Normal view

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

Blogs

Blog

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

In this post, we examine how CISA BOD 26-04 shifts the industry away from flat CVSS scoring and details how Flashpoint bridges the critical data gaps left by public vulnerability repositories.

SHARE THIS:
Default Author Image
June 15, 2026

With the recent issuance of Binding Operational Directive (BOD) 26-04, CISA has officially shifted federal policy away from static severity scores and flat patching timelines  toward threat-informed prioritization. The move reflects a reality security teams have grappled with for years: not all critical vulnerabilities post the same risk, and not all active vulnerabilities receive the highest CVSS scores. 

Traditional vulnerability management programs have often relied on severity-based patching models that force resource-constrained teams to focus on large volumes of high-scoring vulnerabilities. Yet research consistently shows that threat actors routinely exploit a broader range of weaknesses, including lower-scoring vulnerabilities on internet-facing assets, to gain initial access and move laterally through victim environments. 

While BOD 24-04 represents a significant step forward, there are still hidden challenges organizations will face as they adopt a risk-based approach. The operational reality is that executing a truly risk-based matrix validates what Flashpoint has maintained for years: effective vulnerability prioritization requires deep, contextual threat data. Unfortunately, the needed real-world metadata for this kind of context are simply not supported by public sources of vulnerability intelligence.

Understanding BOD 26-04

BOD 26-04 evaluates the urgency of a vulnerability by cross-referencing a security flaw against four distinct operational variables:

  1. Asset Exposure: Is the asset publicly accessible via the internet?
  2. Known Exploited Status (KEV): Is there verifiable evidence of active exploitation in the wild?
  3. Exploit Automation: Can a threat actor completely automate the weaponization and delivery of the exploit?
  4. Technical Impact: Does a successful exploit result in partial disruption or total compromise of the target system?

By analyzing these variables in tandem, organizations can tier their response and execute clear, defensible SLA metrics.

Risk PriorityReal-World Matrix ConditionsRequired SLA & Operational Action
P1: Immediate RiskIn KEV + Publicly Exposed + Automatable + Total Impact3 Days (Includes Mandatory Forensic Triage)
P2: Urgent RiskIn KEV + Publicly Exposed + (Either Non-Automatable OR Partial Impact)7 Days
P3: Elevated RiskIn KEV + Internal / Non-Publicly Exposed Asset14 Days
P4: Standard RiskNot in KEV + Publicly Exposed + Automatable + Total Impact30 Days
Deferred RiskNot in KEV + Internal Asset OR Lower Technical ImpactNext Scheduled System Upgrade / Maintenance

According to CISA, the pilot testing of this model has shown that fewer than 1% of an organization’s typical vulnerability backlog requires urgent, immediate remediation, while over 60% can be safely deferred to standard system maintenance cycles. However, implementing this framework successfully requires access to granular, real-world data points that public sources of vulnerability intelligence simply do not support. 

“Speaking with security teams in the wake of this directive, it is clear that BOD 26-04 is a major paradigm shift. While the ability to safely defer more than half of your patch backlog is an invaluable efficiency gain for modern organizations, executing that strategy effectively requires ground-truth intelligence on exploit automation and adversary intent that public registries simply cannot deliver.

Josh Lefkowitz, CEO and Co-founder at Flashpoint

The Data Challenge

To operationalize this model successfully, organizations will require a high-fidelity intelligence pipeline that combines comprehensive threat and vulnerability intelligence into clear, context-rich insights that support prioritization and decision making. You cannot confidently defer remediation without verifiable intelligence that proves the vulnerability lacks active exploit history or automation maturity.

Unfortunately, relying on public data feeds like the CVE database or the National Vulnerability Database (NVD) to fuel this matrix creates an immediate operational bottleneck. Public repositories have historically struggled under severe analysis backlogs, leading to processing delays and missing Common Platform Enumeration (CPE) data. Furthermore, public feeds are inherently reactive; they do not monitor illicit communities where exploit code is developed, nor do they track the real-time weaponization metrics needed to meet BOD 26-04’s tight 3-day or 7-day compliance window.

How Flashpoint Solves the Prioritization Gap

Flashpoint Vulnerability Intelligence bridges the gap between public data limitations and the requirements of real-world exposure management. Independently researched and enriched, Flashpoint provides the precise contextual signals required by the CISA BOD 26-04 matrix:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity and remediation
  • Consistent enrichment that can be integrated into operational workflows
  • Over 7,000 known exploited vulnerabilities (KEV)

By integrating Flashpoint’s continuous intelligence into operational workflows, security teams can automatically validate exposure, assess automation potential, and confidently claim the operational relief that risk-based prioritization promises.

“We are convinced by Flashpoint’s superior vulnerability coverage, timeliness in the updates, and long-term monitoring of exploits. We also really appreciate Flashpoint’s proprietary CVSS rating and classifications based on expert knowledge of the standard and practical use in the industry. Having all this curated information at your fingertips is a game changer.”

Vulnerability Manager, Telecommunications

Prioritize Vulnerability Risk Using Flashpoint

CISA’s BOD 26-04 represents a critical shift away from severity-based patching and toward defensive efficiency. However, the effectiveness of this model is entirely dependent on the fidelity of your threat data.

Without best-in-class comprehensive vulnerability intelligence, security teams will be forced back into reactive patching cycles. Request a demo to learn more how Flashpoint helps security teams move beyond the constraints of static scoring and align their vulnerability management workflows with actual risk.

See Flashpoint in Action

The post The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04 appeared first on Flashpoint.

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Blogs

Blog

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Our new guide explores how infostealers are fueling modern identity-based attacks and how organizations can build a proactive defense before stolen access is weaponized.

SHARE THIS:
Default Author Image
June 10, 2026

The New Reality of Identity-Based Threats

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from devices infected with information-stealing malware, with each record containing usernames, passwords, session data, and the context needed to use them.

Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services, session artifacts reflected active logins, and much of the information was recent enough to enable direct access without triggering traditional security controls.

This incident reflects a broader shift in the threat landscape.

More than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.

11.1 million infected hosts and devices
3.3 billion stolen credentials
Top 5 most prolific infostealers in 2025 (by infected hosts or devices):
Lumma
Acreed
Rhadamanthys
Vidar
StealC
Top 6 countries affected by information-stealing malware, 2025:
India
Brazil
Indonesia
Vietnam
Phillipines
United States

For security teams, the challenge is no longer simply detecting a breach after it occurs. It is understanding when access may already exist — where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.

That’s why Flashpoint created Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.

Drawing on Flashpoint’s Primary Source Collection (PSC) and analyst-driven intelligence, this guide helps IT, Threat Intelligence, Fraud, and HUNT teams understand how infostealers operate, how stolen identity data fuels real-world attacks, and how organizations can move from reactive response to proactive defense.

The guide explores:

  • How today’s most active infostealers power modern attack chains
  • How threat actors weaponize stolen credentials, cookies, and session data
  • How organizations can operationalize infostealer intelligence for proactive defense
  • How to evaluate infostealer intelligence providers and detection capabilities

Why Identity Has Become the Preferred Attack Surface

For years, security teams focused on vulnerabilities, malware delivery, and network intrusion as the primary paths to compromise. Increasingly, however, threat actors are taking a different

Modern infostealers such as Lumma, StealC, Vidar, Acreed, and Rhadamanthys provide attackers with something more valuable than initial access: usable identity. These malware families collect credentials, browser artifacts, session cookies, application data, and host metadata that help threat actors understand how a victim authenticates and what systems they can access.

A single infected device can expose credentials, browser artifacts, session cookies, application data, host metadata, and access to enterprise SaaS platforms. Together, these artifacts create a detailed profile of how a user authenticates, what systems they access, and how those systems trust that identity.

This is what makes infostealer data so valuable.

For years, organizations have invested heavily in detecting malware, blocking exploits, and hardening infrastructure. Meanwhile, attackers have increasingly shifted to a simpler strategy: logging in with valid identities.

Infostealers have fundamentally changed the economics of access. Threat actors no longer need to compromise a network directly when billions of credentials, session cookies, and authentication artifacts are already circulating in underground ecosystems. The challenge for defenders has risen from preventing compromise to identifying where access already exists and how quickly it can be weaponized.

Ian Gray, Vice President of Intelligence at Flashpoint

Identity data is inherently reusable. A stolen credential can be tested across multiple services. A session cookie can potentially allow attackers to hijack authenticated sessions. Browser and host metadata can help threat actors recreate a victim’s environment and bypass security controls designed to detect suspicious logins.

What begins as a single infection can quickly evolve into access across multiple systems, applications, and organizations.

What Is an Identity-Based Attack?

Identity-based attacks occur when threat actors use legitimate credentials, session cookies, authentication tokens, or other identity artifacts to gain access to systems and applications. Rather than exploiting a vulnerability or deploying malware inside a target environment, attackers authenticate as trusted users using stolen identity data.

This shift is one of the primary reasons infostealers have become so valuable. Modern infostealer logs often contain far more than usernames and passwords. They may also include browser cookies, session information, host metadata, application data, and other artifacts that help attackers understand how a user authenticates and what systems they can access. When combined, this information enables account takeover, fraud, lateral movement, and other forms of identity-based abuse.

From Credential Theft to Identity Exploitation

The way threat actors operationalize stolen data is evolving just as rapidly as the data itself.

Historically, attackers often had to manually review stolen credentials and determine which accounts were worth pursuing. Today, that process is increasingly automated.

Infostealer logs can be aggregated, tested, and prioritized at scale, allowing threat actors to rapidly identify valid access across enterprise systems, SaaS platforms, VPNs, and cloud environments.

Flashpoint identifies this as a hybrid threat: the convergence of large-scale identity compromise and automated exploitation.

Once valid access is identified, attackers can move quickly. Credentials may be reused across services. Session data can be leveraged for account takeover. Access can be sold to ransomware operators, fraud actors, or other criminal groups. In many cases, exposure itself becomes part of the attack lifecycle rather than merely a precursor to it.

The result is a threat landscape where stolen identity data is not simply stored and sold. It is continuously tested, validated, reused, and operationalized.

Turning Exposure Into Actionable Intelligence

For defenders, prevention remains important. But prevention alone is no longer enough.

Organizations must also be able to identify when credentials, session cookies, and other identity artifacts have already been exposed and are circulating within underground ecosystems.

The earliest opportunity to intervene is often after data has been exfiltrated but before attackers have successfully operationalized it.

Achieving that visibility requires more than traditional breach feeds or aggregated datasets.

Flashpoint’s Primary Source Collection approach provides direct visibility into the forums, marketplaces, Telegram channels, malware repositories, and illicit communities where infostealer activity originates. Rather than relying solely on recycled breach data, Flashpoint continuously collects from the environments where stolen identity data is first shared, sold, and operationalized.

However, collection alone is not enough.

Raw infostealer logs are noisy, fragmented, and difficult to operationalize at scale. Flashpoint transforms these logs into structured intelligence through a multi-stage workflow that includes:

  • Source ingestion from underground ecosystems
  • Normalization and de-duplication of collected data
  • Automated parsing and enrichment of credentials, cookies, host metadata, and malware attribution
  • Structured output that supports alerts, investigations, and integrations across existing security workflows

This process helps defenders understand not only what was exposed, but who may be affected, how exposure occurred, what systems may be at risk, and how quickly action is required.

Building a Proactive Defense Across the Identity Layer

The rise of infostealers has fundamentally changed how organizations should think about attack surface management.

The attack surface is no longer limited to infrastructure, endpoints, or internet-facing applications. It now includes the digital identities of employees, partners, vendors, and customers.

Security teams need visibility into the identity layer itself — understanding where exposure exists, how attackers are leveraging stolen data, and what actions should be taken before access is exploited.

By combining direct visibility into underground ecosystems with structured, actionable intelligence, organizations can identify compromised accounts earlier, uncover infection trends, prioritize response efforts, and reduce the likelihood of downstream compromise.

Download Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense to learn how your organization can build a proactive defense program across the identity layer.

Key Infostealer Statistics

According to Flashpoint research:

  • More than 11.1 million devices were infected with infostealers in the last year.
  • Over 3.3 billion credentials, session cookies, cloud tokens, and identity artifacts are circulating across illicit markets.
  • Flashpoint analysts identified 30+ active infostealer strains being sold across underground ecosystems.
  • Flashpoint’s credential database contains 48+ billion credentials, including more than 1 billion tied to infostealer activity.
  • More than 4.2% of infostealer-exposed credentials include browser cookies that may support session hijacking.
  • Flashpoint can collect and parse some infostealer logs within one to two days of infection.

Frequently Asked Questions (FAQ)

FAQ: Infostealers and Identity-Based Threats

What is an infostealer?

