There’s a certain energy you can only find at Recorded Future. Take that energy and bring it to London’s “Silicon Roundabout” and you get the perfect spot for Futurists to build and innovate.
Across the globe, Recorded Future is 1000+ employees working towards the same mission: Securing Our World With Intelligence.
Our London office – one of our most storied hubs – hosts a range of departments supporting both local, regional, and global operations. The office brings together 100+ cross-functional professionals from People & Talent Acquisition, Finance, Sales, Marketing, Global Services, Research, and more!
Looking back: From the Attic to The Bower
Our story in London didn’t start in the high-rise, but in a converted attic with just a handful of people and a big mission.
When I first joined, we were in the attic of a 3-story building.It was full of great people and energy; the immediate feeling I got was that everyone was building something great together.”
Joe Rooke
Director Risk Insights, Insikt Group
This passion for building something great fueled incredible growth. Sam Pullen, Director of Intelligence Services, remembers when the entire EMEA team was just about 20 people. Since 2018, we’ve gone from service a few dozen customers in the region to ~700 now.
On the left: First Recorded Future office in London. On the right: Recorded Future's newest office
On the left: First Recorded Future office in London. On the right: Recorded Future's newest office
Inside the Office
This modern high-rise building’s open-plan layout offers quite a few collaboration spaces across our office, where the team likes to have small team meetings, breaks, or even lunch.
Like all Recorded Future offices, our meeting rooms follow a unique naming convention. While Boston uses countries, and Sweden volcanoes - London chose islands. Rumors say we picked islands following a 95-day rain streak – we can neither confirm nor deny. So, in our London office, you’ll find Futurists collaborating in rooms like Bora Bora, Crete, and even San Andres.
Our Culture
What truly defines our London office is the sense of camaraderie – whether that’s competing in a friendly team padel game, testing your dartboard skills, or truly memorable summer & end of year celebrations.
The culture at the London office has always been welcoming and inclusive. The BDRs are the soul of the office, and you can always rely on them for a good conversation over a cup of tea.
Sam Pullen
Whether over summer picnics and pedalos in Hyde Park years, playing 5-a-side football in the pouring rain, or at the most recent Christmas party at the Savoy - our Futurists celebrate wins together.
Friendly Team Padel Game at Canary Wharf
Onwards & Upwards: Why Recorded Future
We asked Sam and Joe what has been the highlight of their long tenure at Recorded Future: the opportunity to build. For Sam, it has been the opportunity to build great relationships with clients over nearly a decade. For Joe, it has been the opportunity to build new solutions and new ways to work towards our mission.
The company offers opportunities to builders. If you are willing to take the initiative to make something better, you are not stopped. That is rare.
Cybersecurity is a cornerstone of our modern world, but its roots stretch back long before the internet. Far from a recent phenomenon, the field began in university labs and evolved through decades of innovation and conflict. For professionals and everyday users alike, tracing this history reveals why today's defenses exist and why vigilance remains our most critical tool.
The 1940s: Theoretical Seeds and Massive Machines
Long before the first hack, pioneers were already contemplating the risks of digital intelligence. In 1945, the Electronic Numerical Integrator and Computer (ENIAC) - the first general-purpose electronic computer - showcased the power of computing, though it was a room-sized giant reserved for military use. While the idea of a "cybercriminal" was still science fiction, the theoretical groundwork for future threats was being laid.
Mathematician John von Neumann began developing his "Theory of Self-Reproducing Automata" during this era. He proposed that a machine-based organism could replicate itself across systems - the conceptual birth of the computer virus.
Key Characteristics of This Era:
Physical Isolation: Security meant locking the door to a room-sized machine.
Government Monopoly: Computers were exclusive to the military and the academic elite.
Conceptual Threats: Risks were purely mathematical theories rather than practical realities.
The Virus Blueprint: The foundational logic for self-replicating code was established.
By understanding these early foundations, we can appreciate how a field born in the realm of theory has become the frontline of global stability.
The 1950s: Mainframes, Physical Security, and Phone Phreaking
Governments, universities, and major businesses started using large, centralized machines known as mainframes. As these computers grew more powerful, the definition of "security" still remained grounded in the physical world. During this era, data protection simply meant controlling access to the room where the hardware sat. However, a new kind of technical subculture was beginning to emerge on the fringes of the telecommunications industry.
The 1950s saw the rise of phone phreaking, where enthusiasts exploited telephone signaling frequencies to make unauthorized long-distance calls. While not yet digital hacking, this movement introduced the concept of manipulating infrastructure for unintended purposes. This culture of curiosity and boundary-pushing would eventually produce industry titans; notably, both Steve Jobs and Steve Wozniak experimented with phreaking technology before the birth of Apple.
Key Characteristics of This Era:
Physical Perimeter: Security was defined by locks and restricted personnel access.
Phone Phreaking: The first widespread exploitation of a technological network.
Nascent Authentication: Password-based systems began to appear in informal, non-standardized forms.
Fragmented Protocols: Without a connected internet, every institution developed its own isolated security rules.
These early exploits proved that even the most robust physical defenses could be bypassed by those who understood the hidden language of the systems within.
The 1960s: The First Hackers and Growing Vulnerabilities
While known primarily for its social shifts, the 1960s also marked the birth of "hacking" as a technical practice. As computers became more prevalent in universities and large institutions, a new generation of users began exploring the limits of these systems. This era shifted the focus from purely physical security to the inherent vulnerabilities within the software itself.
In 1967, IBM invited students to test a new system, only to be surprised that their probing caused system crashes and revealed weaknesses. This informal "penetration test" proved that any system accessible to users was inherently open to exploitation. It was a wake-up call that sparked the transition of cybersecurity from a passive state to an active, intellectual discipline.
Key Characteristics of This Era:
Intentional Probing: The birth of deliberate vulnerability testing and "white hat" exploration.
Curiosity-Driven Hacking: Hacking emerged as a way to explore system boundaries, generally motivated by academic interest rather than malice.
Access vs. Security: Institutions realized that providing user access created inevitable security risks.
Beyond the Lock: The realization that cybersecurity required ongoing digital strategy, not just physical barriers.
This decade transformed the computer from a mysterious black box into a challenge to be solved, proving that human ingenuity would always be the greatest threat - and defense - to any system.
The 1970s transformed cybersecurity from a localized concern into a networked reality. The launch of ARPANET, the precursor to the modern internet, enabled researchers to share resources across distances but also opened a doorway for autonomous software to travel between systems.
In 1971, this potential was realized with Creeper, the world's first self-replicating network program. While harmless, its ability to move across the network and display messages was a revolutionary proof of concept. In response, programmer Ray Tomlinson created Reaper - the first antivirus program - specifically designed to hunt and delete Creeper. This decade also saw the rise of Kevin Mitnick, whose exploits in the 1980s showed that psychological manipulation, or social engineering, could bypass even the strongest technical barriers.
Key Characteristics of This Era:
Network Connectivity: ARPANET's birth created the first interconnected digital landscape.
The First Worm: Creeper demonstrated that programs could self-propagate autonomously.
The First Antivirus: Reaper established the "detect and delete" model of digital defense.
Social Engineering: Early hacks highlighted that human error is often the weakest link in the security chain.
This era proved that once computers started talking to each other, the "locked door" was no longer enough to keep an intruder out.
The 1980s: Personal Computers and the Birth of an Industry
The 1980s shifted computing from sterile labs to homes and offices. This explosion of connectivity via modems and floppy disks turned theoretical threats into a global reality, giving rise to the first commercial antivirus software and formal incident response teams like CERT.
Key Characteristics of This Era:
Wild Malware: Viruses like Elk Cloner and the Brain Virus moved beyond labs to infect personal computers worldwide.
The Morris Worm (1988): The first major network-wide disruption, leading to the first conviction under the Computer Fraud and Abuse Act (Robert Tappan Morris).
Cyber Espionage: Marcus Hess's breach of military systems for Soviet intelligence proved that digital networks had massive geopolitical stakes.
Ransomware Roots: The AIDS Trojan introduced the world to the concept of holding digital files hostage for payment.
The 1980s proved that as computers became personal, the threats against them became universal.
The 1990s: The Public Internet and Exploding Threats
As the World Wide Web went mainstream, the attack surface grew exponentially. This was the era of the "Macro Virus," where malicious code hid in everyday documents, and the dominance of Windows made it a universal target for hackers.
Key Characteristics of This Era:
Mass-Mailers: The Melissa virus demonstrated how email could be weaponized to clog global servers in hours.
The Encryption Standard: Netscape's SSL (1995) laid the foundation for secure online commerce and HTTPS.
Network Fortification: Firewalls became standard equipment as businesses scrambled to block external intrusions.
Legal Frameworks: Organizations like the EFF began fighting for digital privacy and standardized cybercrime laws.
This decade transformed cybersecurity services from a technical niche into a vital pillar of global commerce and law.
The 2000s: Professionalized Crime and Mature Defenses
The 2000s saw cybercrime scale into a high-profit industry. High-speed broadband and the rise of e-commerce meant that a single breach could compromise tens of millions of records, forcing the industry to develop more sophisticated authentication and monitoring tools.
Key Characteristics of This Era:
Massive DDoS Attacks: "Mafiaboy" proved that even giants like Amazon and eBay could be paralyzed by flooded traffic.
Social Engineering at Scale: The ILOVEYOU virus infected millions by exploiting human curiosity and trust.
Data Breach Epidemics: The TJX breach accelerated the adoption of strict data security standards like PCI DSS.
Encrypted Ransomware: In 2006, ransomware began using RSA encryption, making it nearly impossible to recover files without a key.
As attacks became more lucrative, the defensive industry responded with the first generation of modern security standards and behavioral analysis.
The 2010s shifted the focus from criminal profit to national security. Cybersecurity became a theater of war, with governments deploying digital weapons to destroy physical infrastructure and influence global politics.
Key Characteristics of This Era:
The Stuxnet Worm: The first acknowledged cyberweapon designed to cause physical destruction to industrial equipment.
The Snowden Leaks: Exposed the massive scale of global surveillance, sparking a decade-long debate on privacy.
Automation and AI: Machine learning began appearing on both sides - defenders used it for detection, while attackers used it to find flaws.
Global Ransomware: WannaCry and NotPetya showed how automated exploits could cripple hospitals and shipping lines across 150 countries.
