamentally compromised the trust layer of modern CI/CD pipelines.

The operational tempo of Mini Shai-Hulud has accelerated with every campaign. What began as opportunistic credential theft has now evolved into a high-speed, automated operation that can compromise hundreds of packages in under thirty minutes. From the exfiltration of approximately 3,800 internal GitHub repositories to the poisoning of critical libraries like TanStack and AntV, TeamPCP’s campaign has been incredibly effective in exploiting developer tooling and identity infrastructure.

What is Mini Shai-Hulud?

Mini Shai-Hulud is deployed as a 498 KB obfuscated script executed using the Bun JavaScript runtime. The deliberate choice of Bun, rather than Node.js, is a tactical evasion technique as most endpoint detection and response (EDR) platforms and security information and event management (SIEM) solutions have behavioral rules tuned to Node.js execution patterns.

How Mini Shai-Hulud Works

The worm propagates by stealing npm and GitHub authentication (OIDC) tokens from developer environments, then using those credentials to publish malicious versions of packages the compromised user maintains. To accomplish this, the worm scrapes runner process memory to extract short-lived identity tokens, which it then exchanges for per-package npm trusted-publisher tokens without requiring any long-lived npm secrets.

Credential Exfiltration and Command-and-Control

Mini Shai-Hulud targets credentials across 130 file paths, including npm tokens, GitHub personal access tokens, AWS, GCP, and Azure configuration files, Kubernetes kubeconfig files, Docker credentials, HashiCorp Vault tokens, 1Password and Bitwarden CLI vaults, SSH private keys, and Bitcoin wallet files. 

Exfiltration occurs across multiple channels: the Session Protocol network, the GitHub Git Data API using dynamically created Dune-themed repositories on victim accounts, HTTPS to the threat actor-controlled domain, and an api for GitHub Actions workflow exfiltration.

The worm uses a dead-drop command-and-control (C2) architecture via GitHub’s public commit search API. An installed daemon (kitty-monitor, deployed as a systemd service on Linux or a LaunchAgent on macOS) polls GitHub for commits containing the string “firedalazer,” parses RSA-PSS-signed command payloads from matching commits, and executes them. This technique leverages GitHub as a trusted relay, making C2 traffic difficult to block without disrupting legitimate GitHub usage.

The worm then uses a persistence mechanism as a dead-man’s switch: a GitHub personal access token named “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” is created on compromised developer machines. If an operator revokes this token without first disabling the persistence mechanism, the worm destroys all home directory data on the compromised device.

AI Agent Hijacking

Beyond standard persistence mechanisms, Mini Shai-Hulud targets AI coding agents. The SafeDep analysis documents that the worm modifies Claude Code’s settings .json to insert a SessionStart hook, enabling the worm to be reinstated with full LLM API privileges even if the infected npm packages are later removed, or the npm cache is cleared. A similar technique targets Visual Studio Code’s tasks.json file using the “runOn”: “folderOpen” trigger, and Codex configuration files are also targeted.

These AI agent hijacking techniques represent a novel attack surface: by persisting within trusted AI tool configurations, the malware can exfiltrate all code and secrets processed by those tools during future development sessions.

Four Waves of Supply Chain Attacks

Flashpoint has observed at least four documented waves of TeamPCP npm and PyPI supply chain attacks in 2026, leveraging Mini Shai-Hulud to compromise developer tooling ecosystems and steal credentials, cloud keys, and source code across tens of thousands of organizations. 

The following timeline tracks the escalation of TeamPCP and the Mini Shai-Hulud waves throughout 2026:

Wave 1: Initial SAP Packages (April 2026)

The first documented wave of Mini Shai-Hulud attacks targeted a small number of SAP-ecosystem npm packages in April 2026. While TeamPCP had already proven their CI/CD attack capabilities in March 2026 by compromising Aqua Security’s Trivy scanner and Checkmarx KICS via GitHub Actions, this initial wave served primarily as a proof-of-concept for the self-propagation mechanism and a reconnaissance phase for TeamPCP’s access broker network. Further, these attacks demonstrated the group’s ability to compromise widely used security tooling—a development that significantly undermines defenders’ ability to trust automated CI/CD pipeline scanning results.

Wave 2: TanStack, Mistral AI, and Guardrails AI (May 2026)

Leveraging a GitHub Actions cache-poisoning technique, TeamPCP published malicious versions of 42 TanStack packages across 84 releases, impacting a project with over 518 million cumulative downloads. 

The attack also compromised Mistral AI and Guardrails AI, extending the attack surface to the AI developer tools ecosystem. Forged commit authorship was used to blend the attacker’s commits into AI-assisted development environments where Claude Code is commonly deployed.

TeamPCP simultaneously listed Mistral AI source code for sale on BreachForums, claiming possession of approximately 5 GB of data across 450 internal Mistral repositories.

TeamPCP BreachForums posts advertising Mistral AI internal source code and repositories for sale, May 2026. (Source: Flashpoint)

Wave 3: AntV Ecosystem (May 2026)

Targeting AntV enterprise data visualization ecosystem, TeamPCP compromised the atool npm account, which held publishing rights across a broad catalog of AntV packages. In 22 minutes, 637 malicious versions were published across 323 packages—a scale and speed that overwhelmed standard security monitoring pipelines.

Each infected package contained the Mini Shai-Hulud worm, which, upon execution, created up to 2,500 compromised repositories on victim accounts within hours.

Wave 4: Co-Ownership of BreachForums and GitHub Breach

In the most recent wave, TeamPCP announced its assumption of co-ownership of BreachForums, the largest English-language cybercriminal forum currently active. This development significantly elevates TeamPCP’s standing and operational reach. As co-owners, the group stated it would manage platform operations, handle dispute resolution, staff and vet moderation personnel, and host monetary contests for the community. The announcement positions TeamPCP as both an active threat actor and a platform-level infrastructure operator, with the ability to shape forum policies, curate the availability of criminal tooling, and influence the broader access broker and ransomware ecosystem.

Additionally, by poisoning a GitHub employee’s development environment, TeamPCP exfiltrated approximately 3,800 internal GitHub repositories. Within the stolen data were highly sensitive codebases such as:

  • copilot-api and copilot-token-service
  • actions-runtime
  • billing-platform
  • enterprise-crypto
  • authentication
  • codeql-core
  • detection-engineering
  • csirt
  • azure-config
TeamPCP BreachForums posts advertising GitHub internal source code for sale. (Source: Flashpoint)

Recommended Immediate Actions

Critically, the theft of internal source code from one of the world’s most widely used code hosting platforms creates incredible downstream risk for organizations that depend on GitHub Copilot and GitHub Actions for their own software development pipelines. Organizations running AI coding agents such as Claude Code and VS Code with extensions in their CI/CD pipelines face heightened exposure. Security teams should treat AI agent configuration files as sensitive assets subject to integrity monitoring and change-control policies.

If your organization uses npm, PyPi, or AI-assisted development tools, Flashpoint recommends the following immediate steps:

  1. Audit and remove: Immediately audit CI/CD environments and remove all infected versions of AntV, TanStack, Mistral AI, and Bitwarden CLI packages.
  2. Rotate credentials: Rotate all cloud credentials (AWS, GCP, Azure) and npm tokens.
  3. Disable persistence first: Before revoking suspicious GitHub tokens, ensure the kitty-monitor daemon is disabled to avoid triggering the “dead-man’s switch” wiper.
  4. Lock down IDEs: Restrict the installation of VS Code extensions to an approved allow-list and monitor for unauthorized changes to settings.json or tasks.json.
  5. Block C2 infrastructure: Block all traffic to identified TeamPCP C2 domains.

Track TeamPCP and Defend against Mini Shai-Hulud Using Flashpoint

Flashpoint assesses with high confidence that TeamPCP will continue to scale its supply-chain attacks against npm, PyPI, and developer tooling ecosystems. The group’s shift from direct execution to orchestrating a broader ecosystem via BreachForums signals a maturation into a platform-layer criminal operation. While TeamPCP has hinted that the group may be approaching “retirement” due to law enforcement pressure, this should be treated with caution. Whether a misdirection or a genuine exit plan, the open-sourcing of Shai-Hulud means the tradecraft is available to the wider cybercriminal community.

Organizations should reference the OpenSSF npm Best Practices guidance for a practical baseline in hardening their package consumption posture. Flashpoint customers can gain access to known Indicators of Compromise (IOCs) and MITRE ATT&CK Mapping for Mini Shai-Hulud by logging into Flashpoint Ignite. To learn more about how Flashpoint tracks threat actor groups like TeamPCP and protects the software supply chain, request a demo.

Request a demo today.

The post The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation appeared first on Flashpoint.

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

Blogs

Blog

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

In this post, we dive into the decentralized architecture of “The Com,” exposing its hybrid ecosystem of hacking, extortion, and real-life violence—and how it fuels a ruthless pipeline of cyber-fraud cycles and adolescent exploitation.

SHARE THIS:
Default Author Image
May 26, 2026

What is “The Com”?

The Community, more widely known as “The Com” is a sophisticated hybrid threat ecosystem in which cybercrime serves as the venture capital for domestic terrorism. Existing since the early 2010s, it operates in the “edgesphere”, a grey area where mainstream social media overlaps with underground criminal networks, blending nihilistic violent extremism (NVE) with high-level financial fraud. In The Com, cybercrime against Fortune 500 companies is the primary revenue stream used by members to fund a domestic terror network that aims to radicalize youth and encourage real-world violence.

However, The Com poses more than just financial risk, it is a self-serving victim-to-perpetrator pipeline. It uses stolen capital to recruit adolescents, who they view as a disposable workforce, turning them from a victim to a perpetrator. Despite being a decentralized web of individuals rather than a traditional threat actor organization, The Com has managed to grow by hiding in the gaps between corporate security, parental oversight, and law enforcement.

How The Com is Structured

The Com is often mischaracterized as a single, formal organization. In reality, its ecosystem is unstructured and lacks a shared culture or leadership. However, the various factions within the ecosystem are extremely organized, supporting three broad categories of criminal activity: cybercrime, exploitation of minors, and real-world physical violence.

Federal investigations have shown that The Com includes a mix of adults and minors, men and women. While the exact number of members is difficult to determine, Flashpoint estimates that the broader ecosystem of The Com is in the thousands. While being a global threat, its most active core members are concentrated in Western English-speaking countries: the United Kingdom, the United States, and Canada.