An infostealer is a type of malware designed to collect sensitive information from an infected device. Depending on the strain, this can include usernames and passwords, browser cookies, session tokens, saved payment information, cryptocurrency wallets, system metadata, and other identity-related artifacts.

How do infostealers work?

Infostealers infect a victim’s device and collect information such as credentials, browser data, session cookies, autofill information, cryptocurrency wallet data, and system metadata. The stolen information is packaged into files known as infostealer logs, which can then be sold, shared, or operationalized by threat actors.

What information can infostealers steal?

Depending on the malware family, infostealers can collect usernames and passwords, session cookies, authentication tokens, browser history, saved payment information, cryptocurrency wallet data, system information, installed applications, and other identity-related artifacts. The goal is to provide attackers with enough information to access accounts and impersonate legitimate users.

What are the most common infostealers?

The infostealer ecosystem changes rapidly, but Flashpoint analysts currently track strains such as Lumma (also known as LummaC2/Remus), StealC, Vidar, Acreed, and Rhadamanthys among the most prominent malware families driving credential theft and identity-based attacks.

Why are infostealers so dangerous?

Infostealers provide attackers with more than credentials. Modern infostealer logs often contain the context needed to use stolen data, including session information, browser artifacts, and device metadata. This allows threat actors to perform account takeovers, move laterally within environments, and gain access to business-critical systems. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, contributing to a pool of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts.

What is an infostealer log?

An infostealer log is a package of data collected from an infected device. Logs may contain credentials, cookies, browser data, application information, host metadata, and other artifacts that help attackers understand how a victim authenticates and what systems they can access.

Can infostealers bypass multi-factor authentication (MFA)?

In some cases, yes. While multifactor authentication remains a critical security control, stolen session cookies and authenticated session data can sometimes allow threat actors to hijack existing sessions without needing to complete the MFA process themselves. Flashpoint found that more than 4.2% of infostealer-exposed credentials in its dataset were associated with browser cookies, highlighting the growing importance of session-based risk.

How do threat actors obtain infostealer logs?

Infostealer logs are frequently bought and sold across illicit marketplaces, forums, Telegram channels, and other underground communities. Many are distributed through Malware-as-a-Service (MaaS) offerings that make infostealer capabilities accessible to a wide range of threat actors. Flashpoint analysts identified more than 30 unique infostealer strains actively offered for sale across underground ecosystems.

How can organizations detect credential exposure from infostealers?

Organizations can monitor underground sources where stolen data is shared and sold, identify exposed credentials associated with their domains, and investigate related artifacts such as cookies, host metadata, and malware attribution. The earlier exposure is identified, the greater the opportunity to remediate before attackers operationalize access. Flashpoint collects and parses some infostealer logs within one to two days of infection, helping organizations detect exposure closer to the point of compromise.

What should organizations do if employee credentials appear in an infostealer log?

Organizations should immediately assess the scope of exposure, reset affected credentials, invalidate active sessions, review authentication activity, investigate the infected device, and determine whether additional accounts or systems may have been impacted.

How is Flashpoint’s approach to infostealer intelligence different from traditional breach monitoring?

Many organizations rely on aggregated breach feeds or credential dumps that may be weeks or months old by the time they are discovered. Flashpoint’s Primary Source Collection (PSC) approach provides direct visibility into the forums, marketplaces, Telegram channels, and underground communities where stolen identity data is first shared, sold, and operationalized.

In addition to collecting raw infostealer logs, Flashpoint parses and enriches the data with context such as malware attribution, session cookies, host metadata, browser artifacts, and affected identities. Today, Flashpoint’s credential database contains more than 48 billion credentials, including over 1 billion tied to infostealer activity, providing organizations with actionable intelligence rather than raw exposure data.

Request a demo today.

The post Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk appeared first on Flashpoint.

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

Blogs

Blog

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

In this post we break down the technical mechanics of TeamPCP’s recent campaign, the impact on the developer ecosystem, and the urgent steps needed to secure software supply chains.

SHARE THIS:
Default Author Image
May 28, 2026

The developer ecosystem recently faced one of its most significant architectural threats to date, with the threat actor group TeamPCP unleashing Mini Shai-Hulud—a self propagating worm and multi-ecosystem threat. Potentially affecting millions of developers and thousands of companies, Mini Shai-Hulud has fundamentally compromised the trust layer of modern CI/CD pipelines.

The operational tempo of Mini Shai-Hulud has accelerated with every campaign. What began as opportunistic credential theft has now evolved into a high-speed, automated operation that can compromise hundreds of packages in under thirty minutes. From the exfiltration of approximately 3,800 internal GitHub repositories to the poisoning of critical libraries like TanStack and AntV, TeamPCP’s campaign has been incredibly effective in exploiting developer tooling and identity infrastructure.

What is Mini Shai-Hulud?

Mini Shai-Hulud is deployed as a 498 KB obfuscated script executed using the Bun JavaScript runtime. The deliberate choice of Bun, rather than Node.js, is a tactical evasion technique as most endpoint detection and response (EDR) platforms and security information and event management (SIEM) solutions have behavioral rules tuned to Node.js execution patterns.

How Mini Shai-Hulud Works

The worm propagates by stealing npm and GitHub authentication (OIDC) tokens from developer environments, then using those credentials to publish malicious versions of packages the compromised user maintains. To accomplish this, the worm scrapes runner process memory to extract short-lived identity tokens, which it then exchanges for per-package npm trusted-publisher tokens without requiring any long-lived npm secrets.

Credential Exfiltration and Command-and-Control

Mini Shai-Hulud targets credentials across 130 file paths, including npm tokens, GitHub personal access tokens, AWS, GCP, and Azure configuration files, Kubernetes kubeconfig files, Docker credentials, HashiCorp Vault tokens, 1Password and Bitwarden CLI vaults, SSH private keys, and Bitcoin wallet files. 

Exfiltration occurs across multiple channels: the Session Protocol network, the GitHub Git Data API using dynamically created Dune-themed repositories on victim accounts, HTTPS to the threat actor-controlled domain, and an api for GitHub Actions workflow exfiltration.

The worm uses a dead-drop command-and-control (C2) architecture via GitHub’s public commit search API. An installed daemon (kitty-monitor, deployed as a systemd service on Linux or a LaunchAgent on macOS) polls GitHub for commits containing the string “firedalazer,” parses RSA-PSS-signed command payloads from matching commits, and executes them. This technique leverages GitHub as a trusted relay, making C2 traffic difficult to block without disrupting legitimate GitHub usage.

The worm then uses a persistence mechanism as a dead-man’s switch: a GitHub personal access token named “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” is created on compromised developer machines. If an operator revokes this token without first disabling the persistence mechanism, the worm destroys all home directory data on the compromised device.

AI Agent Hijacking

Beyond standard persistence mechanisms, Mini Shai-Hulud targets AI coding agents. The SafeDep analysis documents that the worm modifies Claude Code’s settings .json to insert a SessionStart hook, enabling the worm to be reinstated with full LLM API privileges even if the infected npm packages are later removed, or the npm cache is cleared. A similar technique targets Visual Studio Code’s tasks.json file using the “runOn”: “folderOpen” trigger, and Codex configuration files are also targeted.

These AI agent hijacking techniques represent a novel attack surface: by persisting within trusted AI tool configurations, the malware can exfiltrate all code and secrets processed by those tools during future development sessions.

Four Waves of Supply Chain Attacks

Flashpoint has observed at least four documented waves of TeamPCP npm and PyPI supply chain attacks in 2026, leveraging Mini Shai-Hulud to compromise developer tooling ecosystems and steal credentials, cloud keys, and source code across tens of thousands of organizations. 

The following timeline tracks the escalation of TeamPCP and the Mini Shai-Hulud waves throughout 2026:

Wave 1: Initial SAP Packages (April 2026)

The first documented wave of Mini Shai-Hulud attacks targeted a small number of SAP-ecosystem npm packages in April 2026. While TeamPCP had already proven their CI/CD attack capabilities in March 2026 by compromising Aqua Security’s Trivy scanner and Checkmarx KICS via GitHub Actions, this initial wave served primarily as a proof-of-concept for the self-propagation mechanism and a reconnaissance phase for TeamPCP’s access broker network. Further, these attacks demonstrated the group’s ability to compromise widely used security tooling—a development that significantly undermines defenders’ ability to trust automated CI/CD pipeline scanning results.

Wave 2: TanStack, Mistral AI, and Guardrails AI (May 2026)

Leveraging a GitHub Actions cache-poisoning technique, TeamPCP published malicious versions of 42 TanStack packages across 84 releases, impacting a project with over 518 million cumulative downloads. 

The attack also compromised Mistral AI and Guardrails AI, extending the attack surface to the AI developer tools ecosystem. Forged commit authorship was used to blend the attacker’s commits into AI-assisted development environments where Claude Code is commonly deployed.

TeamPCP simultaneously listed Mistral AI source code for sale on BreachForums, claiming possession of approximately 5 GB of data across 450 internal Mistral repositories.

TeamPCP BreachForums posts advertising Mistral AI internal source code and repositories for sale, May 2026. (Source: Flashpoint)

Wave 3: AntV Ecosystem (May 2026)

Targeting AntV enterprise data visualization ecosystem, TeamPCP compromised the atool npm account, which held publishing rights across a broad catalog of AntV packages. In 22 minutes, 637 malicious versions were published across 323 packages—a scale and speed that overwhelmed standard security monitoring pipelines.

Each infected package contained the Mini Shai-Hulud worm, which, upon execution, created up to 2,500 compromised repositories on victim accounts within hours.

Wave 4: Co-Ownership of BreachForums and GitHub Breach

In the most recent wave, TeamPCP announced its assumption of co-ownership of BreachForums, the largest English-language cybercriminal forum currently active. This development significantly elevates TeamPCP’s standing and operational reach. As co-owners, the group stated it would manage platform operations, handle dispute resolution, staff and vet moderation personnel, and host monetary contests for the community. The announcement positions TeamPCP as both an active threat actor and a platform-level infrastructure operator, with the ability to shape forum policies, curate the availability of criminal tooling, and influence the broader access broker and ransomware ecosystem.

Additionally, by poisoning a GitHub employee’s development environment, TeamPCP exfiltrated approximately 3,800 internal GitHub repositories. Within the stolen data were highly sensitive codebases such as:

  • copilot-api and copilot-token-service
  • actions-runtime
  • billing-platform
  • enterprise-crypto
  • authentication
  • codeql-core
  • detection-engineering
  • csirt
  • azure-config
TeamPCP BreachForums posts advertising GitHub internal source code for sale. (Source: Flashpoint)

Recommended Immediate Actions

Critically, the theft of internal source code from one of the world’s most widely used code hosting platforms creates incredible downstream risk for organizations that depend on GitHub Copilot and GitHub Actions for their own software development pipelines. Organizations running AI coding agents such as Claude Code and VS Code with extensions in their CI/CD pipelines face heightened exposure. Security teams should treat AI agent configuration files as sensitive assets subject to integrity monitoring and change-control policies.

If your organization uses npm, PyPi, or AI-assisted development tools, Flashpoint recommends the following immediate steps:

  1. Audit and remove: Immediately audit CI/CD environments and remove all infected versions of AntV, TanStack, Mistral AI, and Bitwarden CLI packages.
  2. Rotate credentials: Rotate all cloud credentials (AWS, GCP, Azure) and npm tokens.
  3. Disable persistence first: Before revoking suspicious GitHub tokens, ensure the kitty-monitor daemon is disabled to avoid triggering the “dead-man’s switch” wiper.
  4. Lock down IDEs: Restrict the installation of VS Code extensions to an approved allow-list and monitor for unauthorized changes to settings.json or tasks.json.
  5. Block C2 infrastructure: Block all traffic to identified TeamPCP C2 domains.

Track TeamPCP and Defend against Mini Shai-Hulud Using Flashpoint

Flashpoint assesses with high confidence that TeamPCP will continue to scale its supply-chain attacks against npm, PyPI, and developer tooling ecosystems. The group’s shift from direct execution to orchestrating a broader ecosystem via BreachForums signals a maturation into a platform-layer criminal operation. While TeamPCP has hinted that the group may be approaching “retirement” due to law enforcement pressure, this should be treated with caution. Whether a misdirection or a genuine exit plan, the open-sourcing of Shai-Hulud means the tradecraft is available to the wider cybercriminal community.

Organizations should reference the OpenSSF npm Best Practices guidance for a practical baseline in hardening their package consumption posture. Flashpoint customers can gain access to known Indicators of Compromise (IOCs) and MITRE ATT&CK Mapping for Mini Shai-Hulud by logging into Flashpoint Ignite. To learn more about how Flashpoint tracks threat actor groups like TeamPCP and protects the software supply chain, request a demo.