By the end of the decade, it was clear that a line of code could be just as impactful as a physical weapon.
The 2020s: AI Threats and Modern Threat Intelligence
Today, the line between the physical and digital worlds has vanished. With remote work and cloud-native businesses, security is now a proactive game of "Threat Intelligence", which involves predicting and neutralizing an adversary's move before they even make it.
Key Characteristics of This Era:
Targeting Infrastructure: Attacks on power grids and water systems have raised the stakes from financial loss to public safety.
AI-Powered Attacks: Adversaries use AI to create deepfakes and hyper-personalized phishing at speeds humans can't match.
Predictive Defense: Modern strategy relies on Threat Intelligence, using AI to analyze patterns and stop attacks in their tracks.
Cloud & Remote Security: The shift away from traditional offices has forced a move toward "Zero Trust" security models.
The ongoing battle between human ingenuity and artificial intelligence now defines the frontlines of our digital existence.
Payment fraud is growing in scale and sophistication, affecting businesses across every industry, and as digital payments expand, so do the opportunities for bad actors to exploit vulnerabilities. Understanding how fraud works and how to prevent it is essential for protecting revenue, maintaining trust, and staying resilient in an increasingly complex threat landscape.
What Is Payment Fraud?
Payment fraud refers to the theft of money from businesses or individuals through unauthorized transactions or deceptive purchases. Fraudsters may act using their own accounts or by gaining unauthorized access to someone else's account.
While payment fraud can happen in person, online transactions are especially vulnerable. According to Juniper Research, global business losses from online payment fraud are projected to surpass $362 billion between 2023 and 2028. A business's fraud risk depends largely on its industry, the sensitivity of the data it handles, and the payment methods it accepts. The more ways customers can interact with accounts and complete purchases, the more entry points exist for bad actors to exploit.
Different Types of Payment Fraud
Fraudsters use many tactics, and below we list 14 of the most common. Given the large number of threats, businesses must prepare their teams to recognize a variety of warning signs. Strong internal communication policies, clear escalation procedures, and knowledge of the landscape are foundational to any fraud prevention strategy.
1. Phishing
Phishing is a social engineering tactic in which criminals attempt to trick people into revealing sensitive information such as account credentials or payment details. These attacks often come in the form of malicious links sent via email or text, but they can also occur over the phone. Attackers may pose as trusted figures - a friend, a bank representative, or a government official - to manipulate victims.
Prevention tips:
Let customers know exactly how your business will contact them, including phone numbers and email addresses.
Be transparent about what information your staff will and will not ask for.
Alert customers to any known phishing attempts targeting your brand.
Train employees on information security protocols and how to identify suspicious communications.
2. Credit and Debit Card Fraud
This type of fraud involves obtaining card information - either physically or digitally - and using it to make unauthorized purchases. Cards may be stolen directly, or details may be harvested through card skimming devices installed on ATMs or point-of-sale terminals. Attackers also acquire card data through phishing schemes or by purchasing stolen credentials on the dark web.
Prevention tips:
Restrict POS system access to authorized personnel and regularly inspect payment hardware for tampering.
Build secure, encrypted payment pages that comply with data protection standards.
Offer customers multiple notification options for purchases and account activity.
Warn customers never to share account or confirmation numbers with unverified sources.
3. Wire Transfer Fraud
In wire transfer fraud, criminals convince victims to send money directly to them. Because wire transfers are difficult to reverse, they are a preferred method among scammers. Attackers commonly impersonate someone the victim trusts - a family member, a company executive, or a business vendor. The use of a convincing back-story is often referred to as "social engineering." For example, an attacker may text employees pretending to be their CEO, claiming an emergency and requesting an urgent fund transfer.
Prevention tips:
Train employees to spot the signs of social engineering and impersonation.
Establish official communication channels and avoid conducting financial business over easily spoofed channels like text messages.
Report and share all phishing attempts with the entire team.
4. Check Fraud
Check fraud involves using counterfeit or altered checks to make payments or writing checks from accounts that lack sufficient funds. Fake checks may be digitally printed or modified versions of real checks. In some cases, the check is genuine but drawn from a closed account.
Prevention tips:
Implement software that verifies the authenticity of checks.
Train staff to recognize the visual and physical signs of fraudulent checks.
5. Chargeback and Refund Fraud
Also known as "friendly fraud," chargeback fraud occurs when a customer makes a legitimate purchase and then falsely claims a refund - either directly from the business or through their credit card company. This type of fraud is particularly tricky because it can be hard to distinguish from genuine disputes, especially when delivery or service quality is involved.
Prevention tips:
Validate customer information, including billing addresses and card security codes.
Use payment platforms that include fraud protection and dispute automation tools.
Respond to refund and chargeback requests quickly.
Minimize legitimate chargebacks by fulfilling orders accurately and on time.
6. Identity Theft
Identity theft happens when a criminal obtains someone's personal information and uses it for financial gain or to make purchases in someone else's name. For businesses, a common result is having to deal with chargebacks after customers discover fraudulent charges on their accounts. Although the primary victim is the customer, businesses have a responsibility to prevent data breaches that expose customer information in the first place.
Prevention tips:
Train employees to recognize phishing and follow secure information handling practices.
Ensure your payment systems comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.
7. Account Takeover Fraud
Account takeover (ATO) fraud typically follows identity theft. Once attackers obtain a user's credentials, they change the password and contact information to lock the real owner out. From there, they may use the account for fraudulent purchases or sell it to other bad actors.
Prevention tips:
Enforce strong password requirements for all accounts.
Require two-factor authentication (2FA) and send confirmation alerts for any significant account changes.
Notify customers of purchases and account modifications in real time.
8. New Account Fraud
New account fraud (NAF) occurs when someone uses stolen or fabricated identities to open new lines of credit or accounts. These fraudulent accounts can then be used to make purchases or commit further fraud down the line.
Prevention tips:
Require multi-factor authentication (MFA) - not just email verification - during account creation.
Verify address details and card security information during transactions.
Use fraud protection tools that leverage machine learning to detect unusual account creation patterns.
9. Gift Card Fraud
Gift card fraud is a social engineering scam where criminals pressure victims into purchasing gift cards and handing over the card numbers. Once the numbers are given, the funds are essentially unrecoverable, making this a popular method among scammers.
Prevention tips:
Display warnings about gift card scams during the checkout process.
Remind customers never to share gift card numbers with people they don't personally know.
Educate in-store staff to recognize signs of gift card fraud and when to escalate the situation.
10. Merchant Identity Theft
In merchant identity theft, attackers impersonate legitimate businesses or vendors to defraud customers or partner organizations. They may use phishing to extract employee credentials and gain access to business systems, or they may pose as a trusted vendor and redirect payments to themselves.
Prevention tips:
Train staff to identify phishing attempts and follow secure communication practices.
Establish verification procedures when communicating with vendors and business partners.
Report phishing attempts to employees and partners promptly.
11. Pagejacking and Domain Spoofing
Pagejacking involves cloning an existing webpage and redirecting users to the fake version to steal login credentials or payment information. Domain spoofing follows a similar concept - attackers build an identical-looking site under a slightly different URL. Users are typically directed to these fraudulent pages through malicious emails or texts.
Prevention tips:
Run plagiarism detection tools to identify duplicate versions of your pages online.
Pay attention to unusual customer service complaints that might signal a spoofed site.
Submit takedown requests to search engines if you discover a duplicate site, and notify affected customers.
12. Mobile Payment Fraud
As mobile payments become more prevalent, they've also become a target for fraud. Attackers can exploit mobile apps through malware installation, stolen app credentials, or interception of 2FA codes. For example, a scammer may call a customer pretending to represent a business and ask them to read back a verification code - which is actually a 2FA code the attacker has triggered on the victim's account.
Prevention tips:
Authenticate customers over the phone carefully to reduce the risk of impersonation-based fraud.
Monitor for unusual spending or refund activity in mobile transactions.
Educate customers about the risks of clicking on unknown links, QR codes, or visiting unfamiliar websites.
13. Push Payment Fraud
Unlike unauthorized transaction fraud, push payment fraud involves tricking the victim into willingly sending money to a fraudster. This can take many forms, including phishing, blackmail, or deceptive scenarios like fake emergencies. The key distinction is that the victim actively initiates the transfer.
Prevention tips:
Clearly communicate to customers what your staff can and cannot ask them to do or pay.
Make it easy for customers to report anyone impersonating your business.
Issue proactive alerts about ongoing scam attempts tied to your brand.
14. ACH Payment Fraud
ACH (Automated Clearing House) payment fraud involves criminals gaining unauthorized access to a victim's bank account details and using them to initiate fraudulent transfers. For businesses, this risk can come from both outside attackers and malicious insiders.
Prevention tips:
Strictly limit and monitor employee access to business bank accounts.
Educate all staff with account access about phishing tactics and establish firm security policies.
Which Businesses Have the Highest Fraud Risk?
Not all businesses face the same level of exposure. Fraud risk is generally highest in sectors that process online payments, handle sensitive personal data, or still accept paper checks.
E-Commerce Businesses
E-Commerce businesses are particularly vulnerable. Online retail involves accepting payments from a wide range of locations, often with multiple payment methods. Features like peer-to-peer payment integrations or international checkout add more potential points of failure. The more accounts and payment methods a customer has linked, the more attractive a target they become for data breaches.
Healthcare, Banking, and Data-Sensitive Industries
These sectors are at elevated risk because of the high value of the information they store. A breach in these sectors doesn't just expose financial data - it can compromise identity information used to commit fraud across many platforms simultaneously.
Businesses Still Accepting Checks
These kinds of businesses face unique challenges. As check usage declines, employees may become less experienced at identifying fakes, which makes training and verification systems all the more important. According to the Association for Financial Professionals, check fraud remains one of the most common forms of payment fraud.
How to Mitigate Risk
A variety of tools and strategies are available to help businesses identify and reduce fraud exposure. Conducting a security risk assessment is a strong starting point, helping teams understand which vulnerabilities are most critical and where to prioritize investment.
From there, organizations should focus on establishing a solid operational and security foundation before layering in more advanced fraud detection capabilities.