Understanding the Key Pillars of The Com

While The Com is a decentralized ecosystem, its internal structure is defined by a high degree of operational alignment. Individual crews and networks within each pillar exhibit a shared psychology and standardized tradecraft that ensures their criminal activities remain effective and repeatable.

However, Flashpoint notes that members of these pillars do not operate alone. Their interaction with members of other pillars (extortion and real-world violence) amplifies the intended threat.

HACKER Com: The Economic Engine of The Com

Hacker Com acts as the ecosystem’s economic engine and primary technical arm. Its primary function is to hack major corporations and commit financial fraud to fund the broader community’s activities and lifestyle.
Seeing themselves as the elite technical tier of The Com, Hacker Com members are motivated primarily by financial gain and the thrill of outsmarting corporate security infrastructures. Notable crews within this pillar include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce.

TTPs Used by HACKER Com

The following tactics, tools, and procedures (TTPs) have been observed by HACKER COM groups:

Social Engineering (Vishing)

Hacker Com members capitalize on TTPs that target human vulnerabilities instead of relying solely on software and other exploits. Vishing is a signature move of the Scattered Spider crew, whose native English-speaking members call corporate IT helpdesks impersonating employees of that company. 

Analysts note these threat actors are likely Gen Z who socially engineer older support staff by mimicking the impatient attitudes and vernacular of young tech executives, essentially hacking the generation gap. They leverage this form of social engineering to convince support staff to reset passwords or even re-enroll new multifactor authentication (MFA) devices, which grants them access to the victims’ networks.

Supply Chain Targeting

Crews in this pillar have also successfully breached major targets by attacking their trusted vendors. For instance, Lapsus$ compromised Okta by targeting its third-party contractor, Sykes, while Scattered Spider has repeatedly targeted Okta’s identity services to pivot into their clients’ networks.

Living-off-the-land (LOTL)

Once inside a network, threat actors avoid detection by using legitimate, preexisting software and other remote admin tools such as AnyDesk, Ngrok, and Teleport to maintain persistence and move laterally. They often gamify this access, mocking victims for allowing them to simply “log in” using standard admin tools rather than having to hack their way in via complex exploits. They treat the ease of access as a testament to the victim’s incompetence.

SIM Swapping

A SIM swap attack is a foundational TTP used by financially motivated actors that involves social engineering mobile carriers to hijack a target’s phone number, usually resulting in the takeover of high-value cryptocurrency accounts.

EXTORT Com: The Ideological Engine of The Com

The Extort Com pillar functions as a machine designed for psychological control, coercion, and sexual exploitation of minors. Its goals intersect squarely with NVE ideologies, resulting in a marketplace and production center for CSAM and extreme violence, where members often trade these materials as a form of social currency.

Targets are migrated from public channels, which include social media and video games such as Roblox and Minecraft, to private ones maintained by The Com. Once moved, the dynamic shifts from recruitment to active exploitation, which is done to ensure the victim’s compliance.

IRL Com: The Enforcement Engine of The COM

The “In Real Life” (IRL) pillar serves as the physical enforcement arm of the ecosystem, effectively bridging the gap between virtual threats and reality. Sometimes referred to by law enforcement as “IRL Terror,” members often turn online animosity and disputes into real-world harm against people and their property.

Protect Against Converging Threats Using Flashpoint

The evolution of The Com represents a fundamental shift in the global threat landscape. It is not enough to view cybercrime as a purely financial risk or domestic extremism as a purely ideological one, the two have merged into a self-sustaining engine where stolen corporate capital fuels the radicalization and exploitation of the next generation.

As The Com continues to professionalize its tradecraft and expand its reach, the boundary between our digital and physical worlds will only continue to thin. To protect against this decentralized threat, organizations will require a mutli-layered defense strategy that is powered by intelligence that is sourced at the heart of these groups. Request a demo to learn more.

Request a demo today.

The post Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” appeared first on Flashpoint.

Received — 20 May 2026 Threat Intelligence Blog | Flashpoint

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

Blogs

Blog

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

A monthly analysis of how artificial intelligence is used in illicit communities, based on Flashpoint proprietary intelligence and direct visibility into real threat actor environments.

SHARE THIS:

A finance employee joins a video call with their CFO and several colleagues. The request is routine. The faces match. The voices sound authentic. Minutes later, $25 million is transferred—only to be discovered later that every participant on the call, except one, was AI-generated.

Techniques behind incidents like this—synthetic video, voice cloning, scripted interactions—are now being discussed openly in the same environments where threat actors exchange tools and methods. In April 2026 alone, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity.

This volume reflects a larger shift: artificial intelligence is now deeply embedded across cybercrime ecosystems, influencing fraud, impersonation, social engineering, and access operations at scale. It shows up in how content is generated, how identities are replicated, and how workflows are executed and refined over time.

That’s why we created the monthly AI Threat Report to examine how threat actors are using artificial intelligence in real-world illicit environments. Drawing on Flashpoint proprietary intelligence and direct visibility into primary source communities across forums, marketplaces, and chat services, the report analyzes the tactics, tools, and operational patterns shaping malicious AI use. Analysis of April’s activity shows a focus on prompt-sharing, jailbreak methods, and alternative models that support fewer safeguards or moderation controls.

AI Activity Volume and What It Represents

In April 2026, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity across forums, marketplaces, and chat services.

Mentions of AI in conjunction with illicit advertisements and discussions in April 2026. (Source: Flashpoint)

The underlying activity was concentrated around a familiar set of use cases and workflows:

  • identity verification bypass
  • fraud enablement and scripting
  • impersonation through synthetic media
  • prompt-sharing and jailbreak workflows

However, the emphasis within those discussions shifted in several places in April.

  • Posts tied to custom malicious LLM development appeared less frequently than discussions centered on usability: how to bypass safeguards, generate more reliable outputs, or move activity onto platforms perceived as less restrictive. 
  • References to alternative models and prompt collections appeared more often throughout the month, alongside requests for jailbreak methods and phishing-oriented outputs.

This activity points to a more mature stage of adoption. The focus is less on building entirely new tooling and more on improving reliability, portability, and ease of use within workflows that already exist.

That pattern shows up repeatedly across monitored sources. Users exchange prompts, repost working methods, and refine outputs through direct feedback. In many cases, the same underlying techniques continue circulating with only minor changes between platforms or communities.Looking across April activity helps identify which methods continue to generate demand, where threat actors are adapting around platform restrictions, and which workflows remain active across multiple environments.

Where AI Activity Is Concentrated

AI-related activity in April remained concentrated on a small number of platforms, though the distribution shifted noticeably compared to March.

Telegram accounted for the majority of observed activity, with 1,395,075 posts tied to AI services and discussions. Reddit, GitHub Gist, Pastebin, Discord, and smaller forums accounted for significantly lower volumes.

Posts selling AI services (in red) and posts seeking to purchase AI services (in blue) on Telegram in April 2026. (Source: Flashpoint)

The lower Telegram volume does not indicate reduced interest in AI-enabled activity. The platform continues to function as a primary distribution layer for prompts, jailbreak methods, fraud tooling, and service advertisements.

Across April, the same prompts, offers, and workflows appeared repeatedly across channels, often reposted with only minor adjustments. Sellers updated listings based on user feedback, while buyers requested revisions tied to specific outputs or platforms.

Other platforms served more targeted roles:

  • GitHub Gist and paste sites hosted scripts or supporting material
  • forums supported reputation building and longer technical discussions
  • Discord communities centered around specific models, prompt collections, or jailbreak workflows

The activity remains connected across environments. Methods introduced in one community frequently reappear elsewhere, particularly when they produce reliable outputs or help users work around moderation controls.Tracking how these discussions move between sources helps identify which workflows continue to gain traction and which techniques are becoming more broadly operationalized.

AI-Enabled Fraud and Identity Verification Bypass

Across April, Flashpoint analysts observed 63,763 posts advertising or discussing KYC bypass methods using artificial intelligence, including deepfake-enabled verification workflows.

The methods were active across Telegram channels dedicated to identity verification bypass services.

Posts continued to advertise:

  • synthetic video generation designed to mimic live verification behavior
  • voice cloning and scripted interaction prompts
  • bundled “KYC bypass kits” tailored to onboarding and verification workflows

Some offerings included guidance on how to adapt responses for specific platforms or verification requirements. Others promoted combinations of synthetic video, matching fake documentation, and AI-generated scripts designed to support impersonation attempts from start to finish.

The broader workflow remains consistent. AI supports how identities are replicated, how verification checks are navigated, and how fraud operations are scaled across different services.

This activity connects directly to the wider access ecosystem already observed across illicit communities. Stolen credentials, session tokens, phishing infrastructure, and AI-enabled impersonation methods increasingly operate alongside one another within the same workflows.

Across April, posts tied to these methods continued to show active refinement through user feedback, reposting, and platform-specific variations.

For security teams, this activity remains relevant at the control layer. Verification systems, onboarding workflows, and account recovery processes continue to be tested in the same environments where these methods are exchanged and improved.

Malicious LLM Usage and Prompt-Based Workflows

Across April, discussions tied to malicious or unrestricted LLM usage focused heavily on jailbreak methods, prompt-sharing workflows, and access to alternative models perceived as less restricted than mainstream platforms.

The top observed malicious LLMs mentioned within Flashpoint Collections in April 2026. (Source: Flashpoint)

Flashpoint analysts observed a significant increase in discussions related to VeniceAI, driven in part by newly created Reddit and Discord communities dedicated to the platform. The increase highlights continued interest in models that users believe operate with fewer safeguards or moderation controls than services like ChatGPT or Gemini.

The activity centers on usability and output reliability.

Posts reference:

  • jailbreak prompts designed to bypass safeguards
  • phishing and fraud-oriented prompt collections
  • step-by-step instructions for generating specific outputs
  • requests for prompts tailored to impersonation or social engineering workflows

Many of these prompts are shared in collections that include updates, revisions, or support channels. Users exchange feedback when prompts stop working, outputs degrade, or platforms introduce new restrictions. Updated versions frequently follow within short timeframes.

This type of activity reinforces how prompt engineering has developed into its own service layer across illicit communities. The focus is not limited to the underlying model itself, but to the ability to generate repeatable outputs that can be applied directly within fraud, phishing, or impersonation workflows.

Across April, the same prompt structures and jailbreak methods appeared repeatedly across multiple sources, often with only small adjustments tied to platform or target.

The emphasis remains on accessibility, portability, and ease of use rather than custom model development.

Operational Patterns and What Holds Across Sources

Across April, the same behaviors continued to appear across different environments with only minor variation.