Request a demo today.

The post The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation appeared first on Flashpoint.

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

Blogs

Blog

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

In this post, we dive into the decentralized architecture of “The Com,” exposing its hybrid ecosystem of hacking, extortion, and real-life violence—and how it fuels a ruthless pipeline of cyber-fraud cycles and adolescent exploitation.

SHARE THIS:
Default Author Image
May 26, 2026

What is “The Com”?

The Community, more widely known as “The Com” is a sophisticated hybrid threat ecosystem in which cybercrime serves as the venture capital for domestic terrorism. Existing since the early 2010s, it operates in the “edgesphere”, a grey area where mainstream social media overlaps with underground criminal networks, blending nihilistic violent extremism (NVE) with high-level financial fraud. In The Com, cybercrime against Fortune 500 companies is the primary revenue stream used by members to fund a domestic terror network that aims to radicalize youth and encourage real-world violence.

However, The Com poses more than just financial risk, it is a self-serving victim-to-perpetrator pipeline. It uses stolen capital to recruit adolescents, who they view as a disposable workforce, turning them from a victim to a perpetrator. Despite being a decentralized web of individuals rather than a traditional threat actor organization, The Com has managed to grow by hiding in the gaps between corporate security, parental oversight, and law enforcement.

How The Com is Structured

The Com is often mischaracterized as a single, formal organization. In reality, its ecosystem is unstructured and lacks a shared culture or leadership. However, the various factions within the ecosystem are extremely organized, supporting three broad categories of criminal activity: cybercrime, exploitation of minors, and real-world physical violence.

Federal investigations have shown that The Com includes a mix of adults and minors, men and women. While the exact number of members is difficult to determine, Flashpoint estimates that the broader ecosystem of The Com is in the thousands. While being a global threat, its most active core members are concentrated in Western English-speaking countries: the United Kingdom, the United States, and Canada.

Understanding the Key Pillars of The Com

While The Com is a decentralized ecosystem, its internal structure is defined by a high degree of operational alignment. Individual crews and networks within each pillar exhibit a shared psychology and standardized tradecraft that ensures their criminal activities remain effective and repeatable.

However, Flashpoint notes that members of these pillars do not operate alone. Their interaction with members of other pillars (extortion and real-world violence) amplifies the intended threat.

HACKER Com: The Economic Engine of The Com

Hacker Com acts as the ecosystem’s economic engine and primary technical arm. Its primary function is to hack major corporations and commit financial fraud to fund the broader community’s activities and lifestyle.
Seeing themselves as the elite technical tier of The Com, Hacker Com members are motivated primarily by financial gain and the thrill of outsmarting corporate security infrastructures. Notable crews within this pillar include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce.

TTPs Used by HACKER Com

The following tactics, tools, and procedures (TTPs) have been observed by HACKER COM groups:

Social Engineering (Vishing)

Hacker Com members capitalize on TTPs that target human vulnerabilities instead of relying solely on software and other exploits. Vishing is a signature move of the Scattered Spider crew, whose native English-speaking members call corporate IT helpdesks impersonating employees of that company. 

Analysts note these threat actors are likely Gen Z who socially engineer older support staff by mimicking the impatient attitudes and vernacular of young tech executives, essentially hacking the generation gap. They leverage this form of social engineering to convince support staff to reset passwords or even re-enroll new multifactor authentication (MFA) devices, which grants them access to the victims’ networks.

Supply Chain Targeting

Crews in this pillar have also successfully breached major targets by attacking their trusted vendors. For instance, Lapsus$ compromised Okta by targeting its third-party contractor, Sykes, while Scattered Spider has repeatedly targeted Okta’s identity services to pivot into their clients’ networks.

Living-off-the-land (LOTL)

Once inside a network, threat actors avoid detection by using legitimate, preexisting software and other remote admin tools such as AnyDesk, Ngrok, and Teleport to maintain persistence and move laterally. They often gamify this access, mocking victims for allowing them to simply “log in” using standard admin tools rather than having to hack their way in via complex exploits. They treat the ease of access as a testament to the victim’s incompetence.

SIM Swapping

A SIM swap attack is a foundational TTP used by financially motivated actors that involves social engineering mobile carriers to hijack a target’s phone number, usually resulting in the takeover of high-value cryptocurrency accounts.

EXTORT Com: The Ideological Engine of The Com

The Extort Com pillar functions as a machine designed for psychological control, coercion, and sexual exploitation of minors. Its goals intersect squarely with NVE ideologies, resulting in a marketplace and production center for CSAM and extreme violence, where members often trade these materials as a form of social currency.

Targets are migrated from public channels, which include social media and video games such as Roblox and Minecraft, to private ones maintained by The Com. Once moved, the dynamic shifts from recruitment to active exploitation, which is done to ensure the victim’s compliance.

IRL Com: The Enforcement Engine of The COM

The “In Real Life” (IRL) pillar serves as the physical enforcement arm of the ecosystem, effectively bridging the gap between virtual threats and reality. Sometimes referred to by law enforcement as “IRL Terror,” members often turn online animosity and disputes into real-world harm against people and their property.

Protect Against Converging Threats Using Flashpoint

The evolution of The Com represents a fundamental shift in the global threat landscape. It is not enough to view cybercrime as a purely financial risk or domestic extremism as a purely ideological one, the two have merged into a self-sustaining engine where stolen corporate capital fuels the radicalization and exploitation of the next generation.

As The Com continues to professionalize its tradecraft and expand its reach, the boundary between our digital and physical worlds will only continue to thin. To protect against this decentralized threat, organizations will require a mutli-layered defense strategy that is powered by intelligence that is sourced at the heart of these groups. Request a demo to learn more.

Request a demo today.

The post Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” appeared first on Flashpoint.

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

Blogs

Blog

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

A monthly analysis of how artificial intelligence is used in illicit communities, based on Flashpoint proprietary intelligence and direct visibility into real threat actor environments.

SHARE THIS:

A finance employee joins a video call with their CFO and several colleagues. The request is routine. The faces match. The voices sound authentic. Minutes later, $25 million is transferred—only to be discovered later that every participant on the call, except one, was AI-generated.

Techniques behind incidents like this—synthetic video, voice cloning, scripted interactions—are now being discussed openly in the same environments where threat actors exchange tools and methods. In April 2026 alone, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity.

This volume reflects a larger shift: artificial intelligence is now deeply embedded across cybercrime ecosystems, influencing fraud, impersonation, social engineering, and access operations at scale. It shows up in how content is generated, how identities are replicated, and how workflows are executed and refined over time.

That’s why we created the monthly AI Threat Report to examine how threat actors are using artificial intelligence in real-world illicit environments. Drawing on Flashpoint proprietary intelligence and direct visibility into primary source communities across forums, marketplaces, and chat services, the report analyzes the tactics, tools, and operational patterns shaping malicious AI use. Analysis of April’s activity shows a focus on prompt-sharing, jailbreak methods, and alternative models that support fewer safeguards or moderation controls.

AI Activity Volume and What It Represents

In April 2026, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity across forums, marketplaces, and chat services.

Mentions of AI in conjunction with illicit advertisements and discussions in April 2026. (Source: Flashpoint)

The underlying activity was concentrated around a familiar set of use cases and workflows:

  • identity verification bypass
  • fraud enablement and scripting
  • impersonation through synthetic media
  • prompt-sharing and jailbreak workflows

However, the emphasis within those discussions shifted in several places in April.

  • Posts tied to custom malicious LLM development appeared less frequently than discussions centered on usability: how to bypass safeguards, generate more reliable outputs, or move activity onto platforms perceived as less restrictive. 
  • References to alternative models and prompt collections appeared more often throughout the month, alongside requests for jailbreak methods and phishing-oriented outputs.

This activity points to a more mature stage of adoption. The focus is less on building entirely new tooling and more on improving reliability, portability, and ease of use within workflows that already exist.

That pattern shows up repeatedly across monitored sources. Users exchange prompts, repost working methods, and refine outputs through direct feedback. In many cases, the same underlying techniques continue circulating with only minor changes between platforms or communities.Looking across April activity helps identify which methods continue to generate demand, where threat actors are adapting around platform restrictions, and which workflows remain active across multiple environments.

Where AI Activity Is Concentrated

AI-related activity in April remained concentrated on a small number of platforms, though the distribution shifted noticeably compared to March.

Telegram accounted for the majority of observed activity, with 1,395,075 posts tied to AI services and discussions. Reddit, GitHub Gist, Pastebin, Discord, and smaller forums accounted for significantly lower volumes.

Posts selling AI services (in red) and posts seeking to purchase AI services (in blue) on Telegram in April 2026. (Source: Flashpoint)

The lower Telegram volume does not indicate reduced interest in AI-enabled activity. The platform continues to function as a primary distribution layer for prompts, jailbreak methods, fraud tooling, and service advertisements.

Across April, the same prompts, offers, and workflows appeared repeatedly across channels, often reposted with only minor adjustments. Sellers updated listings based on user feedback, while buyers requested revisions tied to specific outputs or platforms.

Other platforms served more targeted roles:

  • GitHub Gist and paste sites hosted scripts or supporting material
  • forums supported reputation building and longer technical discussions
  • Discord communities centered around specific models, prompt collections, or jailbreak workflows

The activity remains connected across environments. Methods introduced in one community frequently reappear elsewhere, particularly when they produce reliable outputs or help users work around moderation controls.Tracking how these discussions move between sources helps identify which workflows continue to gain traction and which techniques are becoming more broadly operationalized.

AI-Enabled Fraud and Identity Verification Bypass

Across April, Flashpoint analysts observed 63,763 posts advertising or discussing KYC bypass methods using artificial intelligence, including deepfake-enabled verification workflows.

The methods were active across Telegram channels dedicated to identity verification bypass services.

Posts continued to advertise:

  • synthetic video generation designed to mimic live verification behavior
  • voice cloning and scripted interaction prompts
  • bundled “KYC bypass kits” tailored to onboarding and verification workflows

Some offerings included guidance on how to adapt responses for specific platforms or verification requirements. Others promoted combinations of synthetic video, matching fake documentation, and AI-generated scripts designed to support impersonation attempts from start to finish.

The broader workflow remains consistent. AI supports how identities are replicated, how verification checks are navigated, and how fraud operations are scaled across different services.

This activity connects directly to the wider access ecosystem already observed across illicit communities. Stolen credentials, session tokens, phishing infrastructure, and AI-enabled impersonation methods increasingly operate alongside one another within the same workflows.

Across April, posts tied to these methods continued to show active refinement through user feedback, reposting, and platform-specific variations.

For security teams, this activity remains relevant at the control layer. Verification systems, onboarding workflows, and account recovery processes continue to be tested in the same environments where these methods are exchanged and improved.

Malicious LLM Usage and Prompt-Based Workflows

Across April, discussions tied to malicious or unrestricted LLM usage focused heavily on jailbreak methods, prompt-sharing workflows, and access to alternative models perceived as less restricted than mainstream platforms.

The top observed malicious LLMs mentioned within Flashpoint Collections in April 2026. (Source: Flashpoint)

Flashpoint analysts observed a significant increase in discussions related to VeniceAI, driven in part by newly created Reddit and Discord communities dedicated to the platform. The increase highlights continued interest in models that users believe operate with fewer safeguards or moderation controls than services like ChatGPT or Gemini.

The activity centers on usability and output reliability.

Posts reference:

  • jailbreak prompts designed to bypass safeguards
  • phishing and fraud-oriented prompt collections
  • step-by-step instructions for generating specific outputs
  • requests for prompts tailored to impersonation or social engineering workflows

Many of these prompts are shared in collections that include updates, revisions, or support channels. Users exchange feedback when prompts stop working, outputs degrade, or platforms introduce new restrictions. Updated versions frequently follow within short timeframes.

This type of activity reinforces how prompt engineering has developed into its own service layer across illicit communities. The focus is not limited to the underlying model itself, but to the ability to generate repeatable outputs that can be applied directly within fraud, phishing, or impersonation workflows.

Across April, the same prompt structures and jailbreak methods appeared repeatedly across multiple sources, often with only small adjustments tied to platform or target.

The emphasis remains on accessibility, portability, and ease of use rather than custom model development.

Operational Patterns and What Holds Across Sources

Across April, the same behaviors continued to appear across different environments with only minor variation.

Prompt libraries, jailbreak methods, phishing workflows, and identity verification bypass techniques circulated across Telegram channels, forums, Discord communities, and paste sites. The wording changed slightly between platforms, though the underlying structure and outputs remained consistent.