Foundational Controls
These measures create a baseline level of protection by securing systems, safeguarding data, and reducing avoidable losses:
Strong network and password security: Establish internal policies governing account access, password requirements, and physical access to devices and systems.
Network tokenization: Ensure payment systems encrypt and tokenize customer data to protect sensitive information.
PCI standards compliance: Build payment workflows that meet Payment Card Industry (PCI) standards to safeguard cardholder data.
3D Secure (3DS) authentication: Use the latest 3DS protocols to validate transactions and verify user identity before completing purchases.
Chargeback protection: Work with your payment processor to implement tools that help minimize financial losses from disputed transactions.
Once these core protections are in place, businesses can enhance their fraud prevention strategies with more dynamic, data-driven approaches.
Advanced Detection & Optimization
These techniques improve visibility, adaptability, and long-term resilience against evolving fraud tactics:
Fraud KPI tracking: Monitor key metrics such as dispute rates, authorization rates, and approval/decline ratios to identify trends and respond proactively.
Rules-based systems: Implement rule-based detection as a reliable operational backbone. While rules require ongoing maintenance, they are especially useful in early stages and can be refined over time.
Machine learning algorithms: Leverage ML-powered systems to analyze large, complex datasets and uncover patterns that are difficult to detect manually. These models continuously improve as they adapt to new fraud behaviors.
Staying Ahead of Payment Fraud
Payment fraud is an ongoing challenge, but a proactive, layered approach can significantly reduce risk. By combining strong foundational controls with data-driven detection and continuous monitoring, businesses can stay ahead of evolving threats.
Ultimately, effective fraud prevention requires regular review, employee awareness, and a commitment to adapting as tactics change.
The internet is basically a giant digital city, and you need to be just as streetwise here as outside your front door. Most people go online every day - scrolling through TikTok, finishing a research paper, or making purchases - but they don't always know the "rules of the road" or the vocabulary that tech experts use to describe our digital lives. Here's a breakdown of essential digital citizenship terms to help you navigate the web and mobile apps like a pro:
Authority - Authority refers to how trustworthy a source is based on who created it. If information comes from a qualified expert or a well-known organization, it's more likely to be reliable than something posted by an unknown user.
Bystander - A bystander is someone who sees harmful behavior online, like cyberbullying, but chooses not to get involved or take action.
Cookies - Cookies are small files that websites store on your device to remember information about you, like login details or browsing habits. They make websites easier to use, but they also allow service providers to track your activity.
Cyberbullying - Cyberbullying is when someone uses digital platforms to repeatedly harass, threaten, or embarrass another person. Unlike trolling, it usually targets a specific individual.
Data Breach - A data breach happens when private or sensitive information is accessed or stolen without permission, often from companies or large platforms.
Digital Citizen - A digital citizen is anyone who uses technology to interact with others online. Being a good digital citizen means using the internet responsibly, respectfully, and safely.
Digital Footprint - A digital footprint is the trail of information you leave behind online through posts, searches, and interactions. The more you share, the greater your exposure to privacy issues or misuse of personal information. Also, once something is online, it can be very difficult to remove.
Digital Identity Theft - Digital identity theft occurs when someone steals your personal information, like passwords or account details, to pretend to be you or access your accounts.
Digital Divide - The digital divide refers to the gap between people who have access to modern technology and the internet and those who do not.
Encryption - Encryption is a method of protecting data by turning it into a coded format that only authorized users can read. It helps keep sensitive information secure.
Firewall - A firewall is a security system that monitors and controls incoming and outgoing network traffic, blocking anything that looks suspicious or harmful.
Imaginary Audience - The imaginary audience is the feeling that people are constantly watching and judging you. Social media can make this feeling stronger by showing likes, views, and comments.
Invisible Audience - The invisible audience refers to the unknown people who may see your online content, including strangers, future employers, or others outside your immediate circle. It pays to assess your security blind spots because you may not realize who is viewing your posts.
Malware - Malware is any type of harmful software designed to damage devices, steal information, or disrupt normal operations. It is often installed as part of a package or application that otherwise appears innocent.
Password Hygiene - Password hygiene refers to the practice of creating strong, unique passwords and keeping them secure instead of reusing the same one across multiple accounts.
Phishing - Phishing is a scam where attackers pretend to be a trusted source to trick you into giving away personal information, often through fake emails, texts, or websites.
Public Wi-Fi Risk - Public Wi-Fi risk refers to the potential dangers of using unsecured networks, where hackers may be able to intercept your data.
Reliability - Reliability refers to whether information is accurate and dependable. Just because something looks professional online doesn't mean it's true.
Social Comparison - Social comparison is the act of comparing your life to what you see online. Since people often share only their best moments, it can create unrealistic expectations.
Targeted Advertising - Targeted advertising uses your online behavior, location, and personal data to show ads that are specifically tailored to you.
Trolling - Trolling is when someone posts deliberately annoying or provocative content online to get attention or start arguments.
Two-Factor Authentication (2FA) - Two-factor authentication is a security feature that requires a second form of verification, like a code sent to your phone, in addition to your password.
Upstander - An upstander is someone who takes action when they see harmful behavior online, such as supporting the victim or reporting the issue.
VPN (Virtual Private Network) - A VPN is a tool that creates a secure, encrypted connection to the internet, helping protect your data and privacy, especially on public networks.
For security professionals evaluating threat intelligence vendors, the Gartner Magic Quadrant offers an indispensable perspective. Gartner analysts’ thorough and nuanced analysis cuts through the noise, making it easier for teams to understand each platform’s approach, strengths, and considerations—and helping them determine whether a particular vendor fits their organization’s unique needs.
That’s why we’re honored to share that Gartner has named Recorded Future a Leader in the first-ever Magic Quadrant™ for Cyberthreat Intelligence Technologies. This new report evaluated 17 vendors in the space, providing a comprehensive look at the competitive landscape.
“In our view, being recognized as a Leader means something specific to us: we feel it reflects our ability to help our customers with the outcomes they depend on. These include stopping threats pre-attack, running intelligence autonomously at a scale no human team can match, and making every security control they own more effective," said Colin Mahony, CEO, Recorded Future. “We believe this recognition reflects both the trust our customers place in us and the strength of the outcomes we help them achieve.”
A research methodology that prioritizes customer voice
A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. By applying a graphical treatment and a uniform set of evaluation criteria, a Magic Quadrant helps you quickly ascertain how well technology providers are executing their stated visions and how well they are performing against Gartner’s market view.
For Recorded Future, this meant that Gartner analysts spoke directly with our customers about their real-world experiences—the challenges they face, how they use our Platform, and the outcomes they've realized. We feel their voices shaped our position in the Magic Quadrant, just as they’ve always shaped our product offerings and roadmap.
The new Gartner report offers a snapshot of what the analysts heard from customers. We haven’t stopped working since then and there’s much to talk about.
There’s more… the next phase of threat intelligence
In conversations throughout 2025, our customers gave us their thoughts about product complexity, pricing models, and the challenges of scaling intelligence across their teams. As a result of their input, we’ve fundamentally changed how they can access and make the most of Recorded Future threat intelligence.
Here are the highlights of our continued commitment to simplicity and innovation to provide better experiences for our customers in 2026:
1. Goodbye, modules. Hello, simplicity. Meet our four new solutions. Our four new solution areas cover the four major attack surfaces—an organization’s systems, brand, supply chain, and payment methods:
Cyber Operations—This foundational solution empowers security teams with the intelligence to monitor and prioritize threats and vulnerabilities, get in-depth malware insights, triage alerts and detect threats, and stand up an intelligence-driven defense.
Digital Risk Protection—Also foundational, this solution allows teams to monitor malicious sites, code repositories, and the dark web to detect brand abuse, employee credential compromise, and other threats to digital trust.
Third-Party Risk—This solution enables teams to continuously assess supplier security posture with real-time intelligence, accurate risk ratings, vendor action plans, and more.
Payment Fraud—With this solution, teams can detect and prevent card-not-present fraud with intelligence that identifies compromised payment data before it's used.
The solutions are built on a unified intelligence foundation to provide consistency, accuracy, and alignment around shared security outcomes. And they integrate with other security solutions like CrowdStrike Falcon and Google SecOps, bringing the benefits of Recorded Future intelligence and rich context directly into common SIEM and EDR workflows.
2. New pricing packages for less friction, more intelligence We’re offering the four solutions in new pricing packages designed to fit customer needs:
Simplicity—Customers can purchase one package instead of juggling multiple modules
End-to-end workflows—Packages cover full use cases, complete with the key capabilities to get the job done
Wider access—Higher tiers offer unlimited seats, so everyone now can be intelligence-led.
In addition, integrations are included. Now your tools in the security stack—SIEM, SOAR, firewall, endpoint protection, ticketing system, and more—can leverage Recorded Future intelligence without integration fees or limitations.
3. Expansion into Latin America The threat landscape knows no geographical borders, and neither do we. We’ve expanded Recorded Future’s operations into Latin America, giving security teams in the region better access to the expertise and support they need to mount a successful proactive defense.
4. Autonomous Threat Operations for autonomous defense In February, we launched Autonomous Threat Operations to help customers move from isolated threat intelligence insights and manual workflows to automated and continuous defensive actions across the entire security ecosystem. Complete with AI-powered, 24/7 autonomous threat hunting and multi-source correlation in the Intelligence Graph®.
As we continue to build on our vision of moving from automated to autonomous operations, we’re developing Recorded Future AI and agentic experiences to help our customers reduce alert fatigue, save time on research, and run threat hunts faster so they can detect and defend at scale.
Explore the Gartner Magic Quadrant report today
We’re proud to be recognized by Gartner as a Leader in Cyberthreat Intelligence Technology, and we’ll continue innovating for our customers to help them mitigate risk and stay ahead of evolving threats.
Get the report to review Gartner analysis and see how Recorded Future fits your CTI program needs.
Gartner and Magic Quadrant are trademarks of Gartner, Inc. and/or its affiliates.
Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.
This article introduces threat activity enablers (TAEs), the infrastructure providers and networks that underpin modern cyber threats across both criminal and state-sponsored activity. These entities sustain operations by enabling resilient, high-risk infrastructure that persists despite sanctions, takedowns, and public exposure.
Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center. While most legitimate hosting providers evict threat actors once identified, a specific class of providers does the opposite. Recorded Future® calls these providers threat activity enablers(TAEs).