Prompt libraries, jailbreak methods, phishing workflows, and identity verification bypass techniques circulated across Telegram channels, forums, Discord communities, and paste sites. The wording changed slightly between platforms, though the underlying structure and outputs remained consistent.

This reuse is visible in how content moves between sources. A jailbreak prompt shared in one channel appears elsewhere with revised wording or additional instructions. A phishing workflow posted to a forum is copied into a paste site and redistributed through Telegram. Users request modifications, test outputs, and repost updated versions when restrictions change or methods stop working.

That cycle appeared repeatedly throughout April.

The activity also showed strong feedback loops tied to usability. Discussions focused heavily on which prompts generated reliable outputs, which models produced fewer restrictions, and which workflows required the least adjustment before use.

Across monitored sources, the same operational priorities appeared consistently:

  • reliability of outputs
  • ease of reuse
  • ability to bypass safeguards
  • compatibility with existing fraud and impersonation workflows

Looking across April activity reinforces how AI-enabled methods continue to mature through repetition, iteration, and distribution across connected communities.

What Security Teams Should Take Away

The activity tracked in this report shows how artificial intelligence is being used in environments where techniques are developed, tested, and shared before they surface elsewhere.

Across these communities, methods tied to fraud, impersonation, and access are reused, adjusted, and circulated in forms that others can apply directly. That process does not require significant change to move from discussion into use.

For security teams, the priority is maintaining visibility into how these methods are evolving and where they are being applied. That visibility supports earlier detection, more focused response, and a clearer understanding of which techniques are actively in circulation.

Monitoring these sources provides that context. It connects observed activity to the methods behind it and helps teams track how those methods develop over time.

If you want to see how this activity maps to your environment, request a demo.

Request a demo today.

The post AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities appeared first on Flashpoint.

Received — 19 May 2026 Threat Intelligence Blog | Flashpoint

How Mergers and Acquisitions Expand Your Attack Surface Overnight

Blogs

Blog

How Mergers and Acquisitions Expand Your Attack Surface Overnight

This post details how M&A activity can turn an acquisition target into an entry point into your environment and how to identify and reduce that exposure before it’s leveraged by threat actors.

SHARE THIS:
Default Author Image
May 14, 2026

M&A activity introduces immediate external exposure.

As soon as a deal is announced, the target’s infrastructure, access points, and identity footprint become relevant to a larger organization. Threat actors track acquisition activity and begin probing newly relevant environments quickly, often before integration planning is complete.

In one recent case, an external assessment of an acquisition target identified a publicly accessible VPN management interface tied to known exploited vulnerabilities. The configuration allowed session hijacking without credentials and had not been identified during internal reviews or due diligence. It was remediated within 24 hours of discovery.

The issue was reachable from the internet and aligned with active exploitation.

What Changes During an Acquisition

From a security perspective, the environment does not change at announcement. The context around it does.

The same systems, credentials, and configurations now sit within:

  • A higher-value organization
  • A broader identity and access ecosystem
  • A timeline where ownership and responsibility are shifting

That shift is enough to change how the environment is targeted.

Threat actors monitor acquisition activity because it helps them prioritize. A smaller organization with uneven controls becomes more valuable once it is tied to a larger parent. Access pathways that previously led to a limited environment may now provide a stepping stone into something much larger.

How Adversaries Approach M&A Activity

Observed behavior around acquisitions is consistent across sectors.

Actors look for environments that:

  • Expose remote access infrastructure (VPN, RDP, administrative interfaces)
  • Contain credentials already circulating from infostealer infections
  • Run edge devices tied to known exploited vulnerabilities
  • Maintain assets that are reachable but not actively monitored

They do not need full network visibility. They work from what can be discovered externally and validated quickly.

In several cases, ransomware operators and access brokers have been observed scanning for specific device types or software versions shortly after acquisition announcements, aligning targeting with known exposure patterns.

Why Traditional Due Diligence Doesn’t Surface This

Due diligence produces a structured view of security posture. External exposure requires a different lens.

Most diligence processes rely on:

  • Self-reported controls
  • Point-in-time vulnerability data
  • Documentation of architecture and policy

They rarely include:

  • Direct validation of internet-facing systems
  • Mapping of externally reachable assets
  • Alignment with current exploitation activity

This creates a gap between what is documented and what is accessible.

The exposure that matters most during this phase tends to sit outside formal reporting: edge infrastructure, unmanaged assets, and access points that have not been recently validated.

The Role of Identity in M&A Risk

Identity expands alongside infrastructure. Employee credentials tied to the target organization may already be compromised through infostealer infections. Those credentials often include:

  • Corporate email and password combinations
  • Session cookies tied to SaaS platforms
  • Autofill data and device metadata

Once an acquisition is announced, those credentials become more valuable. They are tested against:

  • VPN gateways
  • Cloud platforms
  • Internal applications exposed through remote access

Where Exposure Persists

Across M&A activity, a few categories show up consistently when environments are assessed externally.

Remote access remains one of the most reliable entry points. VPN gateways and administrative interfaces are frequently exposed and often lag behind patch cycles tied to active exploitation.

Edge devices introduce additional risk. Firewalls, load balancers, and network appliances are commonly targeted when they run software associated with known exploited vulnerabilities.

Untracked infrastructure also plays a role. Smaller organizations often maintain systems outside formal asset inventories. These systems remain reachable and are rarely monitored closely.

These conditions are present before integration begins and remain in place until they are actively addressed.

Timing and Execution

The period immediately following an announcement carries the highest concentration of unknowns.

  • Security ownership is in transition.
  • Monitoring coverage may not extend across the target environment.
  • External exposure remains unchanged.

At the same time, the environment is receiving more attention.

In the earlier example, remediation occurred within a day of discovery. Without that visibility, the same exposure would have remained available during a period of increased interest.

What This Looks Like in Practice

The teams that manage M&A risk effectively start from the outside and move inward.

The first step is establishing visibility into the target’s external footprint as soon as a deal becomes public. This includes identifying internet-facing infrastructure, exposed services, and access points that can be validated directly.

From there, the focus shifts to prioritization. Exposure is evaluated based on exploitability and alignment with current attacker behavior. Systems tied to known exploited vulnerabilities, remotely accessible services, and credential-based access paths rise to the top quickly.

Validation follows. Exposed systems are confirmed, configurations are reviewed, and access pathways are tested to determine what is actually reachable.

Once confirmed, response is immediate. High-risk exposure is remediated or restricted without waiting for integration milestones or broader security alignment.

This sequence is consistent across environments:

  • Establish visibility into internet-facing assets early
  • Validate exposed services and access points directly
  • Prioritize based on exploitability and active targeting
  • Act on confirmed exposure as soon as it is identified

Teams are at an advantage when they start this work while the environment is still limited in scope and before external attention translates into access.

See It in Your Environment

M&A activity introduces risk on a compressed timeline. External exposure does not wait for integration plans, and neither do attackers. If you’re supporting acquisitions, the first step is understanding what is already visible and reachable from the outside.

Flashpoint helps security and threat intelligence teams map internet-facing assets, identify exposed access points, and prioritize risk based on real-world exploitation and adversary activity.

Request a demo to see how Flashpoint supports acquisition-driven risk assessments, so you can identify and reduce exposure before it becomes an incident.

Request a demo today.

The post How Mergers and Acquisitions Expand Your Attack Surface Overnight appeared first on Flashpoint.

The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT

Blogs

Blog

The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT

In this post, we explore how the decline of geotagged data is reshaping location-based OSINT, the intelligence gaps it creates for analysts, and how AI-driven keyword generation and geofencing are restoring visibility into real-world events.

SHARE THIS:
Default Author Image
May 12, 2026

For years, location-based open-source intelligence (OSINT) has relied heavily on a steady stream of user-generated geographic data. Geotagged social media posts with embedded latitude and longitude coordinates have long been a goldmine for tracking regional trends, monitoring real-time events, and understanding on-the-ground public sentiment. Intelligence professionals and data scientists have historically used this passively-generated location-based data to aggregate real-time insights for everything from tracking public sentiment to monitoring natural disasters.

However, the era of effortless geographic tracking is coming to an end. Geotagged social media data is becoming increasingly scarce, making it significantly harder for security teams to gather a complete picture of location-based intelligence.

The Decline of Location Sharing

The primary driver behind the diminishing use of geotags is a massive shift in digital privacy standards. For instance, major platform-level policy interventions, such as Apple’s November 2021 iOS privacy update, changed the default consent model for device tracking. Instead of requiring users to actively opt out of location tracking, iPhone users must now explicitly opt in.

As a result of these strengthened privacy controls, a massive behavioral shift occurred: within a year of the iOS update, 62% of affected users chose to opt out of location tracking entirely. This platform-mediated behavioral barrier has drastically reduced the availability and visibility of granular location traces, creating complex new blind spots for researchers and intelligence analysts.

The Intelligence Gap

With precise coordinates disappearing from social feeds, security practitioners and OSINT investigators are left facing a major data void. Relying purely on traditional keyword or hashtag searches to find location-specific events is highly inefficient. In fact, as little as 7% of social media posts actually contain hashtags. If an analyst is scanning 10,000 posts a day looking for a specific hashtag, they could be missing up to 9,300 posts that hold critical intelligence.

To compensate for missing geotags, security practitioners have traditionally had to spend valuable time performing manual, tedious searches for specific local details like street names, landmarks, and local businesses to figure out where an event is taking place.

Bridging the Gap with AI

To overcome the increasing scarcity of explicit location data, the intelligence industry is leveraging artificial intelligence and spatial technologies.

AI-powered keyword optimization tools like Echosec’s new AI-powered “Optimize” feature are designed specifically to bridge this data gap. Instead of relying on users to share their precise coordinates, AI automatically generates hyper-relevant, location-based keywords for an investigator’s search. If an analyst is looking into a specific neighborhood, the AI will suggest relevant landmarks, tourist attractions, schools, government buildings, and businesses to monitor. This instantly converts manual, time-consuming research into an automated process, significantly increasing the volume and relevance of the data collected.

Geo-Based OSINT 2.0

Geo-based search combined with AI keyword generation is taking OSINT to the next level. Geofencing allows teams to draw virtual perimeters around physical sites, such as corporate offices, foreign meeting sites, or public gatherings, to monitor digital activity strictly within those areas. This means you don’t need to know what keywords or hashtags you are looking for; you only need to know where to look. This is incredibly valuable for real-time executive protection and monitoring civil unrest, as it surfaces visual intelligence and early warnings directly from the scene, cutting out irrelevant noise.