This reuse is visible in how content moves between sources. A jailbreak prompt shared in one channel appears elsewhere with revised wording or additional instructions. A phishing workflow posted to a forum is copied into a paste site and redistributed through Telegram. Users request modifications, test outputs, and repost updated versions when restrictions change or methods stop working.

That cycle appeared repeatedly throughout April.

The activity also showed strong feedback loops tied to usability. Discussions focused heavily on which prompts generated reliable outputs, which models produced fewer restrictions, and which workflows required the least adjustment before use.

Across monitored sources, the same operational priorities appeared consistently:

  • reliability of outputs
  • ease of reuse
  • ability to bypass safeguards
  • compatibility with existing fraud and impersonation workflows

Looking across April activity reinforces how AI-enabled methods continue to mature through repetition, iteration, and distribution across connected communities.

What Security Teams Should Take Away

The activity tracked in this report shows how artificial intelligence is being used in environments where techniques are developed, tested, and shared before they surface elsewhere.

Across these communities, methods tied to fraud, impersonation, and access are reused, adjusted, and circulated in forms that others can apply directly. That process does not require significant change to move from discussion into use.

For security teams, the priority is maintaining visibility into how these methods are evolving and where they are being applied. That visibility supports earlier detection, more focused response, and a clearer understanding of which techniques are actively in circulation.

Monitoring these sources provides that context. It connects observed activity to the methods behind it and helps teams track how those methods develop over time.

If you want to see how this activity maps to your environment, request a demo.

Request a demo today.

The post AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities appeared first on Flashpoint.

Navigating the Threat Landscape of the 2026 FIFA World Cup

Blogs

Blog

Navigating the Threat Landscape of the 2026 FIFA World Cup

In this blog, we break down emerging threat activity, protest movements, cyber risks, and operational challenges shaping the security environment for the 2026 FIFA World Cup.

SHARE THIS:
Default Author Image
May 11, 2026

Updated June 2026

The 2026 FIFA World Cup will be unlike any tournament before it.

Set to run starting next month from June 11th to July 19th across the United States, Canada, and Mexico, this will be the first World Cup co-hosted by three nations and expanded to 48 teams across 16 host cities. More than five million fans are expected to attend matches in person, with billions more engaging globally.

That scale introduces a different class of risk. The World Cup is a distributed, high-visibility global operation spanning stadiums, transit systems, hotels, fan festivals, and digital infrastructure.

At the time of writing, Flashpoint analysts have not identified any specific, credible threats targeting the tournament. However, recent extremist propaganda and geopolitical tensions continue to reinforce the need for heightened vigilance across host nations.

A Converging Threat Environment

The risks surrounding the 2026 World Cup intersect across multiple domains.

Physical security, cyber activity, geopolitical tensions, and social movements all operate against the same infrastructure and audiences. Activity in one area can quickly affect another.

Flashpoint assesses that the most persistent risks across all host nations include:

  • Crimes of opportunity targeting visitors unfamiliar with local environments
  • Lone-actor attacks, including those driven by extremist ideologies
  • Overcrowding, fan conflicts, and unmanaged gatherings

These risks are amplified by the tournament’s scale and geographic distribution.

Civil Unrest and Protest Activity

World Cup tournaments routinely become platforms for protest.

For 2026, multiple movements are already organizing around the event:

  • “Boycott USA 2026” campaigns and groups like CODEPINK are calling for relocation of matches
  • The “50501 Movement” has signaled intent to leverage the tournament’s visibility for national demonstrations
  • Coalitions of civil society organizations have raised concerns around immigration enforcement, surveillance, and civil rights

Recent organizing activity has expanded beyond traditional anti-FIFA campaigns. Civil rights organizations, labor groups, anti-ICE coalitions, and community organizations in multiple host cities have announced or promoted demonstrations tied to immigration enforcement, displacement concerns, labor issues, and the broader social impacts of the tournament.

In the United States, Flashpoint analysts assess with high confidence that protests will occur across all host cities, with messaging tied to immigration policy, labor issues, and geopolitical tensions.

In Canada and Mexico, protests tied to environmental concerns, infrastructure impact, and global conflicts are also expected.

At this stage, most campaigns remain organizational rather than operational. But the scale of the event means even localized demonstrations can escalate quickly, especially around stadiums, transit hubs, and fan zones.

Physical Security and Crowd Risk

No specific terrorist plots have been identified. But that does not reduce the risk.

Large gatherings remain attractive targets for:

  • Lone actors seeking high visibility
  • Opportunistic criminals
  • Disruptive fan groups

Online chatter continues to reference potential attacks, including decentralized calls for violence from extremist-linked media outlets. Recently, a pro-ISIS media outlet released World Cup-themed propaganda that appeared designed to portray major football venues and international sporting events as symbolic targets, underscoring the continued threat posed by lone actors and extremist-inspired violence.

Beyond intentional threats, crowd dynamics pose a persistent risk. Past sporting events have shown how quickly panic, overcrowding, or pyrotechnics can trigger dangerous conditions, including crowd crush incidents.

Fan culture adds another layer. Organized groups such as Ultras and hooligan firms increasingly operate with coordination, using encrypted messaging, reconnaissance (“spotting”), and off-site meetups to avoid security controls.

Security concerns extend beyond traditional supporter culture. Some organized fan groups have evolved increasingly sophisticated tactics, including coordinated reconnaissance, plain-clothes scouting, encrypted communications, and deliberate efforts to move confrontations away from stadium security zones and into “soft zones” like bars, transit hubs, and other gathering locations.

Geopolitical Tensions and High-Risk Matches

Geopolitics will shape the security environment throughout the tournament.

The ongoing tensions involving the United States, Israel, and Iran are expected to influence both protest activity and threat perceptions. Iran’s participation—particularly matches held in U.S. cities—has already sparked debate, travel concerns, and increased security planning.

The issue extends beyond match security. Visa policies, travel restrictions, diaspora activism, and ongoing debate surrounding Iranian participation have already generated significant discussion among supporters, advocacy groups, and government stakeholders.

Certain matches carry elevated risk due to:

  • Historical rivalries
  • National identity tensions
  • Known fan group activity

These matches require heightened monitoring not just inside stadiums, but across surrounding areas where supporters gather.

The Expanding Cyber Threat Surface

The World Cup is also a large-scale digital event.

Even without identified active campaigns, Flashpoint analysts expect the tournament to function as a stress test for global infrastructure.

Key cyber risks include:

  • Ticketing fraud: Fake domains impersonating official FIFA platforms
  • Phishing and social engineering: Targeting fans, vendors, and staff
  • Ransomware and DDoS attacks: Disrupting transit systems, stadium operations, and hospitality networks
  • Infrastructure targeting: Exploiting vulnerabilities in public-facing systems

Researchers have already identified thousands of fraudulent domains impersonating FIFA-related services, alongside phishing campaigns designed to harvest credentials, hijack accounts, and resell legitimate tickets purchased by victims.

Threat actors are also expected to monetize the event through:

  • Fraudulent housing and rental listings
  • Rideshare and transportation scams
  • Sports betting manipulation and extortion

Even minor disruptions to digital infrastructure can have cascading effects on physical operations that cause delayed transportation, overwhelming venues, or other safety concerns.

Operational Security Gaps

Some of the most overlooked risks are also the simplest.

Attendees, staff, and media frequently post images of credentials like press passes, security badges, and access tokens on public social media. These images can be used to replicate credentials and bypass controls.

Similarly, fans often attempt to:

  • Access team hotels
  • Enter restricted areas
  • Interact directly with players

These behaviors create additional pressure on venue and hospitality security teams, particularly in high-profile locations.

Beyond the Stadium: Distributed Risk

The World Cup extends far beyond match venues. Security teams must account for:

  • Team base camps and training facilities
  • Fan festivals and unofficial gatherings
  • Hotels, tourist destinations, and transit systems
  • Cross-border travel between host nations
  • Increased human trafficking and exploitation risks associated with large-scale international travel and temporary workforces

Unauthorized fan festivals and spontaneous gatherings remain a persistent concern, often drawing large crowds without coordinated security planning.

At the same time, environmental factors including extreme heat, severe storms, flooding, air quality concerns from wildfires, and other weather-related disruptions may affect operations, travel, and crowd safety across host regions.

Getting Ready for the Tournament

The absence of identified threats should not be misinterpreted as low risk.

Events of this scale require continuous monitoring across physical, cyber, and social domains. Threat indicators often emerge early in:

  • Online forums and messaging platforms
  • Local protest planning
  • Fraudulent domain registrations
  • Changes in adversary behavior

Effective preparation depends on:

  • Broad, multilingual monitoring across open and closed sources
  • Correlation between physical and cyber indicators
  • Visibility into both high-profile targets and “soft zones”
  • Close coordination between public and private sector partners

Flashpoint recommends monitoring key terms such as “World Cup,” “FIFA,” “Fan Festival,” and related hashtags across intelligence platforms to maintain situational awareness.

Preparing for the Whistle

Building a robust threat monitoring architecture is a continuous process. Host cities and law enforcement often use smaller-scale international competitions as test runs to prepare for the scale and complexity of events like the FIFA World Cup.

By leveraging Flashpoint’s advanced search capabilities—including broad keyword coverage, wildcard operators, and visibility into deep and dark web communities—organizations can maintain awareness of emerging risks tied to large-scale events. From stadium infrastructure to digital ticketing platforms, actionable intelligence supports more informed, timely decisions.

To see how Flashpoint enables this level of visibility and monitoring in practice, request a demo.

Request a demo today.

The post Navigating the Threat Landscape of the 2026 FIFA World Cup appeared first on Flashpoint.

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

Blogs

Blog

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

In Flashpoint’s recent webinar, we examine the defining shifts shaping the 2026 threat landscape, from AI-driven attack automation to the growing role of identity in initial access. We analyze how infostealers, vulnerabilities, and ransomware activity are evolving, and where security teams should focus now.

SHARE THIS:
Default Author Image
May 8, 2026

In 2026, the threat landscape operates as a single, connected system. Identity, malware, and infrastructure are now part of the same attack chain, executed at a speed that compresses the time between access and impact.

What once required multiple stages and specialized tooling is now streamlined and automated.

Flashpoint recently hosted an on-demand webinar, “Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities,” where our intelligence team broke down the trends driving this shift. Drawing from primary source intelligence across forums, marketplaces, and closed communities, the session examined how modern attack chains are forming and evolving, as well as where defenders still have opportunities to intervene.

Here are the key takeaways you need to know to prioritize threats and protect your organization.

AI Is Being Operationalized Across the Attack Lifecycle

Artificial intelligence is now embedded across multiple stages of attacker workflows.

Flashpoint tracked more than 1.5 billion mentions of AI in illicit communities in 2025, with activity accelerating sharply toward the end of the year. These discussions center on how AI can be applied to real operations, including phishing, malware development, and fraud.

As Ian Gray, Vice President of Intelligence at Flashpoint, noted during the session, “Adversaries are extremely adept, and they’re constantly looking at how they can use the newest state-of-the-art tools—whether that’s commercial models or their own implementations—and how they can jailbreak them or adapt them to their workflows.”

One of the most notable developments is the use of agentic AI systems to automate tasks that were previously manual. These systems are being used to:

  • Test stolen credentials across VPNs, SaaS platforms, and cloud environments
  • Rotate infrastructure during active operations
  • Generate and refine attack inputs based on previous outcomes

Alongside this, threat actors are actively exploring ways to bypass safeguards in commercial AI tools, including:

  • Jailbreaking model restrictions
  • Embedding hidden instructions through prompt injection
  • Manipulating AI-powered features within enterprise applications

This activity reflects a sustained effort to integrate AI directly into attack execution rather than treating it as a standalone capability.

Identity Is Driving Initial Access

The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

As Gray explained, “Threat actors are finding a variety of ways to get into enterprise networks, and typically it’s through the human element. While humans can be trained or educated, it’s not something that can be patched in the traditional sense.”

This dynamic is already visible at scale.

Flashpoint observed 11.1 million infected devices and 3.3 billion stolen credentials in 2025. These credentials are extracted through infostealers and circulated across marketplaces, enabling direct access into enterprise environments.

In many cases, attackers are using:

  • Session cookies and tokens to bypass authentication flows
  • Browser fingerprints and system metadata to replicate legitimate user behavior
  • Valid credentials to access SaaS platforms, VPNs, and internal systems

Once access is established, activity often blends into normal user behavior, making detection more difficult. Compromised identities are also reused across multiple services, expanding the scope of potential exposure.

This pattern continues to appear in intrusion activity tied to SaaS platforms and third-party integrations, where access to one system can provide visibility into multiple environments.