What Is a Threat Activity Enabler?
Figure 1: Overview of threat activity enablers’ patterns, ecosystem, and impact
A threat activity enabler (TAE) is an individual, organization, or service provider that supports malicious cyber activity by providing infrastructure or services leveraged by threat actors. More commonly, this includes providers that lack a formal physical or virtual storefront, conduct business only via email or messaging platforms, and do not enforce know-your-customer (KYC) policies. It also includes hosting providers that selectively respond to abuse reports or law enforcement inquiries to maintain plausible deniability, as well as more traditional self-proclaimed “bulletproof” providers that openly ignore oversight or advertise non-cooperation.
TAE networks serve as the backbone for ransomware groups, infostealer campaigns, botnets, and even state-sponsored threat actor operations. What distinguishes TAE networks is the sustained concentration of malicious infrastructure within their networks.
How TAEs Operate
TAEs are masters of obfuscation and are highly resilient, hiding behind layers of decoy companies to evade accountability. They use several core tactics:
Corporate Shell Games: They establish front companies across multiple jurisdictions to create legal distance between the infrastructure and the operators.
Strategic Resource Control: They often operate as local internet registries (LIRs). This gives them direct control over IP resources and autonomous systems (ASNs), allowing them to manipulate network resources at will.
Rapid Rebranding: When a network becomes too "hot" due to scrutiny, TAEs rapidly transfer IP address prefixes to a newly registered, clean-looking entity.
Identifying High-Risk TAE Networks
Recorded Future actively identifies high-risk TAE networks through its Network Threat Density List. These networks are ranked by their Threat Density Score, calculated from the concentration of validated malicious activity relative to the total number of IP address prefixes a network announces.
This approach cuts through the noise to quickly expose infrastructure that is disproportionately associated with threat activity, a core characteristic of TAEs, allowing network defenders to prioritize the infrastructure most likely to pose material risk.
Figure 2: High-risk suspected or confirmed TAE networks in 2025, ranked by Threat Density Score
From Insight to Action
Tracking TAE networks allows security teams to move from reacting to individual threats to proactively managing infrastructure risk. In practice, this means applying TAE intelligence across three core areas: prevention, detection, and exposure.
Figure 3: Three steps for operationalizing TAE intelligence
TAEs are persistent and continuously evolving, adapting quickly in response to sanctions, enforcement actions, and exposure. While their identities may change, their underlying infrastructure patterns often remain consistent.
The "metaspinner" Case Study
In April 2025, a TAE tracked by Recorded Future, Virtualine Technologies, shifted its IPv4 resources to a newly registered network that fraudulently impersonated a legitimate German software firm, metaspinner net GmbH. Because this provider’s historical infrastructure patterns were already being tracked, the newly created network was immediately identified as a front. Within weeks, this network became a primary distribution hub for malware families such as Latrodectus and AsyncRAT. When the operation was eventually exposed, Virtualine Technologies simply pivoted the infrastructure to a new identity within one of its existing autonomous systems to maintain its operations.
Figure 4: Validated malicious activity associated with Virtualine Technologies in 2025
This case underscores the reality of TAE networks: while identities, ownership records, and corporate fronts may change, the underlying infrastructure and its associated risk persist, making continuous tracking essential to identifying and prioritizing the networks that will drive future threat activity, as demonstrated by Virtualine subsequently emerging as the highest-risk TAE network in 2025.
The Stark Industries Case Study
In May 2025, the European Union sanctioned UK-registered hosting provider Stark Industries Solutions and its executives for enabling Russian state-sponsored cyber operations. However, enforcement did not halt Stark Industries’ operations. In the weeks leading up to the sanctions announcement, Stark Industries began transferring IP resources, modifying RIPE registrations, and shifting infrastructure to affiliated entities.
Figure 5: Timeline of Stark Industries-related events in 2025
Despite the sanctions, the underlying infrastructure, routing relationships, and operational patterns remained traceable across these new fronts. Continuous monitoring of TAE ecosystems enables defenders to detect these pivots in near real time, revealing continuity beneath corporate rebrands and legal restructurings. This case underscores a broader reality: sanctions may change names and ownership records, but without infrastructure-level visibility, the enabling networks behind malicious activity often persist.
What This Means for Security Leaders
TAEs represent an ongoing challenge. While individual campaigns and threat actors may come and go, the infrastructure that supports them remains adaptive and deliberately resilient.
For security leaders, this requires an additional shift from solely reacting to individual indicators to understanding and prioritizing the infrastructure that enables threat activity at scale. By identifying and tracking high-risk networks, organizations can reduce investigative noise, focus resources on the most impactful threats, and take proactive steps to limit exposure before attacks materialize.
Ultimately, addressing TAEs is not just about detection; it’s also about disrupting the conditions that enable modern cyber threats to operate.
Questions You Should Be Asking
How much of your network communicates with high-risk infrastructure?
Are you prioritizing alerts involving high-risk networks?
Is TAE or ASN risk intelligence integrated into your detection and triage workflows to ensure the highest-risk activity is addressed first?
Do any of your third-party providers rely on TAE-linked infrastructure?
Do you have hidden exposure to TAE networks?
Are your controls dynamically adjusting to infrastructure risk?
Can you proactively restrict or challenge traffic to and from high-risk networks?
Executives making AI decisions without hands-on building experience have a comprehension gap that no briefing can close.
AI is rapidly eroding most traditional competitive moats, and proprietary data's real value now comes down to how long it would take a competitor to reconstruct it.
As AI equalizes development speed, the most valuable engineers are those with sharp judgment and companies need to actively protect the foundational skills that make that judgment possible
Scams are a $450B–$1T global problem, and unlike card fraud, they don't require a breach; just convincing a victim to send money themselves.
The mule account is the most stable target: every scam needs an exit point, and intelligence gathered before a transaction occurs is more actionable than behavioral monitoring after the fact.
CYBERA's approach uses agentic personas to engage active scammers and extract verified mule account details, confirmed intelligence, not probabilistic scoring.
Regulatory pressure is accelerating: the UK already mandates APP fraud reimbursement, and the US, Canada, and Australia are following, raising the stakes for institutions that don't act proactively.
Last week’s reporting on unauthorized access to Claude Mythos reads as an AI security story. It is also, structurally, a North Korea (DPRK) story. Even if the current suspects turn out to be Discord hobbyists.
Mythos was meant to be contained. Within hours of the public Project Glasswing announcement, a third-party contractor environment became the access vector. Not because Anthropic did something wrong. Because controlled release, at the scale modern enterprise software operates, is a goal rather than a guarantee.
The interesting question isn’t who got in this time. It’s who gets in next, and their economics.
What happened?
The group accessed Mythos the same day it was announced, guessing the endpoint based on Anthropic’s naming conventions for prior models. The vector was an individual employed at a third-party contractor, not Anthropic’s core infrastructure. Source characterizations point to a research community “not wreaking havoc” with the model.
The misread
If the coverage only centers on Anthropic’s security posture or the AI safety debate, we’re missing an important angle.
The structural signal is that any preview or controlled-access model release has porous boundaries by design. Access controls on paper (contracts, NDAs, approved vendor lists) differ from those in practice. Every partner brings their own contractors, endpoints, and people with legitimate credentials and uneven security hygiene. That is the real control surface, not the cryptographic perimeter around the model itself. Which makes this a supply chain problem that happens to be about AI, not an AI problem that happens to involve vendors.
The blind spot
AI policy discourse is locked on US versus China, including energy, chip controls, export rules, sovereign AI posture, and who wins the race.
Structurally missing from the larger conversation is the one state actor whose entire foreign currency revenue stream is cyber-enabled theft. DPRK doesn’t need to win any race. They need a 20-30% productivity gain in existing operations.
The pipeline is documented. Insikt Group’s Crypto Country estimated that regime-linked cryptocurrency theft reached roughly $3 billion through 2023. The Multilateral Sanctions Monitoring Team (successor to the UN Panel of Experts after Russia’s 2024 veto) has since done the harder primary work. MSMT’s October 2025 report documents $2.8 billion stolen from cryptocurrency companies between January 2024 and September 2025 across more than 40 heists, with proceeds explicitly tied to WMD and ballistic missile program funding. The State Department updated the tally in January 2026: another $400 million stolen in the three months since publication, bringing the 2025 totals above $2 billion.
Every successful crypto exchange intrusion ends up on a launch pad.
Why North Korea wants the next model
Crypto exchange intrusions are labor-intensive at every phase. Recon, social engineering at scale (fake developer personas on GitHub and LinkedIn, spear-phishing of individual engineers at wallet providers), credential harvesting, post-exploit lateral movement, key extraction, and laundering.
Agentic capability compresses the cycle to include the same operator-hours, more successful intrusions, and more stolen $$$ per operator.
Lazarus and TraderTraitor don’t need AGI. They need the productivity lift that turns a junior operator into a senior one and shaves weeks off the planning phase. It doesn’t have to be Mythos specifically. Any comparable capability through a comparable vector does the job.
Better tools mean more successful intrusions. More successful intrusions mean more stolen crypto. More stolen crypto means more missiles.
Three access patterns
Three different tradecraft patterns keep getting conflated in media coverage. They are not the same TTP, and treating them as one weakens the response on all three.
1. Contractor misuse. A legitimately credentialed employee at a third-party vendor uses their access for unauthorized purposes. This is the Mythos story. The credentials and access are real, though the intent is variable. Defenses (easy to say, hard to do well): telemetry, behavioral monitoring, and least-privilege scoping at the vendor tier.
2. Fraudulent hiring. An adversary places its own operatives inside the target through stolen or synthetic identities, often via remote IT contracting. This is the DPRK IT worker scheme. Insikt’s Inside the Scam documents PurpleBravo’s infrastructure: front companies in China spoofing legitimate IT firms, and a malware ecosystem (BeaverTail, InvisibleFerret, OtterCookie) targeting the cryptocurrency industry. The credentials are real, but the identities are fake. Defenses: identity verification at hire (in-person interviews to avoid AI tricks), ongoing personnel vetting, geographic and behavioral baselining.