The Future of OSINT for Situational Awareness

The decline of the geotag is a victory for consumer privacy, but it isn’t the end of location-based intelligence. By leveraging AI-driven keywords and hyper-local geofencing, security teams can move beyond broad geographic searches. These smart tools alleviate research bottlenecks, allowing analysts to redirect their expertise away from exhaustive data hunting and toward the critical analysis needed to respond to threats before they escalate. The geotag may be fading, but our situational awareness remains sharper than ever.

Don’t let the intelligence gap compromise your situational awareness. Ready to move from tedious manual searches to immediate, actionable insights? Book your Echosec demo today and empower your team with the next generation of location-based insight.

Request a demo today.

The post The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT appeared first on Flashpoint.

Navigating the Threat Landscape of the 2026 FIFA World Cup

Blogs

Blog

Navigating the Threat Landscape of the 2026 FIFA World Cup

In this blog, we break down emerging threat activity, protest movements, cyber risks, and operational challenges shaping the security environment for the 2026 FIFA World Cup.

SHARE THIS:
Default Author Image
May 11, 2026

Updated June 2026

The 2026 FIFA World Cup will be unlike any tournament before it.

Set to run starting next month from June 11th to July 19th across the United States, Canada, and Mexico, this will be the first World Cup co-hosted by three nations and expanded to 48 teams across 16 host cities. More than five million fans are expected to attend matches in person, with billions more engaging globally.

That scale introduces a different class of risk. The World Cup is a distributed, high-visibility global operation spanning stadiums, transit systems, hotels, fan festivals, and digital infrastructure.

At the time of writing, Flashpoint analysts have not identified any specific, credible threats targeting the tournament. However, recent extremist propaganda and geopolitical tensions continue to reinforce the need for heightened vigilance across host nations.

A Converging Threat Environment

The risks surrounding the 2026 World Cup intersect across multiple domains.

Physical security, cyber activity, geopolitical tensions, and social movements all operate against the same infrastructure and audiences. Activity in one area can quickly affect another.

Flashpoint assesses that the most persistent risks across all host nations include:

  • Crimes of opportunity targeting visitors unfamiliar with local environments
  • Lone-actor attacks, including those driven by extremist ideologies
  • Overcrowding, fan conflicts, and unmanaged gatherings

These risks are amplified by the tournament’s scale and geographic distribution.

Civil Unrest and Protest Activity

World Cup tournaments routinely become platforms for protest.

For 2026, multiple movements are already organizing around the event:

  • “Boycott USA 2026” campaigns and groups like CODEPINK are calling for relocation of matches
  • The “50501 Movement” has signaled intent to leverage the tournament’s visibility for national demonstrations
  • Coalitions of civil society organizations have raised concerns around immigration enforcement, surveillance, and civil rights

Recent organizing activity has expanded beyond traditional anti-FIFA campaigns. Civil rights organizations, labor groups, anti-ICE coalitions, and community organizations in multiple host cities have announced or promoted demonstrations tied to immigration enforcement, displacement concerns, labor issues, and the broader social impacts of the tournament.

In the United States, Flashpoint analysts assess with high confidence that protests will occur across all host cities, with messaging tied to immigration policy, labor issues, and geopolitical tensions.

In Canada and Mexico, protests tied to environmental concerns, infrastructure impact, and global conflicts are also expected.

At this stage, most campaigns remain organizational rather than operational. But the scale of the event means even localized demonstrations can escalate quickly, especially around stadiums, transit hubs, and fan zones.

Physical Security and Crowd Risk

No specific terrorist plots have been identified. But that does not reduce the risk.

Large gatherings remain attractive targets for:

  • Lone actors seeking high visibility
  • Opportunistic criminals
  • Disruptive fan groups

Online chatter continues to reference potential attacks, including decentralized calls for violence from extremist-linked media outlets. Recently, a pro-ISIS media outlet released World Cup-themed propaganda that appeared designed to portray major football venues and international sporting events as symbolic targets, underscoring the continued threat posed by lone actors and extremist-inspired violence.

Beyond intentional threats, crowd dynamics pose a persistent risk. Past sporting events have shown how quickly panic, overcrowding, or pyrotechnics can trigger dangerous conditions, including crowd crush incidents.

Fan culture adds another layer. Organized groups such as Ultras and hooligan firms increasingly operate with coordination, using encrypted messaging, reconnaissance (“spotting”), and off-site meetups to avoid security controls.

Security concerns extend beyond traditional supporter culture. Some organized fan groups have evolved increasingly sophisticated tactics, including coordinated reconnaissance, plain-clothes scouting, encrypted communications, and deliberate efforts to move confrontations away from stadium security zones and into “soft zones” like bars, transit hubs, and other gathering locations.

Geopolitical Tensions and High-Risk Matches

Geopolitics will shape the security environment throughout the tournament.

The ongoing tensions involving the United States, Israel, and Iran are expected to influence both protest activity and threat perceptions. Iran’s participation—particularly matches held in U.S. cities—has already sparked debate, travel concerns, and increased security planning.

The issue extends beyond match security. Visa policies, travel restrictions, diaspora activism, and ongoing debate surrounding Iranian participation have already generated significant discussion among supporters, advocacy groups, and government stakeholders.

Certain matches carry elevated risk due to:

  • Historical rivalries
  • National identity tensions
  • Known fan group activity

These matches require heightened monitoring not just inside stadiums, but across surrounding areas where supporters gather.

The Expanding Cyber Threat Surface

The World Cup is also a large-scale digital event.

Even without identified active campaigns, Flashpoint analysts expect the tournament to function as a stress test for global infrastructure.

Key cyber risks include:

  • Ticketing fraud: Fake domains impersonating official FIFA platforms
  • Phishing and social engineering: Targeting fans, vendors, and staff
  • Ransomware and DDoS attacks: Disrupting transit systems, stadium operations, and hospitality networks
  • Infrastructure targeting: Exploiting vulnerabilities in public-facing systems

Researchers have already identified thousands of fraudulent domains impersonating FIFA-related services, alongside phishing campaigns designed to harvest credentials, hijack accounts, and resell legitimate tickets purchased by victims.

Threat actors are also expected to monetize the event through:

  • Fraudulent housing and rental listings
  • Rideshare and transportation scams
  • Sports betting manipulation and extortion

Even minor disruptions to digital infrastructure can have cascading effects on physical operations that cause delayed transportation, overwhelming venues, or other safety concerns.

Operational Security Gaps

Some of the most overlooked risks are also the simplest.

Attendees, staff, and media frequently post images of credentials like press passes, security badges, and access tokens on public social media. These images can be used to replicate credentials and bypass controls.

Similarly, fans often attempt to:

  • Access team hotels
  • Enter restricted areas
  • Interact directly with players

These behaviors create additional pressure on venue and hospitality security teams, particularly in high-profile locations.

Beyond the Stadium: Distributed Risk

The World Cup extends far beyond match venues. Security teams must account for:

  • Team base camps and training facilities
  • Fan festivals and unofficial gatherings
  • Hotels, tourist destinations, and transit systems
  • Cross-border travel between host nations
  • Increased human trafficking and exploitation risks associated with large-scale international travel and temporary workforces

Unauthorized fan festivals and spontaneous gatherings remain a persistent concern, often drawing large crowds without coordinated security planning.

At the same time, environmental factors including extreme heat, severe storms, flooding, air quality concerns from wildfires, and other weather-related disruptions may affect operations, travel, and crowd safety across host regions.

Getting Ready for the Tournament

The absence of identified threats should not be misinterpreted as low risk.

Events of this scale require continuous monitoring across physical, cyber, and social domains. Threat indicators often emerge early in:

  • Online forums and messaging platforms
  • Local protest planning
  • Fraudulent domain registrations
  • Changes in adversary behavior

Effective preparation depends on:

  • Broad, multilingual monitoring across open and closed sources
  • Correlation between physical and cyber indicators
  • Visibility into both high-profile targets and “soft zones”
  • Close coordination between public and private sector partners

Flashpoint recommends monitoring key terms such as “World Cup,” “FIFA,” “Fan Festival,” and related hashtags across intelligence platforms to maintain situational awareness.

Preparing for the Whistle

Building a robust threat monitoring architecture is a continuous process. Host cities and law enforcement often use smaller-scale international competitions as test runs to prepare for the scale and complexity of events like the FIFA World Cup.

By leveraging Flashpoint’s advanced search capabilities—including broad keyword coverage, wildcard operators, and visibility into deep and dark web communities—organizations can maintain awareness of emerging risks tied to large-scale events. From stadium infrastructure to digital ticketing platforms, actionable intelligence supports more informed, timely decisions.

To see how Flashpoint enables this level of visibility and monitoring in practice, request a demo.

Request a demo today.

The post Navigating the Threat Landscape of the 2026 FIFA World Cup appeared first on Flashpoint.

Received — 11 May 2026 Threat Intelligence Blog | Flashpoint

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

Blogs

Blog

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

In Flashpoint’s recent webinar, we examine the defining shifts shaping the 2026 threat landscape, from AI-driven attack automation to the growing role of identity in initial access. We analyze how infostealers, vulnerabilities, and ransomware activity are evolving, and where security teams should focus now.

SHARE THIS:
Default Author Image
May 8, 2026

In 2026, the threat landscape operates as a single, connected system. Identity, malware, and infrastructure are now part of the same attack chain, executed at a speed that compresses the time between access and impact.

What once required multiple stages and specialized tooling is now streamlined and automated.

Flashpoint recently hosted an on-demand webinar, “Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities,” where our intelligence team broke down the trends driving this shift. Drawing from primary source intelligence across forums, marketplaces, and closed communities, the session examined how modern attack chains are forming and evolving, as well as where defenders still have opportunities to intervene.

Here are the key takeaways you need to know to prioritize threats and protect your organization.

AI Is Being Operationalized Across the Attack Lifecycle

Artificial intelligence is now embedded across multiple stages of attacker workflows.

Flashpoint tracked more than 1.5 billion mentions of AI in illicit communities in 2025, with activity accelerating sharply toward the end of the year. These discussions center on how AI can be applied to real operations, including phishing, malware development, and fraud.

As Ian Gray, Vice President of Intelligence at Flashpoint, noted during the session, “Adversaries are extremely adept, and they’re constantly looking at how they can use the newest state-of-the-art tools—whether that’s commercial models or their own implementations—and how they can jailbreak them or adapt them to their workflows.”