Infostealers Are Enabling Scalable Access

Infostealers remain a primary driver of credential exposure.

Logs containing credentials, cookies, and system data are continuously harvested and made available through criminal marketplaces and subscription-based services. These logs are used directly or integrated into automated workflows that test and validate access at scale.

Gray pointed to how this plays out in practice: “Infostealers have really commoditized access. They harvest credentials, identify which ones are useful, and then test them at scale across VPNs, SaaS platforms, and cloud environments.”

The ecosystem continues to shift as law enforcement activity disrupts established players and new variants gain traction. Families such as Vidar, Lumma, and others maintain a strong presence due to accessibility and ongoing development.

In parallel, credential harvesting is feeding downstream activity, including:

  • Account takeover
  • Fraud operations
  • Data exfiltration and extortion

This linkage between initial access and follow-on activity is consistent across multiple reporting streams.

Vulnerability Exploitation Is Moving Faster

Vulnerability volume continues to increase alongside exploitation speed.

Flashpoint recorded more than 44,000 disclosed vulnerabilities in 2025, with over 14,000 tied to publicly available exploits. In several cases, exploitation activity followed disclosure within a day.

As Gray put it, “With vulnerabilities, it can feel like you’re trying to boil the ocean. There’s such a high volume of disclosures, but in reality, there’s a smaller set—those that are remotely exploitable, have proof-of-concept code, and are being actively used—that you need to focus on.”

Attacker focus is concentrated in areas that provide broad access or downstream impact, including:

  • Software supply chains and CI/CD environments
  • Open-source dependencies
  • Widely used enterprise platforms

Given the volume of disclosures, prioritization remains critical. Vulnerabilities that are remotely exploitable and paired with public exploit code present immediate risk, particularly when active discussion or exploitation is observed.

Ransomware Activity Continues to Shift

Ransomware activity increased by 53%, with continued changes in how operations are carried out.

Gray framed the shift this way: “Why even bother to develop ransomware? That takes time, resources, and overhead—when you can gain access through a compromised account or third-party platform and immediately move to extortion.”

In addition to traditional ransomware deployment, there is sustained activity centered on:

  • Data exfiltration followed by extortion
  • Use of compromised credentials for direct access
  • Targeting of third-party providers and SaaS platforms

Intrusions tied to help desks, identity workflows, and federated applications continue to appear in reporting, often involving social engineering or unauthorized access provisioning.

There is also ongoing activity related to insider recruitment, with threat actors seeking individuals who can provide direct access or privileged information.

Industries with higher operational dependencies, including manufacturing, technology, and healthcare, continue to be targeted due to the potential impact of disruption.

Translating Intelligence Into Action

The trends shaping 2026 are grounded in how attackers are currently operating across multiple domains.

As Gray emphasized, “You have to take into account vulnerabilities, exposures, infostealers, and identity compromise all at the same time. These aren’t separate problems anymore—they’re all part of the same attack chain.”

Security teams should focus on:

  • Identifying exposures with a high likelihood of exploitation
  • Monitoring for compromised credentials tied to organizational domains
  • Reviewing identity access and third-party integrations
  • Prioritizing vulnerabilities with active exploit availability
  • Tracking attacker activity across forums, marketplaces, and communication channels

These actions align with observed attacker behavior and provide a clearer path to prioritization.

Watch the Full Webinar and Explore the Data

The trends shaping 2026 are grounded in how attackers are already operating.

Flashpoint’s full webinar provides a deeper look at the data, along with practical guidance on how to translate intelligence into action.

Watch the on-demand session to see the full breakdown of these trends, or download the 2026 Global Threat Intelligence Report to explore the underlying data and analysis in more detail.

Request a demo today.

The post Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities appeared first on Flashpoint.

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

Blogs

Blog

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

In this post, we outline how cyber threat intelligence is evolving to support agentic AI-driven security operations, why MCP is emerging as a foundational standard, and how Flashpoint is operationalizing data for this new model.

SHARE THIS:
Default Author Image
May 7, 2026

Security teams are under more pressure than ever to move faster, see more, and act with confidence.

At the same time, the way cybersecurity investigations happen is evolving. The “human-in-the-loop” model is expanding: analysts increasingly direct AI agents that gather context, correlate signals across sources, and handle repetitive triage.

While AI is rapidly becoming a staple of modern security operations, a significant gap remains: most intelligence sources were originally designed for human consumption, not AI agents. Historically, threat intelligence platforms were built for analysts to log in and piece together disparate insights. While that model remains the gold standard for deep research, it can become a bottleneck in a high-velocity, agent-led workflow where AI assistants and automation pipelines are the primary investigators.

At Flashpoint, our Ignite threat intelligence platform was built to support deep investigative workflows, enabling analysts to search and connect intelligence across primary-source datasets and build a complete picture of emerging threats. That foundation remains critical.

But as workflows evolve, customers are increasingly looking to extend that same intelligence beyond the platform—into AI assistants, automation pipelines, and other environments where work is actively happening.

That raises an important question: How do you make high-value intelligence as usable for an AI agent as it is for a human analyst?

Today, we are outlining our approach to building the Flashpoint Model Context Protocol (MCP) Server, a strategic initiative that makes Flashpoint’s best-in-class intelligence accessible not only via our award-winning platform but also natively “AI-callable” within the agentic workflows of today and tomorrow.

What Is an MCP Server and Why Does It Matter in Cyber Threat Intelligence?

Model Context Protocol (MCP) is the standard for connecting AI systems to external data sources and tools. 

In practical terms, an MCP server provides a structured way for AI systems, like agents, assistants, copilots, and automation frameworks, to access and interact with data in real time.

For cyber threat intelligence, this represents a fundamental shift in how teams operate:

  • Faster investigations: AI agents can query and correlate data across disparate datasets in seconds.
  • Comprehensive coverage: By searching across all primary sources in parallel, teams eliminate the risk of missing critical intelligence. 
  • More seamless workflows: Analysts can stay within their agentic workflow without constant context switching.
  • Reduced integration overhead: Less need for custom engineering to connect intelligence into new environments.

Flashpoint MCP Server: A Foundation for AI-Native Threat Intelligence

Flashpoint has always differentiated itself on the quality and depth of our data, sourced directly from where threats emerge. Our goal is to ensure this intelligence is available wherever your analysts are working.

Currently, teams experimenting with AI assistants face significant friction: copying and pasting, relying on third-party bridges, or maintaining custom integrations.

We are building the Flashpoint MCP Server as a foundational access layer, the architectural connector that will power both external integrations and future AI experiences within the Flashpoint platform.

With this new layer, teams can:

  • Query intelligence in one workflow: Access intelligence reports, ransomware, vulnerabilities, communities, and Deep Dark Web, and technical indicators in a single research task rather than hopping tool-to-tool.
  • Ground AI agents in truth: Provide a direct, authenticated bridge to real-time, verified Flashpoint intelligence, ensuring AI responses are based on evidence rather than static training data or hallucinations.
  • Scale expert analysis: Use guided prompts and workflow templates to teach the AI exactly how to use our tools to conduct expert-level investigations across our datasets.

The threat intelligence industry is adopting MCP as the standard for how AI systems connect to data.

We’re building the Flashpoint MCP Server to ensure our intelligence is a foundational component of that ecosystem and usable wherever AI-driven workflows occur.

What to Expect from Flashpoint MCP Server

The initial release of the Flashpoint MCP Server in Spring 2026 is intentionally read-only and query-focused. This creates the production-grade foundation required to bring intelligence into the workflows customers are already building. It aligns with customer guidance about using agentic AI to solve the most pressing challenges they face today.

What Comes Next

Later this year, we will move from information retrieval to Action-Oriented Intelligence. This expansion will allow users not only to access data but also to act on it directly within their AI-driven workflows. As this ecosystem evolves, we plan to deliver:

  • Natural Language Orchestration: We are empowering analysts to interact with our data more intuitively. Through the MCP server, complex actions such as updating an investigation or identifying new threat sources are handled via natural-language orchestration. This ensures that the speed of an investigation is limited only by an analyst’s questions, not their mastery of a specific query syntax.
  • Flashpoint-Native Agents and Skills: We are developing specialized Flashpoint Agents and “skills” built on top of this server. These will be purpose-built to address specific workflows, such as ransomware monitoring or vulnerability triage, allowing teams to deploy out-of-the-box expertise without building their own agentic logic
  • Fusion of External and Internal Data: A critical advantage of the MCP framework is the ability to combine Flashpoint’s external threat intelligence with a customer’s internal environment data (SIEM, Cloud, IAM, Endpoint, etc.). This allows an agent to correlate global threat signals with your specific footprint to provide instant, individualized risk context. 
  • Embedded AI within Flashpoint Ignite: This same MCP infrastructure will serve as the shared engine for new, embedded AI experiences within Flashpoint Ignite. This ensures that the same natural-language power and automated data correlation fueling external agents are also natively available within our platform UI, creating a seamless investigative experience regardless of where an analyst chooses to work.

Built and Validated in Real Workflows

We believe in the power of this new architecture because we are already using it. The MCP Server is currently embedded in our own Flashpoint Intelligence Team’s workflow, helping our analysts research and respond to complex client RFIs. 

By applying this capability to our own high-stakes research first, we ensure that what we bring to market is grounded in real investigative needs, not just technical potential. 

Operationalizing the Best Data

The future of security operations won’t be defined solely by who has access to the most data or even the most AI agents; it will be defined by who can operationalize the best data directly within the workflows where decisions are made.

The Flashpoint MCP Server is our strategic commitment to that future—making the world’s best intelligence natively accessible, usable, and aligned with the way modern security teams work.

The Flashpoint MCP Server is currently in active development, with customer availability planned for late Spring 2026. 

Subscribe to the Flashpoint blog for more updates on Flashpoint MCP Server and the latest insights from the front lines of threat intelligence.  

Frequently Asked Questions

What is the Flashpoint MCP Server? 

The Flashpoint MCP Server enables Flashpoint’s threat intelligence to be directly callable by AI agents. It implements the Model Context Protocol (MCP), an open standard for connecting AI systems to external data, so any MCP-compatible agent, including Claude, Gemini, and Cursor, can query our datasets without bespoke API integration work.

Who is the MCP Server designed for?

The MCP Server is designed for technical, forward-leaning security teams and AI-native organizations. This includes SOC analysts, CTI practitioners, and security engineers who are already building or experimenting with AI agent workflows using tools like Gemini, Claude Code, or custom LLM-based assistants.

Which Flashpoint datasets are accessible via MCP?

The initial rollout (Spring 2026) provides access to Flashpoint’s core intelligence collections, including:

  • Intelligence Reports
  • Communities (Online forums, messaging platforms, closed digital communities)
  • Technical Indicators (IOCs)
  • Vulnerability Intelligence (CVEs)
  • Ransomware
  • Compromised Credentials and Infected Hosts
  • Strategic Entity Data

How does this differ from Flashpoint’s standard APIs?

While our standard APIs are designed for direct programmatic consumption, the MCP Server is optimized specifically for AI agents. It exposes intelligence as composable tools and guided prompts that AI agents can understand and use to perform complex, multi-step research tasks. 

How does this differ from the Flashpoint Ignite platform?

The Flashpoint MCP Server is not a replacement for Flashpoint’s award-winning Ignite platform; rather, it is a complementary access layer designed for a different type of user and workflow. While Ignite is a destination for deep research, the MCP server provides the infrastructure that enables that same intelligence to live in AI-native environments.

To learn more about Flashpoint’s MCP Server, schedule a demo today.

See Flashpoint in Action

The post Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows appeared first on Flashpoint.

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

Blogs

Blog

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

SHARE THIS:
Default Author Image
May 6, 2026

We are proud to share that Flashpoint has been named a Challenger in the inaugural 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies. 

“We see this recognition as a testament to Flashpoint’s ability to execute at the highest levels for the world’s most discerning threat intelligence customers, with our unique combination of primary source collection and human analysis at the core,” — Josh Lefkowitz, CEO at Flashpoint.

The Gartner Magic Quadrant provides organizations with a wide-angle view of vendors in the cyber threat intelligence market. By applying a graphical treatment and a uniform set of evaluation criteria, the Magic Quadrant helps organizations assess how well technology providers are executing their stated visions and performing against Gartner’s market view. Vendors are evaluated based on their Ability to Execute and Completeness of Vision:

  • Ability to Execute reflects the Gartner assessment of the vendor’s product and/or service, overall viability, sales execution and pricing, market responsiveness and record, marketing execution, customer experience, as well as operations.
  • Completeness of Vision comprises the Gartner view of the vendor’s overall market understanding, marketing strategy, sales strategy, offering (product) strategy, business model, vertical/industry strategy, innovation, and geographic strategy.