3. Supply chain compromise. A trusted vendor’s systems get breached, and the attacker uses that vendor’s legitimate distribution channel to reach the real target. TeamPCP’s March 2026 LiteLLM compromise hit the AI toolchain directly, poisoning Trivy (a defensive security scanner) to reach a package with 95 million monthly downloads. Defenses: build-pipeline integrity, dependency monitoring, signed artifacts.
These three attack vectors converge on the same truth. Any preview or limited-release AI program that depends on third parties is exposed to all three vectors simultaneously. DPRK is the actor most motivated across the full triangle because the revenue case is specific, measurable, and directly beneficial for the regime. They are incentivized to be “AI native.”
So what?
In the security industry, we need to stop thinking about AI access as purely a lab problem when it’s also a sanctions problem. The great-power competition framing obscures the actor already online, with a rich history of monetizing cyber heists to fund missiles.
“Limited release” is a wonderful bumper sticker. The AI reality, from a threat-modeling perspective, is a countdown to turbo-charging adversarial capabilities.
Now what?
The honest conversation is that perimeter-style AI “controlled access” is less effective against State-sponsored adversaries. A productive security path is a distinct preview infrastructure, aggressive telemetry, canaries, and third-party access tied to personnel-level vetting rather than contractual attestation. (Guessable endpoints should be the first thing dead.)
Crypto exchanges and custodians: your threat model needs to anticipate what Lazarus can do 3 to 6 months from now, not what they did last quarter. Assume they improve faster than your defenses do.
Policymakers: DPRK is a first-class entity in AI access governance. The Multilateral Sanctions Monitoring Team framework already documents cyber-enabled sanctions evasion thoroughly. What it doesn’t yet do is name AI capability access as a sanctions-relevant category. Dual-use export controls have governed the transfer of semiconductor and missile technology for decades. AI capability is the obvious next category.
Corporate CISOs (outside the AI-lab orbit): your third-party contractor environments are now inside the AI capability threat surface, whether you opted in or not. Inventory accordingly.
Close
Mythos is a preview of an access pattern. Any actor whose business model is stealing money to build weapons will find the third-party seam. This time, it was hobbyists. DPRK has spent two decades proving why nonproliferation is the right frame here.
The real challenge in cybersecurity isn’t intelligence or visibility, it’s speed. Attackers operate at machine speed, while most organizations are still constrained by manual, human-driven workflows.
Traditional threat intelligence falls short because it stops at insight. To reduce risk effectively, intelligence must not only inform decisions but also actively drive response.
Fragmentation across cyber, fraud, and third-party risk creates exploitable gaps. A unified, intelligence-driven approach is essential to understanding and addressing modern threats holistically.
Autonomous defense is the path forward. By enabling continuous, real-time action across the attack surface, organizations can close the speed gap and move from reactive security to proactive risk reduction.
For most security teams today, volume and access to intelligence isn’t the problem. It’s the speed at which they can turn that intelligence into action.
And yet, breaches still happen. Fraud still slips through. Third-party risk still catches teams off guard. The issue isn’t visibility. It’s the growing gap between how fast threats move and how fast organizations can respond.
Attackers now operate at machine speed, leveraging automation and AI to identify vulnerabilities, launch campaigns, and exploit opportunities in real time. Most security teams, however, are still constrained by manual workflows, fragmented systems, and processes that require human intervention at every step. That mismatch is where risk can accumulate—and where even well-resourced teams fall behind.
What many organizations are discovering is that the problem isn’t a lack of intelligence. The problem is their inability to turn the insights into contextualized, intelligence-led actions.
The Hidden Cost of Human-Speed Security
For many organizations, this gap shows up in subtle but compounding ways. Analysts spend hours triaging alerts, trying to determine which signals actually matter. Security teams often discover incidents after damage has already occurred, not because the data wasn’t there, but because it couldn’t be acted on quickly enough. Across the organization, teams responsible for cyber operations, fraud, and third-party risk operate in silos, each with their own tools and workflows, rarely sharing a unified view of risk.
At the same time, expectations from leadership have shifted. Executives and boards no longer want activity metrics—they want clear evidence that security investments are reducing business risk. But when intelligence is not clearly connected to action from security teams, that proof becomes difficult to deliver.
Traditional threat intelligence was designed to inform decisions made by humans, at human speed. In today’s environment, that model introduces delay. And delay, in cybersecurity, is increasingly indistinguishable from exposure.
Intelligence That Acts, Not Just Informs
Closing the speed gap requires more than incremental improvements. It requires a shift in how organizations think about intelligence altogether. Moving forward, the future of cybersecurity must be more than just intelligence-led—it must be intelligence-acted.
In this model, intelligence doesn’t sit in dashboards waiting for analysts to interpret it. It continuously correlates signals, prioritizes what matters, and drives action across the security environment automatically. Instead of asking teams to move faster, it enables the entire system to operate at the speed of the threat.
This is the foundation of autonomous defense, and it’s the future of effective, machine-speed cybersecurity.
From Reactive to Autonomous: A New Operating Model
Autonomous defense fundamentally changes the role of the security team. Rather than serving as the bottleneck between detection and response, analysts become decision-makers operating on top of continuously running intelligence.
Recorded Future’s Autonomous Threat Operations brings this model to life by eliminating the manual steps that slow teams down. It ingests and correlates intelligence from multiple sources, applies context in real time, and triggers actions across existing security tools—all without requiring constant human input.
The impact of such a dramatic shift is immediate and measurable. Threat hunting becomes continuous instead of periodic. Alerts arrive enriched with context, reducing the time needed to investigate and respond. Detection and remediation workflows execute automatically, freeing analysts to focus on strategic threats rather than routine triage.
Just as importantly, this approach transforms how organizations measure success. Instead of tracking activity—alerts processed, queries written, incidents reviewed—teams can demonstrate real outcomes: faster response times, reduced exposure, and a clearer connection between intelligence and risk reduction; the latter of which is becoming increasingly necessary for organizational buy-in.
The Bigger Challenge: Fragmented Visibility Across the Attack Surface
Speed alone, however, is only part of the equation. Many organizations are also limited by how they view risk. Threats today don’t respect organizational boundaries. A phishing campaign can lead to credential theft, which can then be used to access systems, exploit third-party relationships, or enable fraudulent transactions. These events are connected, but still far too many organizations manage them in isolation.
Cyber operations teams focus on internal threats. Fraud teams monitor transactions. Risk teams assess vendors. Each group has visibility into part of the problem, but no one has a complete picture. This fragmentation creates blind spots, and attackers are increasingly skilled at navigating between them.
A Unified Approach to Risk
To effectively reduce risk, organizations need more than faster response times. They need a connected understanding of their entire attack surface, along with the ability to act across it in a coordinated way.
In cyber operations, this means moving beyond alert overload to real-time prioritization. Instead of forcing analysts to sift through volumes of data, intelligence surfaces the threats that are most relevant to the organization’s environment and enables immediate action. The combination of prioritization and automation allows teams to reduce noise while improving both detection speed and response quality.
In digital risk protection, the focus shifts beyond the traditional perimeter. Today’s attackers target brands, customers, and executives just as frequently as they target infrastructure. By monitoring the open, deep, and dark web, Recorded Future provides visibility into impersonation campaigns, credential exposure, and emerging threats long before they impact the organization. More importantly, it enables rapid response, whether that means taking down fraudulent domains or preventing account takeover attempts.
Third-party risk represents another growing challenge. As organizations expand their ecosystems, they inherit risk from vendors and partners, often without real-time visibility. Third-party involvement in breaches has reached a staggering 30%, up from just 15% a year ago. Static assessments and periodic reviews can’t keep pace with how quickly vendor risk evolves today. Continuous monitoring, grounded in real-world intelligence, allows organizations to detect issues earlier, respond faster, and maintain a more accurate understanding of their exposure.
Threat intelligence-driven security is vital. It’s the eyes and ears of a security team. You can’t protect yourself against what you don’t know. A couple times now, Recorded Future has alerted us to something prior to the third-party vendor. That’s huge when we’re trying to protect our data.
Natalie Salisbury
Strategic Threat Intelligence Analyst, Novavax
In the realm of payment fraud intelligence, the shift is equally significant. There were some 269 million records posted across dark and clear web platforms in 2024, and a tripling of certain e-skimmer infections. It’s important to keep in mind that fraud doesn’t begin at the moment of transaction. Rather, it begins much earlier, in the environments where stolen data is exchanged and tested. Recorded Future provides comprehensive coverage across the complete payment fraud lifecycle. Sophisticated cleanup and normalization techniques result in better data quality and richer data sets, reducing manual research and enabling high confidence mitigation actions. By identifying these signals upstream and intervening, organizations can stop fraud before it’s executed, reducing both financial loss and customer impact.
One Intelligence Foundation. Total Visibility.
What makes this approach fundamentally different is that these capabilities are not delivered as isolated solutions. They are unified through the Recorded Future Intelligence Platform, which correlates data across millions of sources and billions of entities to provide a single, coherent view of risk.
This unified foundation enables organizations to connect signals that would otherwise remain siloed. Threat actors, infrastructure, vulnerabilities, and campaigns are all linked, allowing teams to understand not just what is happening, but what is likely to happen next.
That level of visibility is what makes autonomous defense possible. And not just within a single domain, but across the entire attack surface.
The urgency behind this shift cannot be overstated. Attackers are already operating at machine speed, using automation to scale their efforts and reduce the time between discovery and exploitation. At the same time, organizations that rely on manual processes are finding it increasingly difficult to keep up.
The consequences of this gap are significant. Longer dwell times allow attackers to entrench themselves more deeply. Delayed responses increase the cost and impact of incidents. And as breaches and fraud events become more visible, customer trust becomes harder to maintain.
This is no longer a question of optimization. It’s a question of whether existing operating models can keep pace with the reality of modern threats.
Rethinking What Threat Intelligence Should Do
As organizations evaluate their approach to cybersecurity, the role of threat intelligence needs to be reconsidered. It is no longer enough for intelligence to provide visibility. It must enable action. It must operate in real time. And it must extend across the full scope of organizational risk—not just one domain at a time.
Equally important, it must deliver outcomes that matter to the business. Faster detection, reduced exposure, and measurable risk reduction are no longer aspirational. They are essential for enterprise security in the modern, AI-powered threat landscape.