One of the most notable developments is the use of agentic AI systems to automate tasks that were previously manual. These systems are being used to:

  • Test stolen credentials across VPNs, SaaS platforms, and cloud environments
  • Rotate infrastructure during active operations
  • Generate and refine attack inputs based on previous outcomes

Alongside this, threat actors are actively exploring ways to bypass safeguards in commercial AI tools, including:

  • Jailbreaking model restrictions
  • Embedding hidden instructions through prompt injection
  • Manipulating AI-powered features within enterprise applications

This activity reflects a sustained effort to integrate AI directly into attack execution rather than treating it as a standalone capability.

Identity Is Driving Initial Access

The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

As Gray explained, “Threat actors are finding a variety of ways to get into enterprise networks, and typically it’s through the human element. While humans can be trained or educated, it’s not something that can be patched in the traditional sense.”

This dynamic is already visible at scale.

Flashpoint observed 11.1 million infected devices and 3.3 billion stolen credentials in 2025. These credentials are extracted through infostealers and circulated across marketplaces, enabling direct access into enterprise environments.

In many cases, attackers are using:

  • Session cookies and tokens to bypass authentication flows
  • Browser fingerprints and system metadata to replicate legitimate user behavior
  • Valid credentials to access SaaS platforms, VPNs, and internal systems

Once access is established, activity often blends into normal user behavior, making detection more difficult. Compromised identities are also reused across multiple services, expanding the scope of potential exposure.

This pattern continues to appear in intrusion activity tied to SaaS platforms and third-party integrations, where access to one system can provide visibility into multiple environments.

Infostealers Are Enabling Scalable Access

Infostealers remain a primary driver of credential exposure.

Logs containing credentials, cookies, and system data are continuously harvested and made available through criminal marketplaces and subscription-based services. These logs are used directly or integrated into automated workflows that test and validate access at scale.

Gray pointed to how this plays out in practice: “Infostealers have really commoditized access. They harvest credentials, identify which ones are useful, and then test them at scale across VPNs, SaaS platforms, and cloud environments.”

The ecosystem continues to shift as law enforcement activity disrupts established players and new variants gain traction. Families such as Vidar, Lumma, and others maintain a strong presence due to accessibility and ongoing development.

In parallel, credential harvesting is feeding downstream activity, including:

  • Account takeover
  • Fraud operations
  • Data exfiltration and extortion

This linkage between initial access and follow-on activity is consistent across multiple reporting streams.

Vulnerability Exploitation Is Moving Faster

Vulnerability volume continues to increase alongside exploitation speed.

Flashpoint recorded more than 44,000 disclosed vulnerabilities in 2025, with over 14,000 tied to publicly available exploits. In several cases, exploitation activity followed disclosure within a day.

As Gray put it, “With vulnerabilities, it can feel like you’re trying to boil the ocean. There’s such a high volume of disclosures, but in reality, there’s a smaller set—those that are remotely exploitable, have proof-of-concept code, and are being actively used—that you need to focus on.”

Attacker focus is concentrated in areas that provide broad access or downstream impact, including:

  • Software supply chains and CI/CD environments
  • Open-source dependencies
  • Widely used enterprise platforms

Given the volume of disclosures, prioritization remains critical. Vulnerabilities that are remotely exploitable and paired with public exploit code present immediate risk, particularly when active discussion or exploitation is observed.

Ransomware Activity Continues to Shift

Ransomware activity increased by 53%, with continued changes in how operations are carried out.

Gray framed the shift this way: “Why even bother to develop ransomware? That takes time, resources, and overhead—when you can gain access through a compromised account or third-party platform and immediately move to extortion.”

In addition to traditional ransomware deployment, there is sustained activity centered on:

  • Data exfiltration followed by extortion
  • Use of compromised credentials for direct access
  • Targeting of third-party providers and SaaS platforms

Intrusions tied to help desks, identity workflows, and federated applications continue to appear in reporting, often involving social engineering or unauthorized access provisioning.

There is also ongoing activity related to insider recruitment, with threat actors seeking individuals who can provide direct access or privileged information.

Industries with higher operational dependencies, including manufacturing, technology, and healthcare, continue to be targeted due to the potential impact of disruption.

Translating Intelligence Into Action

The trends shaping 2026 are grounded in how attackers are currently operating across multiple domains.

As Gray emphasized, “You have to take into account vulnerabilities, exposures, infostealers, and identity compromise all at the same time. These aren’t separate problems anymore—they’re all part of the same attack chain.”

Security teams should focus on:

  • Identifying exposures with a high likelihood of exploitation
  • Monitoring for compromised credentials tied to organizational domains
  • Reviewing identity access and third-party integrations
  • Prioritizing vulnerabilities with active exploit availability
  • Tracking attacker activity across forums, marketplaces, and communication channels

These actions align with observed attacker behavior and provide a clearer path to prioritization.

Watch the Full Webinar and Explore the Data

The trends shaping 2026 are grounded in how attackers are already operating.

Flashpoint’s full webinar provides a deeper look at the data, along with practical guidance on how to translate intelligence into action.

Watch the on-demand session to see the full breakdown of these trends, or download the 2026 Global Threat Intelligence Report to explore the underlying data and analysis in more detail.

Request a demo today.

The post Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities appeared first on Flashpoint.

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

Blogs

Blog

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

In this post, we outline how cyber threat intelligence is evolving to support agentic AI-driven security operations, why MCP is emerging as a foundational standard, and how Flashpoint is operationalizing data for this new model.

SHARE THIS:
Default Author Image
May 7, 2026

Security teams are under more pressure than ever to move faster, see more, and act with confidence.

At the same time, the way cybersecurity investigations happen is evolving. The “human-in-the-loop” model is expanding: analysts increasingly direct AI agents that gather context, correlate signals across sources, and handle repetitive triage.

While AI is rapidly becoming a staple of modern security operations, a significant gap remains: most intelligence sources were originally designed for human consumption, not AI agents. Historically, threat intelligence platforms were built for analysts to log in and piece together disparate insights. While that model remains the gold standard for deep research, it can become a bottleneck in a high-velocity, agent-led workflow where AI assistants and automation pipelines are the primary investigators.

At Flashpoint, our Ignite threat intelligence platform was built to support deep investigative workflows, enabling analysts to search and connect intelligence across primary-source datasets and build a complete picture of emerging threats. That foundation remains critical.

But as workflows evolve, customers are increasingly looking to extend that same intelligence beyond the platform—into AI assistants, automation pipelines, and other environments where work is actively happening.

That raises an important question: How do you make high-value intelligence as usable for an AI agent as it is for a human analyst?

Today, we are outlining our approach to building the Flashpoint Model Context Protocol (MCP) Server, a strategic initiative that makes Flashpoint’s best-in-class intelligence accessible not only via our award-winning platform but also natively “AI-callable” within the agentic workflows of today and tomorrow.

What Is an MCP Server and Why Does It Matter in Cyber Threat Intelligence?

Model Context Protocol (MCP) is the standard for connecting AI systems to external data sources and tools. 

In practical terms, an MCP server provides a structured way for AI systems, like agents, assistants, copilots, and automation frameworks, to access and interact with data in real time.

For cyber threat intelligence, this represents a fundamental shift in how teams operate:

  • Faster investigations: AI agents can query and correlate data across disparate datasets in seconds.
  • Comprehensive coverage: By searching across all primary sources in parallel, teams eliminate the risk of missing critical intelligence. 
  • More seamless workflows: Analysts can stay within their agentic workflow without constant context switching.
  • Reduced integration overhead: Less need for custom engineering to connect intelligence into new environments.

Flashpoint MCP Server: A Foundation for AI-Native Threat Intelligence

Flashpoint has always differentiated itself on the quality and depth of our data, sourced directly from where threats emerge. Our goal is to ensure this intelligence is available wherever your analysts are working.

Currently, teams experimenting with AI assistants face significant friction: copying and pasting, relying on third-party bridges, or maintaining custom integrations.

We are building the Flashpoint MCP Server as a foundational access layer, the architectural connector that will power both external integrations and future AI experiences within the Flashpoint platform.

With this new layer, teams can:

  • Query intelligence in one workflow: Access intelligence reports, ransomware, vulnerabilities, communities, and Deep Dark Web, and technical indicators in a single research task rather than hopping tool-to-tool.
  • Ground AI agents in truth: Provide a direct, authenticated bridge to real-time, verified Flashpoint intelligence, ensuring AI responses are based on evidence rather than static training data or hallucinations.
  • Scale expert analysis: Use guided prompts and workflow templates to teach the AI exactly how to use our tools to conduct expert-level investigations across our datasets.

The threat intelligence industry is adopting MCP as the standard for how AI systems connect to data.

We’re building the Flashpoint MCP Server to ensure our intelligence is a foundational component of that ecosystem and usable wherever AI-driven workflows occur.

What to Expect from Flashpoint MCP Server

The initial release of the Flashpoint MCP Server in Spring 2026 is intentionally read-only and query-focused. This creates the production-grade foundation required to bring intelligence into the workflows customers are already building. It aligns with customer guidance about using agentic AI to solve the most pressing challenges they face today.

What Comes Next

Later this year, we will move from information retrieval to Action-Oriented Intelligence. This expansion will allow users not only to access data but also to act on it directly within their AI-driven workflows. As this ecosystem evolves, we plan to deliver:

  • Natural Language Orchestration: We are empowering analysts to interact with our data more intuitively. Through the MCP server, complex actions such as updating an investigation or identifying new threat sources are handled via natural-language orchestration. This ensures that the speed of an investigation is limited only by an analyst’s questions, not their mastery of a specific query syntax.
  • Flashpoint-Native Agents and Skills: We are developing specialized Flashpoint Agents and “skills” built on top of this server. These will be purpose-built to address specific workflows, such as ransomware monitoring or vulnerability triage, allowing teams to deploy out-of-the-box expertise without building their own agentic logic
  • Fusion of External and Internal Data: A critical advantage of the MCP framework is the ability to combine Flashpoint’s external threat intelligence with a customer’s internal environment data (SIEM, Cloud, IAM, Endpoint, etc.). This allows an agent to correlate global threat signals with your specific footprint to provide instant, individualized risk context. 
  • Embedded AI within Flashpoint Ignite: This same MCP infrastructure will serve as the shared engine for new, embedded AI experiences within Flashpoint Ignite. This ensures that the same natural-language power and automated data correlation fueling external agents are also natively available within our platform UI, creating a seamless investigative experience regardless of where an analyst chooses to work.

Built and Validated in Real Workflows

We believe in the power of this new architecture because we are already using it. The MCP Server is currently embedded in our own Flashpoint Intelligence Team’s workflow, helping our analysts research and respond to complex client RFIs. 