“We believe, and our customers consistently validate, that the future of threat intelligence lies at the critical intersection of intelligence depth and application,” says Lefkowitz. “That’s why Flashpoint pairs unmatched access to primary-source environments with the ability to operationalize that intelligence across security workflows, enabling organizations to make faster, more informed decisions.”

A complimentary copy of the Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies is available to download here.

Market Dynamics and Growth of the Threat Intelligence Market

The threat intelligence market has expanded in both scope and strategic importance as organizations contend with a broader and more complex threat environment. What was once a supporting function within security operations is now expected to inform decisions across vulnerability management, fraud prevention, and enterprise risk. This shift has raised the bar for how intelligence is collected, analyzed, and applied.

Gartner describes this evolution as a move toward unified cyber risk intelligence (UCRI) — an approach that brings together diverse internal and external data sources with advanced analytical capabilities to improve decision-making. As noted in The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, “the future of threat intelligence is unified cyber risk intelligence (UCRI)… defined by the convergence of multisignal collection and advanced analytical capabilities.” In our opinion, this model reflects the reality that no single source provides sufficient visibility, and that intelligence must be corroborated across environments to be actionable. 

At the same time, the scale of available data continues to increase, introducing new challenges around prioritization and context. Gartner notes that organizations “receive vast amounts of threat data, and filtering out false positives, redundant information and irrelevant alerts to extract actionable intelligence remains a significant challenge. This “noise” can overwhelm security teams and lead to important threats being missed.” This is where AI plays a growing role. Techniques such as machine learning and natural language processing are increasingly used to correlate signals, identify patterns, and surface relevant risks faster. As intelligence becomes more integrated across the enterprise, the ability to combine multisource collection with AI-driven analysis is shaping how organizations evaluate platforms and build modern threat intelligence programs.

How Security Teams Are Evaluating Threat Intelligence

From Flashpoint’s experience working with the most discerning security and intelligence teams, the value of a threat intelligence platform is measured in how it performs in practice — how quickly it surfaces relevant activity, how much context it provides, and how easily it supports decision-making across workflows.

We see three areas consistently shape how intelligence is evaluated, supported by a combination of human expertise and AI-driven analysis:

  • Access to high-signal environments: Intelligence is most useful when it reflects activity at its source. Access to closed forums, encrypted messaging platforms, and illicit marketplaces provides the context needed to understand how threats develop and move.
  • Context that supports prioritization: Vulnerability and threat data require context to be actionable. Understanding how activity is discussed and operationalized in real environments allows teams to focus on what requires attention.
  • Integration into operational workflows: Intelligence must fit into the systems and processes teams already rely on. Integration across SIEM, SOAR, and internal workflows allows intelligence to be applied consistently at scale.

These areas are closely tied to how Flashpoint has built its platform and how it supports organizations operating in complex threat environments.

Where Intelligence Comes From Matters

A large part of how intelligence performs in practice comes back to the source of the data itself.

We believe, and our customers continue to validate, that Flashpoint’s approach is centered on primary-source collection. That means accessing environments where threat activity is actively discussed, coordinated, and developed, including closed forums, encrypted messaging platforms, and illicit marketplaces. These environments require sustained access and ongoing validation, but they provide a level of visibility that is difficult to achieve through surface-level collection alone.

From our experience, working from these sources changes how intelligence is used. Activity can be observed earlier and understood with more context, with discussions, relationships, and intent preserved.

In practice, this allows teams to:

  • Identify emerging activity before it becomes widely visible
  • Maintain context across conversations, actors, and environments
  • Reduce time spent investigating low-value or unverified signals

Intelligence Has to Fit Into How Teams Actually Operate

Collection alone doesn’t determine whether intelligence is useful. We believe it also has to be delivered in a way that aligns with how teams work.

In our experience, most security teams already have established workflows tied to SIEMs, SOAR platforms, and internal processes. Intelligence that integrates into those workflows can be applied consistently across investigation and response.

In practice, we see this support:

  • Delivery of intelligence directly into existing systems
  • Consistent application across automated and analyst-driven workflows
  • Reduced friction between intelligence, investigation, and response

Over time, this consistency allows teams to build repeatable processes around intelligence rather than treating it as a separate function.

Context Drives Prioritization

The same dynamics apply to vulnerability intelligence.

From our experience, understanding which vulnerabilities exist is only one part of the problem. Determining which ones require attention in a given environment depends on context — how those vulnerabilities are being discussed, shared, or used in active threat activity.

We have seen first-hand that when vulnerability data is connected to real-world activity, teams can:

  • Prioritize remediation based on active threat relevance
  • Align vulnerability management with observed adversary behavior
  • Reduce reliance on static scoring as the sole decision driver

Applying This in Practice

For organizations evaluating providers, challenge intelligence sources, challenge collection agility, challenge exploit prioritization and above all ask yourself is this a partner with a long-term track record of navigating the world’s most complex threat environments?

To see how Flashpoint, the world’s largest private provider of threat intelligence can help you make better decisions, faster and with confidence, schedule a demo.

Gartner Disclaimer

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Flashpoint.

Gartner, Magic Quadrant for Cyber Threat Intelligence Technologies, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, May 4, 2026.

Gartner, The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, By Jonathan Nunez, 15 September 2025.

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

Begin your free trial today.

The post 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders appeared first on Flashpoint.

How to Build and Operationalize Priority Intelligence Requirements

Blogs

Blog

How to Build and Operationalize Priority Intelligence Requirements

In this post, we break down how to define, structure, and operationalize Priority Intelligence Requirements (PIRs) to improve focus, reduce noise, and drive more effective intelligence outcomes, with a companion starter kit to help apply these concepts in practice.

SHARE THIS:
Default Author Image
April 30, 2026

Security teams are inundated with data. Alerts, feeds, reports, and signals continue to grow in volume, but without clear direction, much of that information fails to translate into meaningful action.

Flashpoint recently hosted a webinar, “How to Build and Operationalize Priority Intelligence Requirements,” where our intelligence team walked through how organizations can bring structure to their intelligence programs. The session focused on how to define Priority Intelligence Requirements (PIRs), align them to business needs, and operationalize them across workflows. If you missed it, you can catch the on-demand recording here.

In this blog, we’ll recap the key takeaways from the webinar that you need to know to build, structure, and operationalize Priority Intelligence Requirements within your organization.

Priority Intelligence Requirements Create Focus

Priority Intelligence Requirements (PIRs) define what matters most to an organization’s intelligence function.

They serve as a framework for identifying the threats, risks, and questions that intelligence teams are responsible for answering. Without that structure, teams often default to reactive workflows—chasing alerts and producing reporting without clear alignment to business priorities.

PIRs establish that alignment by grounding intelligence work in specific, decision-driven questions.

These questions are typically tied to areas such as:

  • Threat actor activity targeting the organization or its sector
  • Exposure of sensitive data, credentials, or infrastructure
  • Risks tied to third-party vendors or supply chain dependencies
  • Emerging trends that may impact operations or security posture

When defined correctly, PIRs act as a filter that helps teams determine what to collect, analyze, and escalate.

Effective PIRs Start With the Business

One of the most common challenges highlighted in the webinar is that PIRs are often defined in isolation.

When intelligence requirements are not tied to business priorities, they tend to drift toward generic threat monitoring. This leads to reporting that is technically accurate, but operationally disconnected.

Effective PIR development starts with first understanding:

  • What decisions need to be made
  • Who is responsible for making them
  • What information is required to support those decisions

This requires direct engagement with stakeholders across security, risk, and business teams. In practice, that often includes leadership, legal, fraud, and operational teams.

The goal is to translate business concerns into intelligence questions that can be consistently answered over time.

Structuring PIRs for Actionability

Clear structure is essential to making PIRs usable.

Well-defined PIRs are specific enough to guide collection and analysis, but flexible enough to evolve as threats change. They are typically framed as direct questions that intelligence teams can answer with available data.

Examples of structured PIRs include:

  • Are threat actors actively targeting our organization or industry?
  • Has our data appeared in criminal marketplaces or forums?
  • Are our third-party vendors experiencing security incidents that could impact us?

This approach ensures that intelligence outputs remain focused on answering defined questions rather than producing general reporting.

It also enables consistency across teams, making it easier to track trends and measure changes over time.

Operationalizing PIRs Across Workflows

Defining PIRs is only the starting point. Their value comes from how they are integrated into day-to-day operations.

In the webinar, Flashpoint emphasized the importance of embedding PIRs across the intelligence lifecycle, including:

  • Collection: Prioritizing sources and datasets that align with defined requirements
  • Analysis: Structuring outputs around PIR-driven questions
  • Dissemination: Delivering intelligence to the stakeholders tied to each requirement
  • Feedback: Continuously refining PIRs based on evolving needs

This integration ensures that intelligence efforts remain consistent and aligned, even as threat conditions change.

It also reduces duplication of effort and helps teams avoid producing intelligence that does not support decision-making.

Measuring the Impact of Intelligence

PIRs provide a foundation for evaluating whether intelligence efforts are effective.

Without defined requirements, it is difficult to determine whether outputs are relevant or useful. PIRs create a benchmark against which teams can assess:

  • Whether key questions are being answered
  • Whether intelligence is reaching the right stakeholders
  • Whether outputs are informing real decisions

This shifts intelligence from a reporting function to a decision-support capability.

Over time, this approach helps organizations refine both their requirements and their workflows, improving efficiency and impact.

Dive Deeper | Watch the Full Webinar

Building and operationalizing Priority Intelligence Requirements is a foundational step toward a more focused and effective intelligence program.

Flashpoint’s on-demand webinar walks through this process in detail, including practical examples and guidance for implementation.

For teams looking to move from theory to implementation, the Priority Intelligence Requirements (PIR) Starter Kit provides a practical extension of this approach. The resource includes a structured framework for defining requirements, a catalog of adaptable PIR examples across key intelligence drivers, and a template to support documentation and governance.

Watch the full session and download the starter kit to begin building requirements that directly support decision-making and risk reduction.

Begin your free trial today.

The post How to Build and Operationalize Priority Intelligence Requirements appeared first on Flashpoint.

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

Blogs

Blog

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

In this post, we examine why intelligence requirements often fail to drive decisions and how to operationalize Priority Intelligence Requirements to align collection, analysis, and action.

SHARE THIS:
Default Author Image
April 13, 2026

In modern security operations, the “more is better” approach to threat intelligence has failed. Teams are drowning in alerts, not because the tools aren’t working, but because they lack a defined “North Star” to tell them which signals actually matter. 

To move from reactive monitoring to proactive defense, you need Priority Intelligence Requirements (PIRs). 

What is a Priority Intelligence Requirement (PIR)?
Definition: A Priority Intelligence Requirement is a decision-support question that identifies a critical knowledge gap. It defines what an organization needs to know, why it matters, and which specific business decision the information will support.

What Are the Biggest Challenges in Implementing PIRs?

Most teams buy intelligence tools, connect their sources, and immediately hit a wall: What should we actually be looking for?

Without a requirements-driven intelligence model, programs typically suffer from three critical points of friction that teams face every day: 

  1. Alert Parity: A low-level credential leak on a forum is treated with the same urgency as a targeted ransomware threat.
  2. The “So What?” Gap: Analysts produce reports that leadership finds “interesting” but not “actionable”.
  3. Analyst Burnout: Teams spend the majority of their time chasing “exploratory” data rather than defending the business. 

Requirements-driven intelligence changes the starting point. It moves the focus from “What data can we get?” to “What decisions do we need to make?”

The 3-Tier Intelligence Requirements Model: GIR, PIR, and SIR

To operationalize intelligence, you must understand its hierarchy. A PIR is the bridge between executive strategy and technical execution. We recommend structuring requirements across these three tiers:

  1. General Intelligence Requirements (GIRs): The “Why”)

These are the big-picture risks that keep your CISO or Board up at night. They focus on trends and long-term posture.

Example: “How is the ransomware landscape evolving for the healthcare sector in 2026?”

Outcome: Informs budgeting and annual security priorities.

  1. Priority Intelligence Requirements (PIRs): The “What”

This is the operational heart of your program. PIRs turn strategic concerns into specific, high-impact scenarios.

Example: “Which ransomware groups are actively targeting our specific supply chain partners?”

Outcome: Defines daily monitoring and escalation triggers.

  1. Specific Intelligence Requirements (SIRs): The “How”

SIRs are the tactical “boots on the ground” that power your PIRs with granular data.

Example: “Monitor for [Specific Malware Family] indicators or [Specific Actor] infrastructure associated with Group X.”Outcome: Drives threat hunting and automated detection logic.