The goal for most organizations isn’t to replace their security stack. It’s to make it work better. By enabling intelligence to act autonomously, connecting visibility across domains, and aligning security operations with the speed of modern threats, organizations can close the gap that has long existed between insight and action. Recorded Future is built to make that possible.
If your team is still struggling with alert fatigue, delayed responses, or fragmented visibility, the issue may not be a lack of resources. It may be a limitation in how intelligence is being applied.
Now is the time to rethink that model.
Connect with Recorded Future to see how autonomous defense can help your organization move at the speed of today’s threats—and stay ahead of what comes next.
The paradoxes of today’s digital world are well-known to anyone with a smartphone.
Over the last decade, connectivity has expanded, yet the world has become more fragmented. Our everyday lives are more digital, but we spend more time parsing text messages for scams or deliberating the authenticity of potential deepfakes. Technology is delivering great productivity gains to small businesses while making them a larger target for cybercriminals.
In this environment, exposure becomes the default: Access points are growing, control is hard and reacting to change stops working. AI intensifies these dynamics because it compresses time for everyone, including adversaries.
Today, trust has become the most critical tool to move all businesses forward. Without trust, even the best ideas stall. People hesitate, adoption slows and growth stagnates.
Trust used to be something businesses tried to repair after a breach. Now it must be the starting point, and something to nurture and continuously prove in a world that has fundamentally changed.
It would be impossible to eliminate the risk entirely. Some estimates project cybercrime could cost the world $15.6 trillion annually before 2030, surpassing all but two of the world’s largest economies. Instead, the goal must be to build the ability to see sooner, decide faster and limit impact when, not if, something breaks. Trust today is all about bringing together speed, intelligence and collaboration, and that’s exactly what we’re developing across our teams.
Getting this right isn’t just good business sense, but the only way to ensure new technologies are embraced and economies can keep growing.
The advantage is intelligence
Real advantage comes from understanding context and connecting signals across systems. That’s what turns data into better decisions. This kind of intelligence increases speed, reduces risk and enables proactive action. With the right intelligence, teams can hunt for threats continuously, test assumptions and act before harm occurs, not just triage alerts after the fact.
You can see this shift in how the payments industry is evolving, including the work we’re doing by bringing Recorded Future’s threat intelligence together with Mastercard’s security capabilities, payments infrastructure and partnership models. We’re helping organizations understand where risk concentrates, how it propagates, and how quick, collective action can reduce the cost of cybercrime.
Faster insights mean earlier action, which minimizes impact — and deepens trust.
Trust is built through collaboration
Security doesn’t scale through isolated heroics. It scales through ecosystems: shared signals, shared standards and partners who can move together as new threats arise, attack vectors shift and failures spread.
Resilience is strongest when public and private sectors plan, exercise and respond together, rather than in parallel. Different players have different sightlines in the digital ecosystem. Startups look at the edges of innovation. Enterprises understand the realities of operating in today’s environment. Governments see where systemic risk concentrates. When those visions combine, our shields strengthen and expand, pushing cybercriminals out of the frame.
During our time here in Miami for the eMerge Americas conference, we’ve had the opportunity to speak to enterprises, startups, investors and government leaders about the need to accelerate resilience in Latin America, where the digital economy is booming but security hasn’t always kept pace. The region has the world’s fastest-growing rate of disclosed cyber incidents — in 2025 alone, Recorded Future tracked 452 ransomware incidents — but only seven countries have developed cybersecurity plans protecting critical infrastructure, and only 20 have formal computer security incident response teams.
That gap is where trust breaks, and where more collaboration can become a growth necessity. We can’t build sustainable economic growth in Latin America without building digital trust and cyber resilience. That’s why we are deepening our footprint here, enhancing regional threat intelligence and resilience and paving the way for stronger public-private collaboration to address these complex risks.
Secure digital access unlocks economic opportunity — and insecurity shuts it down fast. For a first-time digital user, one fraud incident can be enough to opt out for good. For a small business, one account takeover can wipe out months of progress. That’s why trust is inextricably linked to financial health. People can’t build stability on top of systems they’re afraid to use. At Mastercard, we’ve committed to connecting and protecting 500 million people and small businesses by 2030, because secure participation is foundational, not optional.
The bar for digital innovation today is not what we can deliver, but what people will trust enough to use, depend upon and harness for their own financial health. Because in the end, trust is the superpower.
AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management. Instead, they are scaling up problems familiar to vulnerability managers: patch prioritization and remediation backlogs.
For defenders, the timeline for determining which vulnerabilities matter most and remediating them before exploitation begins is narrowing, even as the overall volume of vulnerabilities rises. Organizations that rely on manual prioritization, slow patch cycles, or legacy software will face growing operational and security risks.
Figure 1: Reality versus hype of automated vulnerability research
The Vulnerability to Exploit Ratio
Vulnerabilities are software flaws attackers can use to gain access, run malicious code, escalate privileges, or disrupt operations. However, not every bug becomes a real-world threat: many are hard to reach, difficult to weaponize, or simply not worth an attacker’s time.
The total number of disclosed vulnerabilities has increased sharply in recent years, rising from roughly 21,000 in 2021 to nearly 50,000 in 2025. Part of that increase likely reflects stronger disclosure practices and bug bounty activity, though software growth, a broader attack surface, and more systematic reporting also play a role. Nonetheless, in 2025, Recorded Future only identified 446 vulnerabilities that were actively exploited in the wild, a reminder that confirmed exploitations remain a small fraction of total disclosures.
Figure 2:Yearly comparison of disclosed CVEs against CVEs with public exploits and vulnerabilities assessed as actively exploited by the Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities (KEV) Catalog and Recorded Future, 2021-2025
This is because attackers do not exploit every bug they find. Instead, they focus on developing exploits for the small subset of vulnerabilities that offer the best combination of reach, reliability, and return on investment, such as flaws that can be exploited remotely or affect widely used software. In other words, a vulnerability still has to be validated, turned into a reliable exploit, matched to a target, and integrated into an attack path worth the effort.
When a flaw matches the criteria, however, exploitation can move quickly. VulnCheck found that nearly 29% of KEVs in 2025 were exploited on or before CVE publication, a slight increase from the previous year, indicating the continued prevalence of zero-days and n-days. Much as their legitimate counterparts use AI in software development, adversaries are already using AI to accelerate parts of the attack workflow, including vulnerability research, exploit-path analysis, and malware development, even if its precise effect on exploitation timelines is hard to quantify. Some trackers estimate the median time-to-exploit may now be measured in hours rather than days, demonstrating the shortening window of time to act on a high-impact vulnerability.
How AI Changes the Equation
Anthropic and OpenAI recently drew significant attention through their limited release of what they claimed were uniquely powerful cyber defense models. An independent evaluation of Anthropic’s Mythos found significant improvements in multi-step cyberattack simulations. However, AI-assisted vulnerability discovery and penetration testing predate these models, and most frontier models have already demonstrated the ability to identify vulnerabilities and assist with exploit development. At present, these tools are still most effective in the hands of capable operators rather than enabling frictionless, low-skill exploitation at scale. This matters, too, as even if these capabilities are used primarily by security researchers in the near term, the resulting increase in disclosures, proofs of concept, and validated findings still adds to the defensive burden.
This impacts vulnerability management in three important ways:
More credible vulnerability reports to triage: New agentic systems can do more than flag suspicious code; they can reason through program behavior, validate findings, and help identify which weaknesses appear most exploitable.
Less time to mitigate exploitable vulnerabilities: Large-language models (LLMs) are accelerating the speed and scale of weaponization, meaning the path from disclosure to exploit could go from hours to minutes.
Reduced the cost of exploit development: Emerging models appear more capable of producing proof-of-concept exploit code, testing attack paths, and helping skilled operators iterate toward weaponizable exploits faster than before.
Figure 3: The vulnerability equation: How automated capabilities will likely impact reporting, exploit development, and impact
More Reports, More Noise
Using AI agents for software code will almost certainly increase the number of reported vulnerabilities and developed proofs-of-concept. Microsoft’s April 2026 Patch Tuesday, which followed Anthropic’s Project Glasswing announcement, was the company’s second-largest on record. However, according to Microsoft, it “does not reflect a significant increase in AI‑driven discoveries, though [they] did credit one vulnerability to an Anthropic researcher using Claude.” The more important question is not whether more flaws will be found — because they will be — but whether defenders can process, validate, and prioritize them fast enough to act.
Vulnerability submissions are already overwhelming researchers’ ability to assess their overall risk, creating a backlog of vulnerability enrichment and scoring. If AI sharply increases the volume of plausible findings, defenders will face even more uncertainty around which vulnerabilities represent the next high-impact systemic event and which are background noise.
Less Time to Act
For the vulnerabilities that are actually a problem, defenders have even less time to respond. Automated exploit development will likely shorten the path from discovery to proof of concept and, in some cases, to weaponization for the subset of vulnerabilities worth pursuing. Adding to the triage problem, some medium-severity or otherwise “non-critical” vulnerabilities will need to be re-evaluated as possible components of exploit chains, even if they would not normally rank as urgent on their own.
Drowning out the Alarms
Even as defenders deal with more noise, a larger volume of reported, plausible findings is likely to increase the absolute number of high-impact exploits they need to address quickly. As a result, defenders face an even greater challenge in identifying the small subset of issues that matter most before attackers do.
This does not mean every newly disclosed flaw will be weaponized, or that high-impact, “internet-breaking” events will become commonplace; however, even a modest increase in exploited vulnerabilities puts more pressure on prioritization, patching speed, and compensating controls, especially for organizations already struggling with manual triage, slow patch cycles, or legacy software.
How to Use Automation for Good
For most organizations, the immediate risk is not that every vulnerability will suddenly be exploited, but that defenders will have less time to determine which findings matter most. Vulnerability discovery and exposure management should therefore be treated as related but distinct problems: AI may increase the number of findings, but defenders still need context to determine which exposures are actually reachable, high-impact, and worth urgent remediation.
In this environment, using AI-enabled vulnerability discovery, prioritization, and defensive remediation will be essential to keeping pace with attackers. The five actions listed in the following section can help organizations stay ahead of the threat.
1. Automate Vulnerability Prioritization and Response
Shift from CVSS-only scoring to real-time exploitability and exposure-based risk scoring to handle the surge in AI-assisted vulnerability discovery. Deploy automated scanning, validation, and threat hunting to identify exploitation activity quickly, especially in widely used software and internet-facing systems. Recorded Future’s Insikt Group regularly reports on new vulnerabilities and exploit trends and develops Nuclei templates to detect actively exploited vulnerabilities.