By applying this capability to our own high-stakes research first, we ensure that what we bring to market is grounded in real investigative needs, not just technical potential. 

Operationalizing the Best Data

The future of security operations won’t be defined solely by who has access to the most data or even the most AI agents; it will be defined by who can operationalize the best data directly within the workflows where decisions are made.

The Flashpoint MCP Server is our strategic commitment to that future—making the world’s best intelligence natively accessible, usable, and aligned with the way modern security teams work.

The Flashpoint MCP Server is currently in active development, with customer availability planned for late Spring 2026. 

Subscribe to the Flashpoint blog for more updates on Flashpoint MCP Server and the latest insights from the front lines of threat intelligence.  

Frequently Asked Questions

What is the Flashpoint MCP Server? 

The Flashpoint MCP Server enables Flashpoint’s threat intelligence to be directly callable by AI agents. It implements the Model Context Protocol (MCP), an open standard for connecting AI systems to external data, so any MCP-compatible agent, including Claude, Gemini, and Cursor, can query our datasets without bespoke API integration work.

Who is the MCP Server designed for?

The MCP Server is designed for technical, forward-leaning security teams and AI-native organizations. This includes SOC analysts, CTI practitioners, and security engineers who are already building or experimenting with AI agent workflows using tools like Gemini, Claude Code, or custom LLM-based assistants.

Which Flashpoint datasets are accessible via MCP?

The initial rollout (Spring 2026) provides access to Flashpoint’s core intelligence collections, including:

  • Intelligence Reports
  • Communities (Online forums, messaging platforms, closed digital communities)
  • Technical Indicators (IOCs)
  • Vulnerability Intelligence (CVEs)
  • Ransomware
  • Compromised Credentials and Infected Hosts
  • Strategic Entity Data

How does this differ from Flashpoint’s standard APIs?

While our standard APIs are designed for direct programmatic consumption, the MCP Server is optimized specifically for AI agents. It exposes intelligence as composable tools and guided prompts that AI agents can understand and use to perform complex, multi-step research tasks. 

How does this differ from the Flashpoint Ignite platform?

The Flashpoint MCP Server is not a replacement for Flashpoint’s award-winning Ignite platform; rather, it is a complementary access layer designed for a different type of user and workflow. While Ignite is a destination for deep research, the MCP server provides the infrastructure that enables that same intelligence to live in AI-native environments.

To learn more about Flashpoint’s MCP Server, schedule a demo today.

See Flashpoint in Action

The post Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows appeared first on Flashpoint.

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

Blogs

Blog

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

SHARE THIS:
Default Author Image
May 6, 2026

We are proud to share that Flashpoint has been named a Challenger in the inaugural 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies. 

“We see this recognition as a testament to Flashpoint’s ability to execute at the highest levels for the world’s most discerning threat intelligence customers, with our unique combination of primary source collection and human analysis at the core,” — Josh Lefkowitz, CEO at Flashpoint.

The Gartner Magic Quadrant provides organizations with a wide-angle view of vendors in the cyber threat intelligence market. By applying a graphical treatment and a uniform set of evaluation criteria, the Magic Quadrant helps organizations assess how well technology providers are executing their stated visions and performing against Gartner’s market view. Vendors are evaluated based on their Ability to Execute and Completeness of Vision:

  • Ability to Execute reflects the Gartner assessment of the vendor’s product and/or service, overall viability, sales execution and pricing, market responsiveness and record, marketing execution, customer experience, as well as operations.
  • Completeness of Vision comprises the Gartner view of the vendor’s overall market understanding, marketing strategy, sales strategy, offering (product) strategy, business model, vertical/industry strategy, innovation, and geographic strategy.

“We believe, and our customers consistently validate, that the future of threat intelligence lies at the critical intersection of intelligence depth and application,” says Lefkowitz. “That’s why Flashpoint pairs unmatched access to primary-source environments with the ability to operationalize that intelligence across security workflows, enabling organizations to make faster, more informed decisions.”

A complimentary copy of the Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies is available to download here.

Market Dynamics and Growth of the Threat Intelligence Market

The threat intelligence market has expanded in both scope and strategic importance as organizations contend with a broader and more complex threat environment. What was once a supporting function within security operations is now expected to inform decisions across vulnerability management, fraud prevention, and enterprise risk. This shift has raised the bar for how intelligence is collected, analyzed, and applied.

Gartner describes this evolution as a move toward unified cyber risk intelligence (UCRI) — an approach that brings together diverse internal and external data sources with advanced analytical capabilities to improve decision-making. As noted in The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, “the future of threat intelligence is unified cyber risk intelligence (UCRI)… defined by the convergence of multisignal collection and advanced analytical capabilities.” In our opinion, this model reflects the reality that no single source provides sufficient visibility, and that intelligence must be corroborated across environments to be actionable. 

At the same time, the scale of available data continues to increase, introducing new challenges around prioritization and context. Gartner notes that organizations “receive vast amounts of threat data, and filtering out false positives, redundant information and irrelevant alerts to extract actionable intelligence remains a significant challenge. This “noise” can overwhelm security teams and lead to important threats being missed.” This is where AI plays a growing role. Techniques such as machine learning and natural language processing are increasingly used to correlate signals, identify patterns, and surface relevant risks faster. As intelligence becomes more integrated across the enterprise, the ability to combine multisource collection with AI-driven analysis is shaping how organizations evaluate platforms and build modern threat intelligence programs.

How Security Teams Are Evaluating Threat Intelligence

From Flashpoint’s experience working with the most discerning security and intelligence teams, the value of a threat intelligence platform is measured in how it performs in practice — how quickly it surfaces relevant activity, how much context it provides, and how easily it supports decision-making across workflows.

We see three areas consistently shape how intelligence is evaluated, supported by a combination of human expertise and AI-driven analysis:

  • Access to high-signal environments: Intelligence is most useful when it reflects activity at its source. Access to closed forums, encrypted messaging platforms, and illicit marketplaces provides the context needed to understand how threats develop and move.
  • Context that supports prioritization: Vulnerability and threat data require context to be actionable. Understanding how activity is discussed and operationalized in real environments allows teams to focus on what requires attention.
  • Integration into operational workflows: Intelligence must fit into the systems and processes teams already rely on. Integration across SIEM, SOAR, and internal workflows allows intelligence to be applied consistently at scale.

These areas are closely tied to how Flashpoint has built its platform and how it supports organizations operating in complex threat environments.

Where Intelligence Comes From Matters

A large part of how intelligence performs in practice comes back to the source of the data itself.

We believe, and our customers continue to validate, that Flashpoint’s approach is centered on primary-source collection. That means accessing environments where threat activity is actively discussed, coordinated, and developed, including closed forums, encrypted messaging platforms, and illicit marketplaces. These environments require sustained access and ongoing validation, but they provide a level of visibility that is difficult to achieve through surface-level collection alone.

From our experience, working from these sources changes how intelligence is used. Activity can be observed earlier and understood with more context, with discussions, relationships, and intent preserved.

In practice, this allows teams to:

  • Identify emerging activity before it becomes widely visible
  • Maintain context across conversations, actors, and environments
  • Reduce time spent investigating low-value or unverified signals

Intelligence Has to Fit Into How Teams Actually Operate

Collection alone doesn’t determine whether intelligence is useful. We believe it also has to be delivered in a way that aligns with how teams work.

In our experience, most security teams already have established workflows tied to SIEMs, SOAR platforms, and internal processes. Intelligence that integrates into those workflows can be applied consistently across investigation and response.

In practice, we see this support:

  • Delivery of intelligence directly into existing systems
  • Consistent application across automated and analyst-driven workflows
  • Reduced friction between intelligence, investigation, and response

Over time, this consistency allows teams to build repeatable processes around intelligence rather than treating it as a separate function.

Context Drives Prioritization

The same dynamics apply to vulnerability intelligence.

From our experience, understanding which vulnerabilities exist is only one part of the problem. Determining which ones require attention in a given environment depends on context — how those vulnerabilities are being discussed, shared, or used in active threat activity.

We have seen first-hand that when vulnerability data is connected to real-world activity, teams can:

  • Prioritize remediation based on active threat relevance
  • Align vulnerability management with observed adversary behavior
  • Reduce reliance on static scoring as the sole decision driver

Applying This in Practice

For organizations evaluating providers, challenge intelligence sources, challenge collection agility, challenge exploit prioritization and above all ask yourself is this a partner with a long-term track record of navigating the world’s most complex threat environments?

To see how Flashpoint, the world’s largest private provider of threat intelligence can help you make better decisions, faster and with confidence, schedule a demo.

Gartner Disclaimer

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Flashpoint.

Gartner, Magic Quadrant for Cyber Threat Intelligence Technologies, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, May 4, 2026.

Gartner, The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, By Jonathan Nunez, 15 September 2025.

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

Begin your free trial today.

The post 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders appeared first on Flashpoint.

How to Build and Operationalize Priority Intelligence Requirements

Blogs

Blog

How to Build and Operationalize Priority Intelligence Requirements

In this post, we break down how to define, structure, and operationalize Priority Intelligence Requirements (PIRs) to improve focus, reduce noise, and drive more effective intelligence outcomes, with a companion starter kit to help apply these concepts in practice.

SHARE THIS:
Default Author Image
April 30, 2026

Security teams are inundated with data. Alerts, feeds, reports, and signals continue to grow in volume, but without clear direction, much of that information fails to translate into meaningful action.

Flashpoint recently hosted a webinar, “How to Build and Operationalize Priority Intelligence Requirements,” where our intelligence team walked through how organizations can bring structure to their intelligence programs. The session focused on how to define Priority Intelligence Requirements (PIRs), align them to business needs, and operationalize them across workflows. If you missed it, you can catch the on-demand recording here.

In this blog, we’ll recap the key takeaways from the webinar that you need to know to build, structure, and operationalize Priority Intelligence Requirements within your organization.

Priority Intelligence Requirements Create Focus

Priority Intelligence Requirements (PIRs) define what matters most to an organization’s intelligence function.

They serve as a framework for identifying the threats, risks, and questions that intelligence teams are responsible for answering. Without that structure, teams often default to reactive workflows—chasing alerts and producing reporting without clear alignment to business priorities.

PIRs establish that alignment by grounding intelligence work in specific, decision-driven questions.

These questions are typically tied to areas such as:

  • Threat actor activity targeting the organization or its sector
  • Exposure of sensitive data, credentials, or infrastructure
  • Risks tied to third-party vendors or supply chain dependencies
  • Emerging trends that may impact operations or security posture

When defined correctly, PIRs act as a filter that helps teams determine what to collect, analyze, and escalate.