Why Should You Focus on Building at the PIR Level?

While you need the full hierarchy, your primary effort should live at the PIR layer.

General IRs are often too high-level to automate, and SIRs (technical indicators) change too quickly to manage manually. PIRs are the “Stable Middle.” They are broad enough to capture business risk but specific enough to map to a workflow. By building your program around a library of PIRs, you create a system that is:

  • Machine-Readable: Easy to translate into platform automation.
  • Stakeholder-Aligned: Written in language that leadership understands.

Action-Oriented: Designed to trigger a specific response every time they are “answered.”

How To Audit Your PIRs (The Stress Test)

Before you commit resources to monitoring, run each requirement through this three-point filter:

  1. Is it tied to a decision? If we learn the answer today, what specifically changes in our defense?
  2. Does it have an owner? Which specific stakeholder is accountable for acting on this information?
  3. Is it time-bound? Is this requirement evergreen, or active during a defined risk window?

For a more comprehensive view of your full threat intelligence picture, take the Threat Intelligence Capability Assessment.

Frequently Asked Questions About Priority Intelligence Requirements

What is the difference between PIRs and general monitoring goals?
PIRs are decision-driven requirements tied to specific risks. Monitoring goals (like “watch the dark web”) describe activities without defining a clear outcome.

How often should PIRs be updated?
PIRs should be revisited when decisions are made, risks shift, incidents occur, or strategic priorities change.

Can small security teams implement PIR frameworks?
Yes. In fact, smaller teams often benefit most because requirements help prioritize limited resources.

How do you measure PIR effectiveness?
Indicators include reduced alert noise, clearer reporting alignment, faster investigations, and improved stakeholder satisfaction.

Join the Webinar: How to Build and Operationalize Priority Intelligence Requirements

Register to learn how to define actionable PIRs that stakeholders actually care about and align intelligence to real business decisions.

Register now for the webinar.

Note: Attendees will receive our exclusive “Priority Intelligence Requirements Starter Kit,” which features a practical workbook and a PIR library.

Begin your free trial today.

The post Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework appeared first on Flashpoint.

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

Blogs

Blog

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

SHARE THIS:
Default Author Image
April 6, 2026

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.

Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.

Emojis as a Functional Layer of Communication

Within threat actor communities, emoji usage is often structured and repeatable.

Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.

This is especially common in:

  • Telegram fraud channels
  • Phishing and carding communities
  • Service marketplaces and access broker groups

In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.

Common Emoji Categories and What They Signal

Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.

Financial Activity and Monetization

Emojis related to money are among the most frequently used.

Common examples include:

  • 💰 / 💸 — Profit, successful fraud, or payouts
  • 💳 — Credit cards, carding activity, or stolen payment data
  • 🏦 — Banks or financial institutions
  • 🪙 — Cryptocurrency-related activity

These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.

Access, Credentials, and Compromise

Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.

Examples include:

  • 🔑 — Credentials or account access
  • 🔓 — Successful breach or unlocked account
  • 📥 / 📤 — Data exfiltration or transfer
  • 🗂 — Databases or collections of stolen data

In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.

Tools, Automation, and Services

Emojis are also used to signal tooling and service offerings.

Examples include:

  • 🤖 — Bots, automation tools, or malware
  • ⚙ — Configuration, setup, or infrastructure
  • 🧰 — Toolkits or bundled services
  • 📡 — Infrastructure, communication channels, or delivery mechanisms

These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.

Targets and Geography

Threat actors frequently use emojis to represent targets or regions.

Examples include:

  • 🏢 — Corporate or enterprise targets
  • 🎯 — Targeting or “hits”
  • 📍 — Specific targets, drop locations, or points of interest
  • 🌐 — Global campaigns
  • Country flags — Specific geographic targeting

This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.

Urgency, Success, and Status

Some emojis are used to communicate momentum or importance.

Examples include:

  • 🔥 — High-value or trending activity
  • ✅ — Verified success or working method
  • 🚨 — Urgent update or active campaign
  • 📈 — Growth or increased results

These signals are particularly important in fast-moving channels where actors compete for attention.

Emojis as a Tool for Obfuscation

Beyond signaling, emojis are also used to evade detection.

Threat actors may substitute emojis for keywords associated with:

  • Fraud techniques
  • Financial activity
  • Specific platforms or services

For example, replacing “credit card” with 💳 or “bank” with 🏦 can help bypass basic keyword filters or reduce visibility in automated moderation systems.

When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.

Building Identity and Reputation Through Emoji Patterns

Emoji usage is not just functional. It can also be behavioral.

Over time, actors often develop recognizable patterns in how they use emojis:

  • Consistent combinations in sales posts
  • Repeated formatting styles
  • Unique ways of structuring messages

These patterns can serve as lightweight identifiers, helping analysts:

  • Track the same actor across different channels
  • Identify reposted or syndicated content
  • Link activity between platforms

In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.

Cross-Language Communication in Global Threat Ecosystems

Illicit communities are inherently global, spanning multiple languages and regions.

Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:

  • Large Telegram channels with international membership
  • Cross-border fraud operations
  • Decentralized marketplaces

For example, a combination of 💳 + 💰 + 🌍 can communicate “global carding opportunity” without requiring a shared language.

This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.

Context Still Determines Meaning

Despite these patterns, emoji usage is not universal or fixed.

The same emoji can carry different meanings depending on:

  • The platform (Telegram vs. Discord vs. forums)
  • The specific community
  • The surrounding text and context

For example, 🔥 may indicate “high value” in one group, but simply “active discussion” in another.

For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.

What This Means for Threat Intelligence Teams

Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.

Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:

  • Detection of emerging campaigns
  • Identification of high-value activity
  • Attribution and actor tracking
  • Interpretation of intent and sentiment

While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.

Supporting Security Teams with Threat Intelligence

Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.

Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.

This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Begin your free trial today.

The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Blogs

Blog

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Key insights from Forrester’s External Threat Intelligence Service Providers Landscape, Q1 2026 and what they mean for security teams.

SHARE THIS:
Default Author Image
March 30, 2026

Forrester recently published The External Threat Intelligence Service Providers Landscape, Q1 2026, an overview of 34 vendors in the external threat intelligence market — defining market maturity and outlining key dynamics and use cases.

For security and risk leaders, the report offers a clear picture of how the market is evolving and where organizations should focus as they evaluate and operationalize threat intelligence.

The Market Has Moved Beyond Undifferentiated Data Collection

One of the clearest takeaways from the report is how significantly the market has matured.

Threat intelligence is no longer simply about collecting indicators or monitoring feeds. The expectation is now:

  • Contextualized analysis
  • Relevance to specific business risks
  • Direct applicability to detection, response, and decision-making

In our experience, turning data into action is among the most pressing challenges for security leaders. At RSA Conference 2026, Flashpoint introduced new capabilities designed to address this gap by connecting adversary activity directly to business priorities, assets, and investigations.

Intelligence Is Only Valuable When It’s Operationalized

The report also calls out a central challenge: gaps in operationalizing intelligence and aligning it to business context.

Forrester notes, “Gaps in operationalizing intelligence and aligning it to business context are the primary challenge in this market. As the industry shifts from static IOCs to TTPs, scaling operational use becomes difficult when intelligence is not tightly integrated into existing detection, response, and investigation workflows.”

This reflects what we consistently see across teams:

  • Intelligence exists, but sits outside workflows
  • Insights don’t map cleanly to assets, users, or priorities
  • Teams spend time interpreting instead of acting

This alignment of collection and operationalization is defining the next phase of the market.

AI Is Accelerating, But Not Replacing, Intelligence Workflows

Another key theme is the role of AI.

The Forrester report points out, “The main trend in this market is agentic AI being embedded into threat intelligence workflows to improve effectiveness and efficiency… While AI is reshaping the threat intelligence industry, human expertise remains essential to interpret intelligence, apply it to an organization’s unique risk profile, and design, validate, govern, and maintain even highly automated systems over time.”

This balance is critical.

AI is improving how teams operate day to day. Our customers largely credit AI for optimizing:

  • Correlation across disparate signals
  • Speed of triage and enrichment
  • Detection engineering and threat hunting

At the same time, customers do not believe that it can replace:

  • Contextual understanding of adversaries
  • Business-specific risk interpretation
  • Decision-making under uncertainty

Security teams that treat AI as a force multiplier tend to see the most impact. We explore this further in our recent work on AI and threat intelligence.

Where Flashpoint Fits Into The Threat Intelligence Landscape

In The External Threat Intelligence Service Providers Landscape, Q1 2026, Flashpoint self-reported the extended use cases of fraud, financial abuse, counterfeiting, and piracy, threats targeting physical assets, and vulnerability and exposure prioritization as the top three use cases for which clients select them.

From our perspective, the direction outlined in the report closely aligns with how we see the market evolving. Flashpoint is designed to operationalize the capabilities described in the report by linking adversary activity to business context, assets, and decision-making workflows.

From our experience as the largest private provider of threat intelligence, effective threat intelligence today requires:

  • Primary source collection at scale: Direct access to adversary communications, illicit marketplaces, and closed communities — not just aggregated feeds
  • Contextualized, finished intelligence: Analysis that connects activity to real-world impact across assets, people, and operations
  • Operational integration: Intelligence that maps directly into workflows and investigations
  • Cross-domain visibility: Coverage that spans cyber, physical, and geopolitical risk — not treating them as separate problems

What Security Leaders Should Take Away

Based on our experience working with security teams, we see a few consistent priorities for those evaluating threat intelligence providers:

  1. Prioritize outcomes over inputs: The volume of data matters less than its relevance and usability
  2. Look for operational alignment: Intelligence should integrate into detection, response, and investigation workflows
  3. Evaluate context, not just coverage: Breadth of collection matters — but depth of analysis is what drives decisions
  4. Plan for convergence: Cyber, physical, and brand risks are increasingly interconnected
  5. Treat AI as an accelerator, not a replacement: Automation improves scale, but expertise drives impact

Final Thoughts

We believe Forrester’s overview reflects a market that is maturing quickly, but highlights the continued need for security teams to focus on turning intelligence into action.

For organizations evaluating providers, the question is not solely “Who has the most data?”

Organizations must also consider “Where does that data come from, and who can help us make better decisions, faster and with confidence?”

To see how Flashpoint supports this in practice, schedule a demo.

Required Disclaimer

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

Begin your free trial today.

The post Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders appeared first on Flashpoint.

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

Blogs

Blog

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

At RSA Conference 2026, Flashpoint introduces new capabilities that enable security teams to move from visibility to defensible action by connecting adversary activity to business priorities, assets, and investigations.

SHARE THIS:
Default Author Image
March 23, 2026

Most organizations are not lacking visibility, but they are drowning in large volumes of information that are difficult to prioritize and even harder to tie back to clear action. In practice, this creates a familiar problem.

They can see what vulnerabilities exist.
They can track threat activity.
They can monitor alerts across their environment.

But the questions they struggle to answer are more important:

Which of these exposures actually matter?
What do we fix first — and why?
How does this activity translate to risk for the business?

As a result, teams fall back on patching cycles, compliance requirements, or best-effort prioritization and are left making decisions based on incomplete context.

This gap between data and decision-making has become one of the most persistent challenges in modern security operations.

At RSA Conference 2026, Flashpoint is sharing how we are addressing this gap directly — connecting adversary activity to assets, investigations, and defined business priorities so teams can make more consistent, defensible decisions.

“The industry has reached a tipping point where security teams are drowning in data that fails to align with their most important business requirements and decisions. Visibility alone is no longer a victory; it’s a baseline. By connecting underground adversary activity to an organization’s specific attack surface and strategic requirements, Flashpoint is raising the bar beyond passive observation. We are enabling defenders to stop asking ‘what do we own’ and start answering ‘what do we fix first, and why,’ turning raw data into an engine for risk reduction at speed.”

Josh Lefkowitz

What Flashpoint is Showcasing at RSA Conference 2026

Flashpoint is introducing a set of capabilities designed to connect threat intelligence directly to business risk, assets, and investigations:

  • Threat-informed External Attack Surface Management (EASM)
  • Business-Aligned Priority Intelligence Requirements (PIRs)
  • Managed Attribution browser for anonymous investigations

Together, these capabilities enable organizations to move beyond passive monitoring and toward intelligence-driven action.

What Is Threat-Informed External Attack Surface Management (EASM)

Most organizations maintain an inventory of their external assets, but prioritizing them is a persistent challenge. Traditional EASM tools identify what you own but often fail to answer the critical “so what?”. Without contextual risk, prioritization is often driven by static severity scores, patch cycles, or compliance requirements rather than real-world attacker behavior. As a result, teams are left managing stale data through manual CSV uploads and struggling to determine which exposures actually matter.