2. Accelerate Patching and Upgrade Cycles
As the time to exploit shifts from days to hours, the time to mitigate vulnerabilities will similarly shorten. Patch management will need to move faster, particularly for internet-facing systems, widely used software components, and critical dependencies. Automated remediation and automated compensating controls will likely become necessary to keep pace with AI-accelerated discovery. The Vulnerability Intelligence module in the Recorded Future Intelligence Operations Platform can help with prioritization based on the likelihood of exploitation. Ensure all automated actions are logged and regularly audited by a human, and require a human-in-the-loop for any actions on high-impact systems.
3. Reduce Dependence on Legacy and Unsupported Software
AI may make it easier for threat actors to identify and validate exploitable weaknesses in older, under-maintained codebases. Unsupported systems and aging software are likely to become increasingly difficult to justify unless they are strongly isolated and tightly controlled.
4. Shift Vulnerability Detection Earlier in the Software Lifecycle
Organizations should integrate automated security testing and AI-assisted vulnerability discovery into development pipelines. Early detection can help defenders fix vulnerabilities before production, reducing remediation burden later.
5. Get Ready for the Next High-Impact Event
Develop emergency response and mitigation playbooks specifically for high-impact, broadly applicable flaws, including scenarios where a patch is not immediately available. Preparation should include not just patching, but also containment measures such as segmentation, access restrictions, traffic filtering, and other compensating controls.
Integrate, don't replace. Recorded Future enriches your existing security tools by automatically layering in contextual threat intelligence, reducing manual effort and enabling faster, better-informed decisions.
Know where you stand. Assessing your organization's maturity across four stages — reactive, proactive, predictive, and autonomous — helps you identify which workflows to prioritize and where automation can have the most impact.
Start simple, then scale. Four core workflows (i.e., IOC enrichment, vulnerability prioritization, Autonomous Threat Operations, and watch list automation) offer a practical on-ramp, and many integrations can be activated in just a few clicks through Recorded Future's Integration Center.
Threat intelligence can elevate cybersecurity programs from reactive to autonomous, transforming workflows and delivering measurable improvements. In a recent webinar, we shared practical steps for integrating threat intelligence into existing security stacks, optimizing workflows, and accelerating organizational maturity in cybersecurity practices.
Read on for actionable insights, frameworks, and tools shared during the session.
Bridging the gap: threat intelligence integration
The key to effective threat intelligence is making your tools work together seamlessly. Recorded Future doesn’t aim to replace your existing cybersecurity tools, but rather to enrich and connect them.
When Recorded Future connects to the tools already in your stack, it automatically adds contextually relevant threat intelligence to whatever you're working on. This can mean less manual effort and faster, better-informed decisions.
Understanding your organization’s cyber maturity
A useful starting point is assessing where your organization currently stands across four stages of cybersecurity maturity: reactive, proactive, predictive, and autonomous:
Reactive organizations focus on responding to incidents as they occur.
Proactive organizations hunt for threats before they lead to incidents and align detection systems to adapt toward emerging risks.
Predictive programs extend threat intelligence beyond the security operations center (SOC) to other organizational stakeholders.
Autonomous programs leverage automation to identify and respond to threats in real time at machine speed.
Maturity doesn't have to be assessed at the program level alone. Individual use cases may be at different stages. Alert management, for instance, may already be highly automated, while other workflows remain more reactive.
A helpful way to identify where to focus is to ask a series of questions, including:
What does my current alert workflow look like?
What's my most time-consuming process?
What's my top priority for the next 12 months?
Your answers will enable you to identify areas for improvement and then prioritize your workflows as needed.
Three key integration workflows—and one bonus workflow
Next, we suggest integration workflows that are designed to help you optimize your security operations with Recorded Future threat intelligence:
1. Indicator of compromise (IOC) enrichment
Detection tools often generate alerts with limited context, leaving you asking why something was flagged and how risky it actually is.By integrating Recorded Future, you’ll find that those alerts can be automatically enriched with information such as malware families, exploited vulnerabilities, and threat actor connections—enabling better, faster decisions without additional manual research.
2. Vulnerability prioritization
Most organizations depend on CVSS scores or vendor-provided data to assess vulnerabilities, but that approach doesn't always reflect real-world risk. A more effective strategy is asking: Is this vulnerability being actively exploited in targeted campaigns? Are threat actors targeting my industry with it?
Recorded Future enhances vulnerability management primarily through threat intelligence context, with risk scoring that tells you why something is risky—specifically whether a CVE is being actively exploited in the wild, and whether it's targeting organizations in your industry.
3. Autonomous Threat Operations
The most advanced workflow involves automating threat detection and prevention from end to end. Recorded Future can identify emerging threats, initiate retroactive threat hunts, and automatically update detection and blocking lists in tools like EDR platforms—all without manual intervention. This will enable your security team to shift from reactive firefighting to real-time, autonomous threat prevention. Learn more about Autonomous Threat Operations, available in Recorded Future’s Professional and Elite pricing packages.
4. Bonus workflow: Watch list automation
Your existing vulnerability scanners like Tenable, Qualys, Wiz, and Rapid7 are already identifying vulnerabilities in your environment. A Watch List automation connector can link those tools directly into Recorded Future's Watch Lists, so the Platform automatically reflects your real threat footprint at all times. Instead of tracking a static list of top vulnerabilities, you get contextual intelligence tied to what's actually in your environment, and you're automatically alerted when vulnerabilities change in risk status.This shifts vulnerability management from a reactive posture to a predictive one, and makes prioritization effectively autonomous.
The role of Recorded Future’s Integration Center
The Integration Center makes it straightforward to connect with popular security tools including Splunk, ServiceNow, CrowdStrike, and SentinelOne. Many of these integrations are pre-built and can be activated in just a few clicks, meaning there may already be value waiting to be unlocked within your existing SIEM, SOAR, EDR, TIP, vulnerability management tools, GRC platforms, and more.
Driving business value with integrated threat intelligence
Beyond operational efficiency, well-integrated threat intelligence workflows build organizational trust and give security leaders a stronger, data-backed narrative about how their teams are operating. Automating enrichment and response creates the space to focus on strategic priorities—and makes it easier to demonstrate the program's value to leadership.
The path toward autonomous threat operations requires sophisticated technology, seamless integrations, smart prioritization, and strategic planning. The best approach is simply to start: Activate a workflow, see the value it delivers, and build from there.
If you need help getting started or have questions about your organization’s specific needs, book a custom demo.
Business impersonation is the hidden thread connecting old and new fraud. Discover how the same core tactic is fueling both a surge in commercial check fraud and an explosion of AI-powered online shopping scams targeting younger consumers.
Tools like Positive Pay and 3D Secure authentication, while effective against the fraud they were built to stop, have pushed threat actors to evolve their schemes in ways that render those controls irrelevant.
Ecosystem gaps are often the real vulnerability. Fraudsters exploit the chain of assumed trust between social media platforms, card networks, merchant onboarders, banks, and local business registries — turning each party's reliance on the last into an open door.
If you’re a millennial or Gen Z-er, then you probably haven’t used a paper check in a while. According to the Federal Reserve Bank of Atlanta, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, Nasdaq Verafin saw check fraud instances rise another 11% in 2025.
Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For 40% of you, that has meant falling for an online shopping scam.
On the face of it, these look like two ends of the fraud spectrum:
On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (Federal Reserve Bank of Atlanta).
On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.
The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So what’s the thread linking them together? Business impersonation. It manifests itself differently across schemes, but for anti-fraud systems built to detect check washing and counterfeiting on the one hand, and unauthorized third-party card fraud on the other, business impersonation has emerged as the fraudster’s response to exploit both.
Commercial checks and copycat businesses across state lines
In the past, stolen checks were often whitewashed to change the recipient and amount, and then walked into banks for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month period—a 161% increase from the prior year. Recorded Future’s Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.
Mapping stolen checks by zip code; courtesy of Recorded Future
Yet even among declining consumer check usage rates, businesses’ use of commercial checks remains stubbornly high in the US: the Association for Financial Professionals (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.
In perhaps the most eye-catching example, fraudsters intercepted a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. How’d they do it? You can’t just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.
Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name “The Bazooka Companies, LLC”, so culprits registered a fictitious company in New York under the name “The Bazooka Companies 1 Inc”. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.
Fast forward to today, and the scheme is still happening. Recent research from Recorded Future Payment Fraud Intelligence(PFI) surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.
As with most fraud, this scheme’s emergence is based on:
Exploiting ecosystem gaps between disparate parties: Businesses can have the same name as another when registered in different states. Pair that with most states’ limited mandate to investigate business registrations, and we’re left with the first gap:
“As long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filing” (National Association of Secretaries of State, September 2025)
When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity — synthetic or otherwise — then the bank won’t have a clear reason to reject the application just because a business called John’s Toilet Supply, LLC exists in another state.
Delivering a reactionary counterpunch to effective fraud processes: Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.
80% discount on shoes? How can you say no?
If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.
The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to Salesforce’s 2025 report. The problem is that the journey is littered with traps: in November 2025, leaked internal documents from Meta claimed the “company shows its platforms’ users an estimated 15 billion ‘higher risk’ scam advertisements — those that show clear signs of being fraudulent — every day”. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams as the most reported scam type and social media advertisements as the most common originator.
Brand impersonation shopping scams impacting shoppers in January 2026; courtesy of Recorded Future
The basics of the scheme are nothing new. Capture payment card data by creating a fake online store and advertise too-good-to-be discounts. What’s changed is that these are no longer just phishing websites. They’re functional online shops that process payments via merchant accounts. Behind each of these merchant accounts is a registered business.
This is creating problems throughout the ecosystem:
Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.
Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud aren’t present. The cardholder is authorizing the transaction, and there’s nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, it’s the cardholder doing the transacting under manipulation.)
The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)
But just like with the check fraud example, a big part of why online shopping scams have exploded — outside of generative AI making brand abuse content easier than ever to create at scale — is ecosystem gaps and fraudsters reacting to the defense:
Exploiting ecosystem gaps between disparate parties: By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.