Effective PIRs Start With the Business

One of the most common challenges highlighted in the webinar is that PIRs are often defined in isolation.

When intelligence requirements are not tied to business priorities, they tend to drift toward generic threat monitoring. This leads to reporting that is technically accurate, but operationally disconnected.

Effective PIR development starts with first understanding:

  • What decisions need to be made
  • Who is responsible for making them
  • What information is required to support those decisions

This requires direct engagement with stakeholders across security, risk, and business teams. In practice, that often includes leadership, legal, fraud, and operational teams.

The goal is to translate business concerns into intelligence questions that can be consistently answered over time.

Structuring PIRs for Actionability

Clear structure is essential to making PIRs usable.

Well-defined PIRs are specific enough to guide collection and analysis, but flexible enough to evolve as threats change. They are typically framed as direct questions that intelligence teams can answer with available data.

Examples of structured PIRs include:

  • Are threat actors actively targeting our organization or industry?
  • Has our data appeared in criminal marketplaces or forums?
  • Are our third-party vendors experiencing security incidents that could impact us?

This approach ensures that intelligence outputs remain focused on answering defined questions rather than producing general reporting.

It also enables consistency across teams, making it easier to track trends and measure changes over time.

Operationalizing PIRs Across Workflows

Defining PIRs is only the starting point. Their value comes from how they are integrated into day-to-day operations.

In the webinar, Flashpoint emphasized the importance of embedding PIRs across the intelligence lifecycle, including:

  • Collection: Prioritizing sources and datasets that align with defined requirements
  • Analysis: Structuring outputs around PIR-driven questions
  • Dissemination: Delivering intelligence to the stakeholders tied to each requirement
  • Feedback: Continuously refining PIRs based on evolving needs

This integration ensures that intelligence efforts remain consistent and aligned, even as threat conditions change.

It also reduces duplication of effort and helps teams avoid producing intelligence that does not support decision-making.

Measuring the Impact of Intelligence

PIRs provide a foundation for evaluating whether intelligence efforts are effective.

Without defined requirements, it is difficult to determine whether outputs are relevant or useful. PIRs create a benchmark against which teams can assess:

  • Whether key questions are being answered
  • Whether intelligence is reaching the right stakeholders
  • Whether outputs are informing real decisions

This shifts intelligence from a reporting function to a decision-support capability.

Over time, this approach helps organizations refine both their requirements and their workflows, improving efficiency and impact.

Dive Deeper | Watch the Full Webinar

Building and operationalizing Priority Intelligence Requirements is a foundational step toward a more focused and effective intelligence program.

Flashpoint’s on-demand webinar walks through this process in detail, including practical examples and guidance for implementation.

For teams looking to move from theory to implementation, the Priority Intelligence Requirements (PIR) Starter Kit provides a practical extension of this approach. The resource includes a structured framework for defining requirements, a catalog of adaptable PIR examples across key intelligence drivers, and a template to support documentation and governance.

Watch the full session and download the starter kit to begin building requirements that directly support decision-making and risk reduction.

Begin your free trial today.

The post How to Build and Operationalize Priority Intelligence Requirements appeared first on Flashpoint.

Received — 23 April 2026 Threat Intelligence Blog | Flashpoint

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

Blogs

Blog

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

In this post, we examine what NVD’s shift to selective enrichment means for vulnerability workflows and how security teams can maintain visibility and prioritization at scale.

SHARE THIS:
Default Author Image
April 17, 2026

The National Vulnerability Database (NVD) is changing how it processes and enriches vulnerability data in response to sustained growth in CVE submissions.

Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical.

All other CVEs will remain in the database without additional context unless specifically requested.

Rising disclosure volumes are placing pressure on public vulnerability infrastructure, and it has direct implications for how security teams consume and act on vulnerability data.

What Changed in NVD’s Operating Model

For years, NVD aimed to provide consistent enrichment across all CVEs, including severity scoring, affected product data, and supporting context for prioritization.

That approach has not been sustainable since late 2023.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, 14,593 of which had publicly available exploits (and 1,944 more with proof-of-concepts). 

CVE submissions increased by 263% between 2020 and 2025, with 2026 already tracking higher year-over-year. Even with increased throughput, NVD has not been able to keep pace.

Under the updated model:

  • CVEs meeting prioritization criteria will be enriched on an accelerated timeline
  • CVEs outside those criteria will be labeled and left without enrichment
  • Re-analysis of modified CVEs will occur selectively
  • Separate NVD severity scoring will no longer be applied by default

This introduces a significant structural change in how vulnerability data is published and maintained.

The Impact on Vulnerability Workflows

Many security programs rely on NVD enrichment to operationalize CVE data. That enrichment provides the context needed to evaluate risk and determine remediation priorities.

With enrichment applied selectively, teams will encounter a growing number of CVEs that include:

  • Limited or no severity scoring
  • Incomplete product and version data
  • Minimal context on exploitability or impact
  • No CPE strings that allow for programmatic consumption of data

At the same time, disclosure volume continues to rise, and exploitation timelines remain compressed. This creates a gap between what is disclosed and what can be acted on efficiently.

Security teams will need to account for:

  • Larger backlogs of CVEs without actionable context
  • Increased manual effort to evaluate relevance and risk
  • Greater variability in data quality across sources

These changes affect vulnerability management, threat intelligence, and security operations workflows simultaneously.

Prioritization Criteria Will Not Capture the Full Risk Landscape

NVD’s updated model focuses enrichment on a defined set of criteria, including known exploited vulnerabilities and software relevant to federal systems.

These categories represent important segments of risk, but they do not encompass the full set of vulnerabilities that organizations encounter in practice.

Modern environments include:

  • Open-source dependencies
  • SaaS platforms and APIs
  • Cloud infrastructure and services
  • Third-party and partner integrations

Many vulnerabilities affecting these environments fall outside formal prioritization frameworks or lack immediate classification within public datasets. As a result, security teams will continue to face exposure from vulnerabilities that are:

  • Actively exploited but not yet included in prioritized lists
  • Missing complete metadata or enrichment
  • Relevant to their environment but not captured by federal-centric criteria

Vulnerability Intelligence Requires Broader Coverage and Deeper Context

As public enrichment becomes more selective, organizations will rely more heavily on alternative sources to maintain visibility and context.

Effective vulnerability intelligence requires:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity, and remediation
  • Consistent enrichment that can be integrated into operational workflows

This level of detail supports faster and more accurate decision-making in environments where both volume and speed are increasing.

Flashpoint’s vulnerability intelligence model is built to address these requirements, with a dataset that includes over 7,000 known exploited vulnerabilities and ongoing analyst-driven enrichment across global sources.

What Security Teams Should Do Next

This shift in NVD operations does not change the need to track CVEs. It changes how that data can be used. Security teams should evaluate how their current workflows depend on:

  • NVD enrichment for prioritization
  • CVSS scoring as a primary decision input
  • Completeness of public vulnerability data

From there, teams can take steps to strengthen resilience:

  • Incorporate sources of vulnerability intelligence that cover CVE and more
  • Align prioritization to exploitation activity and environmental relevance
  • Validate coverage across software, cloud, and third-party dependencies
  • Ensure that enrichment gaps do not delay remediation decisions

A Structural Shift in Vulnerability Data

For many teams, NVD has been a default source of vulnerability context. This change makes clear that its role is narrowing at a time when disclosure volume and prioritization demands are increasing.

At the same time, the role of vulnerability intelligence is expanding.

Security teams need access to data that supports prioritization, not just identification. They need consistent enrichment, faster turnaround, broader coverage, and context tied to real-world activity. As disclosure volumes continue to grow, those requirements become more central to how organizations manage risk.

Flashpoint’s Vulnerability Intelligence provides this level of coverage and context, with analyst-driven enrichment, global visibility across CVE and non-CVE vulnerabilities, and a dataset that includes over 7,000 known exploited vulnerabilities.

Request a demo to see how Flashpoint helps security teams prioritize and act on vulnerability risk with greater precision and confidence.

Begin your free trial today.

The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint.

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

Blogs

Blog

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

In this post we explore Flashpoint’s latest milestone of surpassing cataloging 7,000 known exploited vulnerabilities and what this means for security teams.

SHARE THIS:
Default Author Image
April 15, 2026

Flashpoint Vulnerability Intelligence has surpassed cataloging 7,000 known exploited vulnerabilities, surpassing another major milestone as vulnerability disclosures accelerate across the global attack surface.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, a pace that continues to accelerate into 2026. Of those, 14,593 had publicly available exploits (1,944 more with proof-of-concepts), giving threat actors immediate pathways to weaponization.

This pace is shaping how exploitation unfolds, with high-impact vulnerabilities being operationalized within hours or days, particularly when they affect widely deployed technologies or core infrastructure.

Security teams are operating within this compressed environment every day. They are reviewing more findings across open-source software, commercial applications, cloud environments, and third-party dependencies, while working within tighter timelines to assess impact and take action.

Flashpoint’s latest milestone of surpassing 7,000 known exploited vulnerabilities (KEVs) cataloged reflects that reality. It highlights how vulnerability management programs are evolving toward prioritization as a core capability, with a focus on vulnerabilities tied to active exploitation and real-world risk.

What The 7,000+ KEV Milestone Means for You

Security teams are operating in a high-volume environment. Vulnerabilities are disclosed continuously across open-source software, commercial applications, cloud environments, and third-party dependencies. At the same time, advancements in automation and code analysis are increasing the rate at which new findings are surfaced.

Each of these findings enters an already crowded workflow. Teams are expected to determine relevance, urgency, and impact quickly, often with limited context. This is where risk-based decision making becomes essential.

Flashpoint tracks hundreds of thousands of vulnerabilities across thousands of sources. Within that dataset, a much smaller percentage shows confirmed exploitation activity. That concentration of risk informs how effective programs allocate time and resources.

Crossing the 7,000+ KEV milestone goes beyond scale to provide greater precision, deeper context, and stronger confidence in how teams prioritize and act on the most critical vulnerabilities.

  • Validated threats: Each KEV entry reflects observed exploitation in the wild by threat actors, including APT groups, cybercriminal operations, ransomware presence, and automated botnets.
  • Exploit-aware prioritization: In reality, only a small percentage of tracked vulnerabilities drive real-world incidents. FP KEV provides visibility into that subset so teams can focus remediation efforts where they have immediate impact.
  • Human-curated intelligence: Every entry is reviewed, validated, and enriched by analysts, with context on exploit maturity, adversary usage, and remediation pathways when available.