Flashpoint’s EASM module transforms this stream of exposure data into a prioritized action plan. It continuously discovers a customer’s external attack surface, including domains, subdomains, and IP addresses, and automatically maps this live inventory directly to Flashpoint’s industry-leading vulnerability intelligence.

This allows security teams to:

  • Maintain a Dynamic Inventory: Eliminate manual uploads and stale CMDB exports with an always-current map of internet-facing assets.
  • Contextualize Risk Immediately: Go beyond simple asset discovery by mapping the specific software running on each asset to known vulnerabilities, including pre-NVD findings.
  • Prioritize with Precision: Connect the asset to the actual risk, showing teams not just their external exposure, but where they are truly vulnerable and what needs to be fixed first.

By layering deep vulnerability intelligence onto live asset discovery, Flashpoint enables defenders to move from reactive analysis to proactive, intelligence-driven risk reduction.

Why Priority Intelligence Requirements (PIRs) Are Foundational

Many intelligence teams operate without a formal structure that defines what their work is intended to support.

In day-to-day operations, this results in:

  • Reactive investigation of incoming alerts
  • Reporting driven by the availability of information rather than the need
  • Difficulty demonstrating how intelligence outputs influence decisions

Priority Intelligence Requirements (PIRs) are designed to address this, but in many organizations, they are not integrated into operational workflows.

In May, Flashpoint is introducing in-platform Intelligence Requirements to formalize this structure and embed it directly into the way teams work.

Alerts, investigations, and reporting can be tied to defined requirements, allowing teams to:

  • Focus on activities that directly align with defined business risk priorities
  • Maintain consistency in what is tracked and reported
  • Provide a clearer justification for the intelligence work being done

This creates a more structured intelligence program. Instead of producing outputs based on what is observed, teams can align their work to defined objectives and decision-making needs.

Enabling Safe, Scalable Investigations with Managed Attribution

Accessing adversary-controlled environments such as forums, marketplaces, and encrypted platforms is a core part of many intelligence workflows.

However, doing so safely requires careful setup. Analysts typically need to:

  • Use isolated infrastructure
  • Manage attribution and identity exposure
  • Avoid introducing risk to internal systems

This creates operational overhead and can slow down or limit investigation.

The new anonymous browser capability within Flashpoint Managed Attribution is designed to address this by providing a non-persistent, isolated environment for research and immediate triage. This removes setup friction and allows analysts to move immediately from detection, to investigation, to deeper analysis in the same environment.

Analysts can:

  • Access underground communities
  • Open suspicious links or files
  • Engage with threat actors

Without exposing their identity or internal infrastructure.

By removing the need for manual setup, this allows analysts to move directly into investigation while maintaining operational security. 

See it at RSA Conference 2026

Security teams are being asked to do more than identify threats. They are expected to prioritize, act decisively, and justify those decisions.

That becomes difficult when the inputs — vulnerabilities, alerts, threat reporting — are not clearly connected to each other or to the business.

​​Intelligence needs to be tied to assets, aligned to defined priorities, and usable in day-to-day workflows. That’s the focus of Flashpoint’s updates this year.

At RSA Conference 2026, we’ll be walking through how this works in practice—how teams are connecting adversary activity to what they own, what matters, and what they do next. Flashpoint will be sharing more on these new innovations, including threat-informed EASM, in-platform Intelligence Requirements, and the Managed Attribution browser.If you’re attending, stop by Booth S-3341 to see how teams are moving from visibility to action. For a personalized demo, schedule a meeting with us.

Frequently Asked Questions

What is Flashpoint showcasing at RSA 2026? 

Flashpoint is showcasing how its primary-source threat data connects directly to business assets and priorities. At the booth, attendees can get a sneak peek of the upcoming in-platform Priority Intelligence Requirements (PIRs), which formalize how security teams tie investigations to business risk. Flashpoint will also be discussing the upcoming general availability of threat-informed EASM for asset discovery and risk prioritization, alongside the Flashpoint Managed Attribution browser, designed for secure underground research.

What is Flashpoint Threat-Informed EASM? 

Flashpoint External Attack Surface Management (EASM) goes beyond simple asset discovery by automatically mapping your external footprint to our industry-leading vulnerability intelligence. This allows teams to prioritize remediation by identifying which software versions are actually running on key assets, flagging critical risks often missed by public databases.

How do Flashpoint Priority Intelligence Requirements (PIRs) help security teams? 

Flashpoint PIRs provide a formal in-platform structure that ties security alerts and investigations to specific business risks. This helps teams move away from reactive “activity-based” work and toward “decision-based” intelligence that is defensible to executive stakeholders.

What are the benefits of the Flashpoint Managed Attribution browser? 

The Flashpoint Managed Attribution browser allows threat analysts to safely research the web using a disposable, anonymous environment. This prevents the analyst’s identity from being exposed and protects the corporate network from malware while conducting underground research.

How does Flashpoint’s new offering support a Continuous Threat Exposure Management (CTEM) framework?

Flashpoint facilitates the CTEM lifecycle by providing the primary source data necessary to move beyond traditional point-in-time scanning. EASM enables organizations to start focusing on the specific vulnerable software and high-risk exposures that threat actors are actively targeting.

Begin your free trial today.

The post Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 appeared first on Flashpoint.

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

Blogs

Blog

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

In this post, we examine the disruptive cyber activity targeting Stryker, potential links to the Handala persona, and what the incident signals about evolving threats to healthcare supply chains.

SHARE THIS:
Default Author Image
March 12, 2026

Over the past several years, destructive cyber operations have increasingly expanded beyond traditional critical infrastructure targets. State-linked actors have demonstrated a growing willingness to disrupt organizations that sit at key logistical and supply chain nodes, where a single intrusion can generate cascading operational impacts across entire sectors.

Healthcare supply chains are particularly exposed to this dynamic. Large medical technology providers, pharmaceutical distributors, and logistics partners often support hundreds or thousands of downstream healthcare providers, making them attractive targets for adversaries seeking to create disruption without directly attacking hospitals themselves.

On March 11th, medical technology company Stryker disclosed that a cyberattack had disrupted portions of its global network infrastructure, affecting Microsoft systems used across the organization. In public statements and regulatory filings, the company indicated that the incident impacted internal operations and that the full scope of the disruption and timeline for restoration remain under investigation. At the time of writing, the company stated it had not identified evidence of ransomware or conventional malware, suggesting the activity may involve alternative attack methods or infrastructure abuse.

Separately, reporting has noted that the Handala persona — a hacking group widely assessed to be linked to Iranian state actors — appeared on some company login pages during the incident, further raising questions about possible attribution.

Yesterday’s cyberattack against Stryker reflects several dynamics that Flashpoint analysts have been tracking across disruptive cyber operations. Flashpoint analysts are monitoring technical indicators and reporting associated with destructive activity targeting the organization and assessing potential links to threat actors previously associated with disruptive campaigns targeting Western organizations.

While the full scope of the incident remains unclear, the activity highlights several trends that threat intelligence teams are tracking closely.

Observed Activity Linked to the Handala Persona

Flashpoint analysts are monitoring indicators associated with the Handala threat persona in relation to the incident.

Handala has maintained an online presence that presents itself as a politically motivated hacktivist movement. However, based on targeting patterns, messaging, and operational behavior observed over the past year, Flashpoint assesses that the persona is likely linked to Iranian state actors rather than an independent hacktivist collective. In public Telegram posts and website manifestos monitored by Flashpoint analysts, Handala framed the Stryker attack as retaliation for recent kinetic strikes in the Middle East. By operating behind a persona styled as a grassroots, pro-Palestinian resistance movement, Iranian state-nexus actors are able to conduct destructive cyber operations against Western organizations while maintaining a degree of plausible deniability.

“From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism. What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale.”

Kathryn Raines, Cyber Threat Intelligence Team Lead for Flashpoint National Security Solutions

Flashpoint analysts have previously documented how Iranian state-linked actors are increasingly integrating cyber operations into broader geopolitical and military campaigns. For additional context on this trend, see our recent analysis of how cyber activity is evolving alongside the current regional conflict.

Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling. Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.

While attribution for the Stryker incident has not been definitively established, the activity is consistent with patterns previously associated with the persona.

Potential Abuse of Enterprise Management Infrastructure

Flashpoint analysts are reviewing indications that attackers may have leveraged enterprise device management infrastructure, including Microsoft Intune, to trigger wiping actions across managed devices. This method explains Stryker’s initial public statements indicating that “no evidence of malware or ransomware.” Because Intune is a trusted, native Microsoft administrative tool, an attacker weaponizing it to issue mass remote wipe commands would not trigger traditional endpoint detection and response (EDR) or antivirus alerts. To the victim’s security sensors, no malicious files are being dropped; therefore, the activity would appear to be a highly privileged IT administrator executing a standard, albeit catastrophic, compliance policy. This living off the land (LotL) approach represents a massive blind spot for traditional security architectures

If confirmed, this technique represents an evolution in destructive cyber operations.

Rather than relying exclusively on custom malware designed specifically for wiping systems, attackers may increasingly attempt to abuse legitimate administrative tools already embedded in enterprise environments. Compromise of a centralized management console could allow an adversary to execute commands across large numbers of endpoints simultaneously.

This approach can significantly expand the potential impact of a compromise while reducing the need for specialized destructive malware.

Targeting Supply Chain Nodes in Critical Sectors

As a major provider of equipment used in surgical suites and emergency rooms, Stryker occupies an important position within the healthcare ecosystem. Disruption affecting organizations in this category can create second-order operational impacts across healthcare providers that depend on their products and services.

“The attack on Stryker highlights a troubling shift we’re increasingly seeing in destructive cyber operations. Rather than targeting hospitals or frontline healthcare providers directly, adversaries may focus on critical suppliers and logistics providers where disruption can cascade across the entire healthcare ecosystem. A single intrusion at a key node in the supply chain has the potential to create widespread operational impact far beyond the initial target.”

Josh Lefkowitz, CEO, Flashpoint

Flashpoint analysts have increasingly observed state-linked cyber activity targeting logistical nodes and supply chain providers, rather than only frontline institutions such as hospitals. From an operational perspective, this strategy allows adversaries to generate broader disruption while potentially avoiding the immediate scrutiny associated with direct attacks on healthcare facilities.

Ongoing Monitoring

Flashpoint analysts continue to monitor developments related to this incident and are evaluating additional indicators as they emerge.

Several factors will shape the broader assessment of the activity in the coming days:

  • Confirmation of the mechanism used to carry out destructive actions
  • The scale of affected systems or devices
  • Additional evidence linking the activity to known threat actors or state-linked groups
  • Whether the activity represents a single incident or part of a broader campaign

Incidents involving destructive cyber activity targeting critical supply chain organizations underscore the increasing intersection between geopolitical tensions, cyber operations, and operational resilience.

Flashpoint will continue to track this activity and provide updates as more information becomes available.

Supporting Security Teams with Threat Intelligence

Understanding how adversaries operate — including the tradecraft used to weaponize enterprise infrastructure and target supply chain dependencies — is essential for defending critical organizations.

Flashpoint delivers actionable intelligence that helps security teams detect emerging threats, contextualize adversary activity, and respond faster to disruptive campaigns targeting critical sectors. Schedule a demo to learn more.

Begin your free trial today.

The post Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks appeared first on Flashpoint.

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

SHARE THIS:
Default Author Image
March 11, 2026

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

  • AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
  • 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
  • From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
  • Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

  1. A Clear Understanding of the New Convergence Between Identity and AI
    Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
  2. Intelligence on the “Franchise Model” of Global Extortion
    Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
  3. A Blueprint for Proactive Defense and Risk Mitigation
    Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Get Your Copy

The post Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report appeared first on Flashpoint.

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

13 February 2026 at 20:09

Blogs

Blog

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

SHARE THIS:
Default Author Image
February 13, 2026
Table Of Contents

The threat intelligence landscape is often dominated with talks of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still managed by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”,  Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study where an attacker’s digital breadcrumbs led to a life-saving intervention. 

Here is how OSINT techniques, leveraged by Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

  • Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
  • Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
  • Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of Osint Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall in, we know exactly where to look for their mistakes.

AssumptionThe Mindset TrapThe Investigative Reality
Insignificant“I’m not a high-value target; no one is looking for me.”Automated Aggression: Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
Invisible“I don’t have a LinkedIn or X account, so I don’t have a footprint.”Shadow Data: Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
Invincible“I have 2FA and complex passwords; I’m unhackable.”Session Hijacking: Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.

Request a demo today.

The post The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs appeared first on Flashpoint.

❌