Delivering a reactionary counterpunch to effective fraud processes: The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.
Thinking towards the way out
On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.
Of course, in the Bazooka example of same-name business impersonation, this wouldn’t help. Nothing about the check was modified. So here, banks offer Reverse Positive Pay, which basically means the business personally signs off on each sent check. It can solve the problem but shifts more operational and investigatory expenses onto the business (which might explain why adoption rates are south of 20%, according to Datos Insights and Alkamai). In the end, though, it makes you wonder why not heed the advice and move to alternative electronic payment methods?
On the online shopping scam side, solutions are more complex and scattered across the ecosystem.
At the top of the funnel, there’s rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.
At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.
For card issuers on the frontline, it’s a more delicate dance. Card issuers aren’t on the hook for authorized card payments to fraudsters under the Fair Credit Billing Act (FCBA) or Electronic Funds Transfer Act (EFTA), but 67% of cardholders expect them to cover scam losses. Though when cards transacting on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is the issuer’s problem.
The best solution aligns with the industry’s movement toward CTI-fusion models to address the cyber component of cyber-enabled fraud. The convergence of online shopping and purchase scams is precisely the type of problem the new organizational model was meant to combat.
In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain to correlate reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, sourcing online shopping scams at runtime and attributing the abused merchant accounts. The two teams then meet in the middle, using modeled transaction patterns and threat-hunted active scam websites, ultimately leading to the deployment of merchant-based fraud risk rules.
So, in the meantime, where does all this leave us? The same thing you’ve heard plenty of times: stop using checks if you can and don’t trust too-good-to-be-true offers from online ads.
How Recorded Future Helps
The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.
Payment Fraud Intelligence — tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.
Digital Risk Protection — provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions — with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.
TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days.
Stolen credentials can enable payroll redirection, freight rerouting, and extortion — active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis.
Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense — combining third-party due diligence. cryptographic signing, and AI-driven anomaly detection — actually requires.
In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly 97 million monthly downloads used by thousands of organizations to connect to AI services) and Checkmarx (one of the most widely used application security testing platforms on the planet). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository.
From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.
And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.
Identity Is the Perimeter (and the Attack Surface)
The throughline in the TeamPCP campaign is identity. Start to finish.
TeamPCP intelligence summary courtesy of Recorded Future.
No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s identity intelligence contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCPs’ earlier compromise of Aqua Security’s Trivy infrastructure in late February (where incomplete credential rotation left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.
Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.
Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to four additional software distribution ecosystems. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.
This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works.
We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.
The Impact Is Not Just Ransomware
TeamPCPs’ Telegram channel references a ransomware victim’s site. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.
CipherForce intelligence summary courtesy of Recorded Future.
But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?
The answer, based on what Insikt Group is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.
Redirect payroll. Late last year (2025) Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a criminal forum, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.
Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker’s name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.
These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.
In the five risk impact categories we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).
The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.
Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.
But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.
The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.
So What. Now What.
TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.
For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, immutable versions.
But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.
The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone else’s payday.
How Recorded Future Helps
The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:
Identity Intelligence — monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response — including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.
Insikt Group — elite analysts with deep government, law enforcement, and intelligence agency experience who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.
Third-Party Risk — continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.
Recorded Future is now offering four solutions covering cyber operations, digital risk protection, third-party risk, and payment fraud.
Three tiered packages (Core, Professional, Elite) bundle these solutions to scale with an organization's security program.
Packages include unlimited users and integrations so intelligence reaches everyone who needs it.
The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Group® 2026 State of Security documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.
Consider what Insikt Group® tracked last year:
State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.
Weak governance and systemic corruption fueled industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.
Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.
Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.
The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.
The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.
Re-Imagining How Intelligence Is Delivered And Operationalized
Historically, Recorded Future has been sold on a per-user and per-capability basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.
Today’s threat landscape is fast, more complex, and deeply interconnected. Customers are no longer looking for point solutions, they’re asking for a fundamentally different way to consume and operationalize intelligence.
Customers are asking us to provide:
Complete capabilities to support use cases aligned with core risk domains.
Democratized access to intelligence across teams, workflows and systems.
A simplified and predictable way to purchase for ease of budgeting and adoption.
In response, we’ve re-imagined Recorded Future is delivered:
“Four Solutions. Three Packages. One Intelligence Foundation.”
A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.
Four Solutions for Four Critical Risk Domains
Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. We’ve re-organized our platform into four purpose-built solutions tied to distinct domains of enterprise risk.
Cyber Operations gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.
Digital Risk Protection helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.
Third-Party Risk delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.
Payment Fraud Intelligence identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.
Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graph®, a signal detected in one domain immediately enriches context across the others.
Three Packages That Scale With Your Program
Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scale as their programs mature.
Core is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.
Professional is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.
Elite delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teams—from CTI to SOC to Risk—driving smarter and faster risk-enabled decision making and response.
Across all packages, customers get full access to the Intelligence Graph®, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.
Built for Everyone Who Needs Intelligence, Not Just Analysts
Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.
For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.
Every package also includes unlimited integrations from Recorded Future’s hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.
One Intelligence Foundation Across Every Domain
What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graph®, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.
A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.
That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.
The Path Forward
Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.
Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.
We built this for the threats you're facing right now, and the ones coming next.
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.
In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for CVE-2025-68613 (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.
Quick Reference: March 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Table 1:List of vulnerabilities that were actively exploited in March based on Recorded Future data.
Key Trends: March 2026
Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.
Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.
These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.
Exploitation Analysis
This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.
Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)
On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing Interlock ransomware campaign exploiting CVE-2026-20131. CVE-2026-20131 is a critical vulnerability affecting Cisco’s Secure Firewall Management Center (FMC) software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, Interlock Ransomware Group exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.
The Interlock Ransomware Group exploits vulnerable Cisco FMC instances via crafted HTTP requests exploiting CVE-2026-20131 to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support follow-on operations.
They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.
Changes the machine’s desktop wallpaper that displays a pornographic image
Delays execution using the Sleep API function for evasion
Detects debuggers using the GetTickCount API function to compare timing
Figure 1:Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)
There's a category of employee credentials where standard monitoring often falls short: executives, finance leaders, IT administrators, and those with privileged access have a large target on their back.
VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.
The Challenge with Protecting Your Most Targeted People
According to Verizon's 2025 Data Breach Investigations Report, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.
What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords — they capture the authorization URLs where those credentials were entered. According to Recorded Future’s 2025 Identity Threat Landscape Report, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.
Figure 1: Top authorization URL categories, 2025 (Source: Recorded Future)
That means attackers can usually identify the access endpoints credentials unlock and they will prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.
The 2025 cyber attack on University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.
The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.
Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.
That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.
Monitoring Built for High-Value Targets
VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.
From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.
Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. For all stolen credentials indexed in 2025, Recorded future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.
The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.
When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual — all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.
A Complete Picture of Identity Exposure
VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future Identity Intelligence broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.
For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.
This includes Incident Reports, which surfaces any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.
Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free Identity Exposure Assessment Report and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.
For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on. That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.
Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.
Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.
Recognized in the 2026 Forrester Wave™
Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to Forrester customers or for purchasehere).
We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.
We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading. In light of where the ratings market is today, let’s dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.
The Gap Between Hygiene and Intelligence
Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.
But hygiene ratings only answer part of the problem: How well is this vendor maintaining their defenses?
They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.
From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.
Third-Party Risk Management Is an Intelligence Operation
If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.
That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem Recorded Future Third-Party Risk was built to solve.
We've brought together two distinct capabilities that, until now, existed in separate worlds.
RiskRecon — built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.
Recorded Future's threat intelligence capabilities, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation — often before the affected vendor is even aware.
Together, these capabilities create something the market hasn't had before: a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response.
What This Looks Like in Practice
The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.
When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours — not the days or weeks it takes for vendor self-disclosure.
When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.
When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.
Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (UserEvidence). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (UserEvidence). And customers routinely detect vendor incidents before the vendor itself has disclosed — turning what used to be a reactive scramble into a controlled, proactive response.
These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.
Where We're Going
We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.
Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.
The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.
Join the Shift to Intelligence-Driven Third-Party Risk
Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.
The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.
That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.
Recorded Future is the World’s Largest Intelligence Company. Our team works to build products that customers love. In this video, Kyle Kohler interviewed with VentureFizz about his day-to-day as a Senior Product Manager for Integrations. He describes the job as truly multifaceted, encompassing starting new strategic initiatives, turning customers feedback into improvements, and enabling other team members to do the same. Full video and transcript available below.
I’m Kyle Kohler. I’m a product manager over the integration strategy at Recorded Future.
Recorded Future is the world’s largest threat intelligence provider. We are covering all sorts of domains of intelligence. It’s geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.
As a product manager, it’s funny. I see it as this arson firefighter educator role. And I think that definitely needs to be unpacked a bit. As an arson, you’re starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and one do I burn hotter? And as a firefighter, you’ve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, you’re very strategically figuring out what to stamp out, what to stoke. And as an educator, you’re also teaching others how to start fires and put out fires. So, you’re constantly going from one thing to the next and keeping all of these moving pieces going. There’s no one project that you just shepherd along and that’s the only thing you work on. You’re constantly context switching and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.
At Recorded Future, we’re a global organization and I’m based on the west coast of California. So I wake up in the morning and the first thing I’ve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and they’ve got some questions that maybe I can answer or they’re looking for how to direct on who might have the right answer. So the first thing generally starts with voraciously checking Slack and I’m answering notifications as I mentioned questions and the next thing is okay well from the answers to those questions are there new initiatives that need to get spun up or are there existing initiatives that need to get nudged along or are there certain fires that need to get stamped out and that’s the whole day is you’re really tracking where things are in their current state what needs to get responded to and what needs to get pushed along.
Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology but also as a company was not just related to IT and cyber had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem how do you track everything that happens everywhere but then how do you break that down into these bite-sized pieces that ultimately help an organization’s current mission. So I really was attracted by the fact that we are helping organizations secure the world. We’re able to do that by securing the world with intelligence, but it’s so multi-domain that you’re just never going to get bored. There’s always something new. There’s always something to track. There’s always some new threat. There’s always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with what’s next in the market, what’s next in the threat landscape and how will we as a company address supercharging the existing missions of our organizations that we help today.