This level of clarity allows teams to move faster without sacrificing accuracy. It supports vulnerability management programs that are built around real-world attacker behavior and aligned to current risk.

How Public Vulnerability Data Fits Into the Picture

Public vulnerability catalogs remain useful reference points for tracking disclosures and confirmed exploitation. The CISA Known Exploited Vulnerabilities catalog, for example, gives security teams a curated view into a limited set of vulnerabilities that have been exploited in the wild that impact U.S. government stakeholders.

For many organizations, though, that level of visibility is not enough.

Public catalogs capture only part of the picture. They tend to reflect a narrower slice of exploitation activity, with less detail on how vulnerabilities are being used, which actors are leveraging them, and what defenders should do next. They also rely heavily on CVE-based tracking, leaving gaps around non-CVE exposures and other vulnerabilities that still carry operational risk.

Flashpoint’s FP KEV and Vulnerability Intelligence provide a broader and more actionable view. The advantage is visible in both scale and depth. Of the 7,000 known exploited vulnerabilities in FP KEV, over 800 are missing from CVE. That expanded coverage is paired with the context security teams need to prioritize effectively, including exploit maturity, adversary mapping, affected product detail, and remediation guidance.

DimensionPublic KEV CatalogsFlashpoint FP KEV
ScopeVaries by provider, with coverage dependent on available sources and methodologyGlobal, cross-industry coverage
CoverageCVE-based trackingCVE and non-CVE vulnerabilities
ContextLimited enrichmentExploit maturity, adversary mapping, remediation
Update ModelPeriodic updatesContinuously updated with analyst input

This is what separates a reference list from an operational dataset. Teams need vulnerability intelligence that supports triage, remediation, reporting, and broader risk reduction efforts. Wider visibility and deeper context make that possible.

The Critical Role of Human-Curated Intelligence

Vulnerability data originates from a wide range of sources with varying levels of completeness and accuracy.

Flashpoint’s intelligence model includes analyst validation to ensure consistency and depth across the dataset.

This process includes:

  • Reviewing disclosures across public and private sources
  • Validating exploit availability and usage
  • Enriching entries with technical and operational context

Analyst input supports:

  • Accurate classification of vulnerabilities
  • Clear understanding of exploitation pathways
  • Timely updates as activity evolves

Supporting Decision-Making Across Teams

Vulnerability intelligence feeds multiple functions across an organization. Teams use this data to align technical actions with current threat activity.

Common use cases include:

  • Vulnerability management: Align patching priorities with active exploitation trends.
  • Threat intelligence: Map vulnerabilities to threat actor campaigns and observed behaviors.
  • Security operations: Tune detection based on known exploit techniques.
  • Executive reporting: Communicate risk posture using data tied to real-world activity.

Each of these functions relies on consistent, enriched intelligence to maintain alignment.

Proactively Address Vulnerability Risk

Vulnerability discovery continues to expand across software ecosystems, infrastructure, and identity layers.

Security teams require a clear understanding of which issues are relevant to their environment at any given time.

Flashpoint provides primary source intelligence that supports this need through:

  • Continuous monitoring of vulnerability disclosures and exploitation
  • Analyst-driven validation and enrichment
  • Integration-ready data for operational workflows

This approach enables teams to maintain focus, allocate resources effectively, and respond to risk based on current threat activity. Request a demo and learn more today.

Begin your free trial today.

The post Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates appeared first on Flashpoint.

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

Blogs

Blog

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

In this post, we examine why intelligence requirements often fail to drive decisions and how to operationalize Priority Intelligence Requirements to align collection, analysis, and action.

SHARE THIS:
Default Author Image
April 13, 2026

In modern security operations, the “more is better” approach to threat intelligence has failed. Teams are drowning in alerts, not because the tools aren’t working, but because they lack a defined “North Star” to tell them which signals actually matter. 

To move from reactive monitoring to proactive defense, you need Priority Intelligence Requirements (PIRs). 

What is a Priority Intelligence Requirement (PIR)?
Definition: A Priority Intelligence Requirement is a decision-support question that identifies a critical knowledge gap. It defines what an organization needs to know, why it matters, and which specific business decision the information will support.

What Are the Biggest Challenges in Implementing PIRs?

Most teams buy intelligence tools, connect their sources, and immediately hit a wall: What should we actually be looking for?

Without a requirements-driven intelligence model, programs typically suffer from three critical points of friction that teams face every day: 

  1. Alert Parity: A low-level credential leak on a forum is treated with the same urgency as a targeted ransomware threat.
  2. The “So What?” Gap: Analysts produce reports that leadership finds “interesting” but not “actionable”.
  3. Analyst Burnout: Teams spend the majority of their time chasing “exploratory” data rather than defending the business. 

Requirements-driven intelligence changes the starting point. It moves the focus from “What data can we get?” to “What decisions do we need to make?”

The 3-Tier Intelligence Requirements Model: GIR, PIR, and SIR

To operationalize intelligence, you must understand its hierarchy. A PIR is the bridge between executive strategy and technical execution. We recommend structuring requirements across these three tiers:

  1. General Intelligence Requirements (GIRs): The “Why”)

These are the big-picture risks that keep your CISO or Board up at night. They focus on trends and long-term posture.

Example: “How is the ransomware landscape evolving for the healthcare sector in 2026?”

Outcome: Informs budgeting and annual security priorities.

  1. Priority Intelligence Requirements (PIRs): The “What”

This is the operational heart of your program. PIRs turn strategic concerns into specific, high-impact scenarios.

Example: “Which ransomware groups are actively targeting our specific supply chain partners?”

Outcome: Defines daily monitoring and escalation triggers.

  1. Specific Intelligence Requirements (SIRs): The “How”

SIRs are the tactical “boots on the ground” that power your PIRs with granular data.

Example: “Monitor for [Specific Malware Family] indicators or [Specific Actor] infrastructure associated with Group X.”Outcome: Drives threat hunting and automated detection logic.

Why Should You Focus on Building at the PIR Level?

While you need the full hierarchy, your primary effort should live at the PIR layer.

General IRs are often too high-level to automate, and SIRs (technical indicators) change too quickly to manage manually. PIRs are the “Stable Middle.” They are broad enough to capture business risk but specific enough to map to a workflow. By building your program around a library of PIRs, you create a system that is:

  • Machine-Readable: Easy to translate into platform automation.
  • Stakeholder-Aligned: Written in language that leadership understands.

Action-Oriented: Designed to trigger a specific response every time they are “answered.”

How To Audit Your PIRs (The Stress Test)

Before you commit resources to monitoring, run each requirement through this three-point filter:

  1. Is it tied to a decision? If we learn the answer today, what specifically changes in our defense?
  2. Does it have an owner? Which specific stakeholder is accountable for acting on this information?
  3. Is it time-bound? Is this requirement evergreen, or active during a defined risk window?

For a more comprehensive view of your full threat intelligence picture, take the Threat Intelligence Capability Assessment.

Frequently Asked Questions About Priority Intelligence Requirements

What is the difference between PIRs and general monitoring goals?
PIRs are decision-driven requirements tied to specific risks. Monitoring goals (like “watch the dark web”) describe activities without defining a clear outcome.

How often should PIRs be updated?
PIRs should be revisited when decisions are made, risks shift, incidents occur, or strategic priorities change.

Can small security teams implement PIR frameworks?
Yes. In fact, smaller teams often benefit most because requirements help prioritize limited resources.

How do you measure PIR effectiveness?
Indicators include reduced alert noise, clearer reporting alignment, faster investigations, and improved stakeholder satisfaction.

Join the Webinar: How to Build and Operationalize Priority Intelligence Requirements

Register to learn how to define actionable PIRs that stakeholders actually care about and align intelligence to real business decisions.

Register now for the webinar.

Note: Attendees will receive our exclusive “Priority Intelligence Requirements Starter Kit,” which features a practical workbook and a PIR library.

Begin your free trial today.

The post Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework appeared first on Flashpoint.

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Blogs

Blog

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.

SHARE THIS:
Default Author Image
April 10, 2026

Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.

From Phishing Kits to a Service-Based Fraud Economy

PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.

Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.

Modern PhaaS platforms now operate similarly to legitimate SaaS providers:

  • Subscription-based pricing models
  • Prebuilt templates for major brands and services
  • Integrated delivery mechanisms (email, SMS, QR phishing)
  • Real-time dashboards for campaign tracking and credential harvesting

This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.

MFA Bypass and AI Are Reshaping Phishing Capabilities

As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.

Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.

At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.

Threat actors are using AI to:

  • Generate convincing, localized phishing lures
  • Clone brand interfaces with high fidelity
  • Optimize campaigns through automated testing and iteration

This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.

The PhaaS Pipeline: How the Ecosystem Operates

What distinguishes modern phishing operations is not just tooling, but coordination.

A typical PhaaS campaign follows a structured lifecycle:

This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.

Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized

Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.

Infrastructure and Kit Development

Phishing kit developers provide increasingly sophisticated tooling, including:

  • Reverse proxy (AiTM) capabilities for MFA bypass
  • Anti-bot protections to evade researchers
  • “Live panels” enabling real-time interaction with victims

Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.

SMS Delivery and Spoofing

Smishing has become a critical delivery vector.

Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.

Credential Exfiltration and Telegram Integration

Credential collection is increasingly automated and centralized.

Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.

From Credential Theft to Financial Monetization

The ultimate goal of PhaaS operations is monetization.

Stolen credentials are used to enable account takeover (ATO), which allows attackers to:

  • Access financial accounts
  • Lock out legitimate users
  • Initiate fraudulent transactions
  • Launch follow-on scams

Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.

Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.

This highlights how phishing is only the entry point into a broader fraud pipeline.

A Distributed Ecosystem of Threat Actors

The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.

Examples include:

  • Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
  • IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
  • Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
  • System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities

These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.

Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.

Law Enforcement Pressure Is Increasing, but the Model Persists

Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.

These efforts have:

  • Disrupted infrastructure
  • Increased operational costs for threat actors
  • Accelerated collaboration between intelligence providers and law enforcement

However, the underlying PhaaS model remains resilient.

Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.

What This Means for Security Teams

Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.

Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.

For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:

  • MFA bypass techniques such as AiTM
  • Rapid infrastructure rotation and evasion
  • The integration of phishing into broader fraud and access broker pipelines

Protecting Your Organization from the PhaaS Ecosystem

Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.

Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.

To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.

Begin your free trial today.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

❌