How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and a commercialized hacker-for-hire industry.

January 30, 2026

For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

Understanding the Walled Garden: The Shift from Disclosure to Nationalization

The “Walled Garden” is the direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). The gradual walling off of China’s data is the cumulative result of years of regulatory and policy strategy, but the 2021 RMSV is the decisive step that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community.

For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

The Indigenous Kill Chain: Reconnaissance Beyond Shodan

Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

  • FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
  • ZoomEye: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
  • 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

Building a State-Aligned Offensive Stack

Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

In the webinar, our analysts walk through purpose-built cyber weapons that hunt for VMware vCenter servers and support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion), a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.
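The encrypted-C2 point above, as a defender-side added example that is not taken from the Flashpoint post or its webinar: a small hunting heuristic in Python that scores HTTP transactions by the Shannon entropy of the request body, flagging near-random POST bodies sent to server-side scripts or declared as text, while leaving ordinary binary uploads alone. The thresholds, the script-suffix list and the sample traffic are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class HttpTransaction:
    """One request as a reverse proxy or network sensor might record it."""
    method: str
    path: str
    content_type: str
    body: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Thresholds are assumptions for this example, not values from the post.
ENTROPY_THRESHOLD = 7.0   # encrypted or compressed bodies sit close to 8 bits/byte
MIN_BODY_BYTES = 64       # very short bodies give unreliable entropy estimates
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".php", ".aspx", ".ashx")
TEXTUAL_TYPES = ("text/", "application/x-www-form-urlencoded", "application/json")


def score_transaction(tx: HttpTransaction) -> dict:
    """Features plus a verdict for one transaction.

    A hit requires a POST with a substantial, near-random body AND one of:
      * the target is a server-side script (where a dropped web shell lives), or
      * the declared content type is textual, which random bytes cannot be.
    Legitimate binary uploads (images, archives) are high-entropy too, so a
    binary content type posted to a non-script path is not flagged on its own.
    """
    ent = shannon_entropy(tx.body)
    ctype = tx.content_type.lower()
    to_script = tx.path.lower().endswith(SCRIPT_SUFFIXES)
    claims_text = ctype.startswith(TEXTUAL_TYPES)
    high_entropy = len(tx.body) >= MIN_BODY_BYTES and ent > ENTROPY_THRESHOLD
    suspicious = tx.method.upper() == "POST" and high_entropy and (to_script or claims_text)
    return {"path": tx.path, "entropy": round(ent, 2), "suspicious": suspicious}


def hunt(transactions):
    """Return the paths of transactions that deserve an analyst's attention."""
    return [s["path"] for s in map(score_transaction, transactions) if s["suspicious"]]


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain) so the demo is repeatable."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample traffic; none of these are real captures.
SAMPLE_TRANSACTIONS = [
    HttpTransaction("POST", "/login", "application/x-www-form-urlencoded",
                    b"username=alice&password=correct-horse-battery-staple&csrf=8f3a19c2d4e6b7a0"),
    HttpTransaction("POST", "/api/v1/tickets", "application/json",
                    b'{"title": "Printer offline", "priority": "low", "tags": ["office", "hardware"]}'),
    # A legitimate image upload: high entropy, but the content type says so.
    HttpTransaction("POST", "/api/v1/upload", "image/png",
                    b"\x89PNG\r\n\x1a\n" + pseudo_random_bytes(2048, b"png")),
    # Encrypted shell traffic: a near-random body posted to a script, declared as text.
    HttpTransaction("POST", "/uploads/help.jsp", "text/plain", pseudo_random_bytes(4096)),
    # A GET with an empty body never qualifies, whatever the path.
    HttpTransaction("GET", "/uploads/help.jsp", "", b""),
]

if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(score_transaction(tx))
    print("flagged:", hunt(SAMPLE_TRANSACTIONS))
```

Entropy alone is a noisy signal; in practice the verdict is a starting point for correlating the destination path with recent file writes on the web server and with the process tree of the application server.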

How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

Watch the on-demand webinar to learn more, or request a demo today.

The post How China’s “Walled Garden” is Redefining the Cyber Threat Landscape appeared first on Flashpoint.

In Other News: Paid for Being Jailed, Google’s $68M Settlement, CISA Chief’s ChatGPT Leak

30 January 2026 at 18:49

Other noteworthy stories that might have slipped under the radar: Apple updates platform security guide, LastPass detects new phishing wave, CISA withdraws from RSA Conference.

The post In Other News: Paid for Being Jailed, Google’s $68M Settlement, CISA Chief’s ChatGPT Leak appeared first on SecurityWeek.

White House Scraps ‘Burdensome’ Software Security Rules

30 January 2026 at 13:31

Two Biden-era memorandums have been revoked, but some of the resources they provide can still be used by government organizations.

The post White House Scraps ‘Burdensome’ Software Security Rules appeared first on SecurityWeek.

2026 Public Sector Cyber Outlook: Identity, AI and the Fight for Trust

28 January 2026 at 15:00

The early weeks of 2026 have already made one thing clear: Government cybersecurity is in a new phase, shaped not by incremental change, but by the rapid integration of AI into core public-sector missions. AI systems are now embedded in critical infrastructure, federal service delivery, research environments, as well as state and local operations. At the same time, nation-state adversaries are leveraging AI to accelerate intrusion, scale deception and manipulate trusted systems in ways not possible even a year ago.

As Senior Vice President of Public Sector at Palo Alto Networks, I see a decisive shift underway. Defending the public sector in 2026 means navigating a world where security depends on verifying identity, securing data and governing AI-driven systems that act without human intervention. Success now hinges on architectures that assume automation, operations that prioritize coordination, and governance frameworks capable of managing AI at mission scale.

Here are the developments that will define the year ahead.

Federal Government

1. AI-Native Security Must Become Integral to Federal Operations

AI in federal environments is no longer an experiment. Agencies are now designing workflows, SOC missions and cloud architectures around AI-driven detection and response. The emphasis is shifting from supplementing human analysts to building systems that maintain visibility, correlate threats, and respond autonomously when human capacity is limited. This builds on what we forecasted last year, when federal cybersecurity teams began using AI to replace manual workflows and drive down detection and response times.

The shift will be practical. Federal teams must plan to deploy AI systems that correlate logs, identify behavioral anomalies, prioritize threats, and suppress noise before analysts ever see an alert. Manual, ticket-based workflows will no longer meet federal timelines for investigation or reporting, particularly as adversaries automate more phases of attack.

2. Identity Emerges as the Central Federal Security Challenge

The biggest shift in 2026 will be the collapse between “identity” and “attack surface.” Deepfake technologies now operate in real time. AI-generated voices and video can impersonate senior leaders at a level undetectable by traditional controls. Machine identities continue to proliferate; they will outnumber human identities this year. And autonomous agents can initiate high-impact actions without human oversight. This reflects a broader crisis of authenticity now reshaping how enterprises defend identity itself.

Identity abuse will no longer be limited to credential theft. This turns identity into a systemic risk. One compromised identity (human, machine or agent) can cascade through automated systems with little friction. Federal programs will need to prioritize continuous identity verification, stronger proofing and governance frameworks that validate the legitimacy of both human and AI-driven activity.

3. AI Systems Must Be Secure-by-Design

Stemming from the clear mandate in the AI Action Plan (and subsequent work by NIST to develop an AI/Cyber Profile on top of the existing Cybersecurity Framework), agencies will steadily integrate AI security into their deployment of AI technologies.

This imperative is critical as AI systems are susceptible to novel threats. Data poisoning of training sets, manipulated inputs and hidden instructions in untrusted datasets compromise the intelligence that agencies rely on for analysis, planning and mission support. To support the security of this AI-first moment, Palo Alto Networks was proud to make its AI security platform, Prisma® AIRS™, available through the GSA OneGov initiative.

4. Nation-State Operations Expand Through AI Automation

Adversaries will use AI to compress the time between reconnaissance, exploitation and lateral movement. We expect rapidly increasing use of AI to chain vulnerabilities, tailor social engineering campaigns, and generate malware variants that adapt in real time.

The focus will broaden beyond IT networks. AI will be used to disrupt OT systems and target sensitive research environments. Foreign intelligence services will weaponize AI to blur the line between intrusion and information operations, producing hybrid campaigns that attack both systems and the legitimacy of institutions.

5. Autonomous SOC Capabilities Become Essential

Federal SOCs will evolve from human-centered command centers to hybrid operations where autonomous agents run major components of the detection and response mission. These agents will triage alerts, enforce containment, and initiate predefined responses.

This evolution comes with risk. AI agents with broad authority can be misused or manipulated if not properly governed. Agencies will need safeguards to track agent behavior, enforce least privilege on agents, and prevent misuse through runtime monitoring and “AI firewall” controls designed to stop malicious prompts and unauthorized actions. The same pressures are shaping enterprise security, where controls like AI firewalls and circuit breaker mechanisms are becoming standard practice. Automation will only strengthen federal security if paired with rigorous oversight and continuous validation of agent activity.

6. Shared and Federated SOC Structures Gain Momentum

As threats scale, agencies will increasingly operate through shared or federated security structures. Instead of isolated SOCs, agencies will adopt analytics layers capable of correlating activity across departments and exchanging findings in real time.

This shift will reduce redundancy and provide faster insight into nation-state campaigns that cross federal boundaries. Early adopters will establish shared analytic and response frameworks that allow agencies to coordinate without sacrificing mission-specific control. Civilian agencies will lead early adoption with broader participation across defense and national security stakeholders expected later in the year.

7. The Post-Quantum Deadline Becomes Immediate

In 2026, post-quantum cryptography planning will move to implementation. Accelerated advances in quantum computing and AI-based cryptanalysis will push agencies to transition from pilot efforts to mandated modernization.

Agencies will focus on discovering where vulnerable algorithms are used, replacing outdated libraries, and implementing crypto-agility so systems can evolve without major redesigns. Systems with unpatchable cryptographic components will be flagged for full replacement, forcing agencies to reconcile years of accumulated “crypto debt.”

8. Data Trust and Cloud Workload Protection Become Priority Missions

The rise of AI workloads will force agencies to rethink how they protect data. Infrastructure controls alone cannot detect when training data has been manipulated or when model outputs no longer reflect real-world conditions.

Agencies will unify developer and security workflows and use tools like Data Security Posture Management and AI security posture management (AI-SPM) to track data lineage and enforce protections at runtime. Enterprises are addressing the same issue by bringing development and security teams together under shared data governance models. Ensuring model trustworthiness will become a mission-support requirement, not just a security objective.

9. Platform Consolidation Becomes Necessary

Fragmented tools cannot support the visibility and oversight required for AI governance. Executives will push for platform consolidation to unify network, identity, cloud, endpoint and AI security. Integrated platforms will gain favor because they enable consistent policy enforcement and a single operational picture across increasingly automated environments.

State, Local and Educational Institutions

1. AI Adoption Splits SLED into Distinct Tiers

In 2026, disparities in funding and technical capacity will widen. Some states will deploy AI across security operations, citizen services and identity verification. Others will struggle to maintain legacy systems.

Well-resourced jurisdictions will reduce response times and improve resilience. Underfunded ones will remain exposed to ransomware and disruption. Without targeted modernization efforts, a national divide in SLED cybersecurity maturity will deepen.

2. Regional Models Become the Practical Path Forward

Silos are no longer sustainable. SLED organizations will rely on shared SOCs, regional threat intelligence hubs and coordinated incident response agreements. States will formalize partnerships to share expertise, reduce costs and defend interconnected systems. This evolution represents the maturation of the “team sport” mentality we predicted in 2025. These models reflect operational reality: Compromised data or infrastructure in one jurisdiction often creates immediate risk for its neighbors.

3. Higher Education Redesigns Its Security Baseline

Universities will classify cybersecurity alongside energy, research infrastructure and physical security as essential institutional functions. Secure browser adoption, stronger vendor oversight and centralized identity governance will become the norm.

AI research environments will receive increased scrutiny, and universities participating in federally funded research will face stricter compliance requirements to prevent data poisoning and model manipulation. Institutions with large research portfolios will prioritize securing lab environments where AI models are trained and evaluated.

4. K–12 Systems Enter a New Phase of Security Oversight

States will introduce new security mandates for K–12 environments, covering MFA, network segmentation, secure browsers, identity verification and foundational zero trust principles. AI-enabled ransomware will remain a threat. Smaller districts will adopt managed services or regional support structures as they confront growing operational and compliance demands. Districts that modernize identity controls and browser security will significantly reduce their exposure compared to those reliant on legacy tools. Building on the regulatory momentum we predicted in 2025, K–12 institutions will continue moving from defensive posture to proactive security adoption.

5. Local Governments Face Escalating AI-Driven Ransomware

Municipal governments remain high-value targets due to limited staffing and aging infrastructure. AI gives threat actors the ability to automate reconnaissance, craft targeted phishing messages, and identify vulnerabilities with little effort.

Attacks timed to public safety incidents or weather emergencies will increase, meaning local governments will need stronger identity controls, automated endpoint protection and access to managed detection and response. Operational continuity will depend on reducing time-to-detect and time-to-contain, capabilities that smaller municipalities cannot achieve without external support.

6. Managed Services and Platform Consolidation Become Standard

As technical demands grow, SLED organizations will move toward managed SOC models and consolidated vendor ecosystems. Platforms that integrate data protection, threat detection, identity governance and AI oversight will gain traction. Point tools without interoperability will decline. Budget-constrained environments will favor comprehensive platforms that reduce operational burden and simplify compliance.

7. Identity and Data Trust Become Central SLED Priorities

SLED organizations manage sensitive student records, election data and social services information. These environments are increasingly strained by the rapid growth of machine identities and AI-driven applications.

Synthetic identities and AI-generated credentials will be used to infiltrate systems with limited oversight. Continuous identity verification, data lineage tracking and posture management will become essential to prevent fraud, service disruption and data manipulation. Identity assurance and data integrity will become the foundation of public trust at the state and local level.

The post 2026 Public Sector Cyber Outlook: Identity, AI and the Fight for Trust appeared first on Palo Alto Networks Blog.

Securing the AI Frontier

4 December 2025 at 15:14

Why the GSA OneGov Agreement Is a Game-Changer for Federal Cybersecurity

The mission to modernize government IT is accelerating at lightning speed, largely thanks to the transformative power of artificial intelligence (AI). Federal agencies are strategically leveraging AI to boost efficiency, enhance citizen services, and strengthen national security – a vision fully supported by the administration’s AI Action Plan.

At Palo Alto Networks, we are all-in on helping agencies deploy AI bravely and securely. Because the challenge isn't just about using AI for cyberdefense, but also about defending AI itself. We appreciate the U.S. General Services Administration (GSA) recognizing the critical need for scalable, efficient solutions.

That is precisely why the GSA OneGov Initiative is a massive, game-changing step forward. We are proud to be the first pure-play cybersecurity vendor to secure a OneGov agreement with the GSA. This strategic alliance simplifies and standardizes the process for agencies to access our world-class, AI-powered security platform, ensuring security is foundational to this crucial modernization mission.

The Wake-Up Call: The Silent Threat of AI Agent Corruption

If you needed a clear sign that AI has fundamentally shifted the cybersecurity landscape, our own Unit 42 research provides it. The new reality isn't just about hackers using AI in their attacks; it’s also about how internal AI provides another attack surface for threat actors.

The most insidious new threat we've observed is AI Agent Smuggling, where malicious attackers use AI agents to exploit other agents. Our Unit 42 research highlights two major vectors:

  • Indirect Prompt Injection: A security risk in LLMs where a user crafts input containing deceptive instructions to manipulate the model’s behavior, which can lead to unauthorized data access or unintended actions.
  • Agent Session Smuggling: Exploits vulnerabilities in agent-to-agent communication, injecting malicious instructions into a conversation and hiding them among otherwise benign client requests and server responses.

This confirms our core belief as stated in a recent secure AI by Design blog: The AI ecosystem (the models, data and infrastructure) is now a complex, expanding attack surface that traditional perimeter defenses were simply not designed to protect.

As I’ve said before, “If you’re deploying AI, you must deploy AI security.”

Secure AI by Design: A Strategic Alliance with GSA

The GSA’s OneGov Initiative aims to streamline procurement and drive down costs by leveraging the purchasing power of the entire federal government. This is more than an agreement; it’s a direct response to the call for a "secure-by-design" approach to federal AI adoption. This agreement simplifies and standardizes the process for agencies to access our world-class, AI-powered security platform, ensuring that security is foundational, not an afterthought. It puts industry-leading AI security tools into the hands of our cyber defenders today.

Under the Hood: Technical Capabilities for the AI Ecosystem

To counter the autonomous threats we’re seeing, we provide a platform that protects the entire AI lifecycle, from the developer's keyboard to the data center.

1. Runtime Protection for AI Workloads

Securing the AI supply chain requires visibility across every stage, especially during runtime when models are processing sensitive data.

  • Prisma® AIRS™ delivers comprehensive security for the entire AI lifecycle, in one unified platform. It allows organizations to deploy traditional apps as well as AI applications, models and agents with confidence by reducing risk from misuse, data loss and sophisticated AI-driven threats. Prisma AIRS provides a clear, connected view of assets in multicloud environments, so teams can eliminate silos, accelerate responses, as well as scale cloud and AI apps securely.
  • Our Cloud-Native Application Protection Platform (CNAPP) has achieved the FedRAMP High designation, making it the preferred Code to Cloud™ solution to secure the entire application lifecycle from development to runtime. Our industry-leading CNAPP eliminates silos to deliver comprehensive visibility and best-in-class protection across multicloud environments.

2. Protecting Users and Data at the Edge

Even the most advanced AI defenses are undermined if users accessing applications and data are left vulnerable outside corporate security boundaries. The explosive growth of generative AI tools and the unseen behavior of AI agents are amplifying data exposure risks.

  • Prisma SASE (secure access service edge) secures all users, apps, devices and data, no matter where they are and no matter where applications reside.
    • Prisma Access (FedRAMP High Authorized) and Prisma Browser™ (FedRAMP-Moderate Authorized) integrate security capabilities, like zero trust network access (ZTNA), secure web gateway (SWG) and cloud access security broker (CASB), to provide a unified policy framework and a consistent user experience.
  • This approach helps agencies outpace the speed of AI-driven threats, safeguarding critical data and simplifying operations for a frictionless user experience. It ensures that the human element interacting with the AI is protected by the most stringent security controls available.

Deploy AI Bravely

The GSA OneGov agreement is a pivotal moment that provides federal agencies with the cost-effective, streamlined access they need to deploy AI with confidence. By leveraging our unified, AI-powered platform, government organizations can stop reacting to threats and start building secure-by-design AI environments. We are committed to remaining a key partner in this strategic initiative and helping the government achieve its mission outcomes safely.

For more information and access to promotional offers for new contracts signed on or before January 31, 2028, federal agencies can visit the GSA OneGov website.

The post Securing the AI Frontier appeared first on Palo Alto Networks Blog.

Bridging Cybersecurity and AI

Modernizing Vulnerability Sharing for a New Class of Threats

In cybersecurity, vulnerability information sharing frameworks have long assumed that conventional threats exploit flaws in software or systems, and that they can be resolved with patches or configuration updates. AI and machine learning (ML) models upend that premise, as adversarial attacks, like poisoning and evasion, target the unique way AI models process information. Consequently, the risks to AI systems include tactics like model poisoning (from evasion attacks) in datasets and training, which are not conventional software vulnerabilities. These new vulnerabilities fall outside the scope of traditional cybersecurity taxonomies like the Common Vulnerabilities and Exposures (CVE) Program.

There is a need to bridge the gap between the existing cybersecurity vulnerability sharing structure and burgeoning efforts to catalog security risks to AI systems. Provisions in the White House AI Action Plan, which Palo Alto Networks supports, call for the creation of an AI Information Sharing and Analysis Center (AI-ISAC), reinforcing the importance of addressing that disconnect. This integration is essential, as leveraging the existing, widely adopted cybersecurity infrastructure will be the fastest path to ensuring these new standards are accepted and operationalized.

Established Construct for Vulnerability Management and Disclosure

The global cybersecurity community relies on a mature infrastructure for sharing standardized vulnerability intelligence. Central to this ecosystem is the CVE List, established in 1999 as the authoritative catalog of cybersecurity vulnerabilities. Through CVE IDs and a network of CVE Numbering Authorities (CNAs), this framework enables consistent vulnerability documentation and disclosure.

Similarly, the Common Vulnerability Scoring System (CVSS) provides standardized severity assessments, allowing security teams to prioritize responses. Together with resources like the National Vulnerability Database (NVD) and CISA’s KEV Catalog, these tools form the backbone of global vulnerability management, information sharing and coordinated disclosure.

Why AI Breaks the Traditional Model

While this infrastructure has served the cybersecurity community effectively for over two decades, it was designed around traditional threat models that AI systems substantially upend. Attacks on AI systems represent a critical departure from traditional cybersecurity threats as they operate insidiously, subtly corrupting core reasoning processes, causing persistent, systemic failures, some of which only become evident over time. Most traditional cybersecurity tools are not equipped to recognize those breakdowns because they assume deterministic behavior and rules-based logic. AI systems defy those assumptions because AI is probabilistic, not deterministic. Consequently, attacks on AI models may remain hidden for extended periods.

Unlike traditional cybersecurity threats that target code, adversarial AI attacks target the underlying data and algorithms that govern how AI systems learn, reason and make decisions. Consider the following predominant adversarial attack methodologies on machine learning:

  • Poisoning attacks inject malicious data into training datasets, corrupting the model's learning process and creating deliberate vulnerabilities or degraded performance.
  • Inference-related attacks exploit model outputs to extract sensitive information or learn about its training data. This includes model inversion, which reconstructs sensitive data from the model's outputs, as well as membership inference, which identifies whether specific data points were used in training.

The expansion of existing security frameworks and programs is necessary to cover the enumeration, disclosure and downstream management of security risks to AI systems.

Advancing AI Security Through the AI Action Plan

In July, the Administration unveiled the AI Action Plan, an innovation-first framework balancing AI advancement with security imperatives. The Plan prioritizes Secure-by-Design AI technologies and applications, strengthened critical infrastructure cybersecurity and protection of commercial and government AI innovations.

Notably, it recommends establishing an AI Information Sharing and Analysis Center (AI-ISAC) to facilitate threat intelligence sharing across U.S. critical infrastructure sectors and encourages sharing known AI vulnerabilities, “tak[ing] advantage of existing cyber vulnerability sharing mechanisms.” These provisions affirm that AI security underpins American leadership in the field and, where possible, should be built upon existing frameworks.

Redefining Boundaries for AI Threats

To position the CVE Program for the AI-driven future, Palo Alto Networks is engaging directly with industry and program stakeholders to chart the path forward. Traditionally, the CVE Program serves as an ecosystem-wide central warning system. It provides a unified source of truth for security risks. A security risk catalog and identification system are needed for AI systems, as they currently fall outside the traditional scope of the CVE Program, which has focused exclusively on vulnerabilities rather than on malicious components. The historical aperture of the current CVE Program excludes harmful artifacts, such as backdoored AI models or poisoned datasets, which represent fundamentally different attack vectors, in turn creating security blind spots.

Securing AI’s Promise

The United States leads in AI innovation and must equally lead in securing it. As momentum builds behind the AI Action Plan and the establishment of the AI-ISAC, we have a critical window to shape information sharing frameworks of the future. The goal is to ensure that cybersecurity and AI security infrastructure advance in unison with the technology itself. Integrating new AI vulnerability standards into trusted frameworks like the CVE Program aligns with industry focus and needs. Through proactive, coordinated action, we can unlock AI’s full promise while safeguarding the models that are embedded in the critical systems on which our nation depends.

The post Bridging Cybersecurity and AI appeared first on Palo Alto Networks Blog.

In Other News: 8,000 Ransomware Attacks, China Hacked US Gov Emails, IDHS Breach Impacts 700k

9 January 2026 at 16:58

Other noteworthy stories that might have slipped under the radar: Jaguar Land Rover sales crash, hundreds of gen-AI data policy violations, and Chinese cyberattacks against Taiwan intensified.

The post In Other News: 8,000 Ransomware Attacks, China Hacked US Gov Emails, IDHS Breach Impacts 700k appeared first on SecurityWeek.

London councils enact emergency plans after three hit by cyber-attack

Kensington and Westminster councils investigating whether data has been compromised as Hammersmith and Fulham also reports hack

Three London councils have reported a cyber-attack, prompting the rollout of emergency plans and the involvement of the National Crime Agency (NCA) as they investigate whether any data has been compromised.

The Royal Borough of Kensington and Chelsea (RBKC), and Westminster city council, which share some IT infrastructure, said a number of systems had been affected across both authorities, including phone lines. The councils shut down several computerised systems as a precaution to limit further possible damage.


© Photograph: Artur Marciniec/Alamy


Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel


Examining current and potential involvement of militant terrorist groups in the Israel-Hamas conflict, beginning with the October 7 attacks

October 18, 2023

October 7: Hamas attacks Israel

In the midst of the Israel-Hamas War, which erupted with a surprising and devastating attack on October 7, 2023 that resulted in the deaths of more than 1,300 Israelis, it is becoming increasingly apparent that the dynamics of this complex conflict extend beyond the actions of Hamas alone. While Hamas took the lead in launching the initial assault, there is evidence, outlined in this article, that numerous other militant and terrorist groups worked in concert with Hamas, which continues to shape the trajectory of the ongoing conflict.

Based on frontline reportage, open-source intelligence, including social media and message platforms, and Flashpoint collections surrounding the events on October 7, we explore the roles and actions of additional militant and terrorist factions, shedding light on their collective impact in the evolving Israel-Hamas War. 

We will update this article as the situation in Israel, Gaza, and the Middle East develops.

Militant and Terrorist Groups Involved in October 7 Attack on Israel

Izz al-Din al-Qassam Brigades (كتائب الشهيد عز الدين القسام)

Operation Al-Aqsa Tufan (Flood) involved coordinated attacks from the Gaza Strip into bordering areas in Israel on October 7, coinciding with a major Jewish holiday and marking the beginning of the 2023 Israel–Hamas war. The attack included a rocket barrage of thousands of missiles, vehicle-transported incursions into Israeli territory, kidnappings, including at a music festival, and significant civilian casualties. It has been described as one of the bloodiest days in Israel’s history and the deadliest for Jews since the Holocaust. Founded in the late 1980s, Izz al-Din al-Qassam Brigades is the militant wing of the terrorist organization Hamas. It has been designated as a terrorist organization by several countries, including the United States, Israel, and the European Union. 

Palestinian Islamic Jihad (الجهاد الإسلامي الفلسطيني)

As we previously reported, Hamas and PIJ communicate often with followers via Telegram. On the day after the October 7 attacks, PIJ, in one of its main channels, posted that “the elite of Al-Quds Brigades is entering the border to support al-Qassam Brigades fighters (Hamas) and supply them with weapons.” It has also been reported that PIJ took part in the October 7 attacks alongside Hamas.

On October 17, a rocket hit the Al Ahli Arab Hospital in Gaza, killing hundreds of Palestinian civilians. In a statement, Israeli Defense Forces said that “[Palestinian] Islamic Jihad is responsible for the failed rocket launch which hit the hospital in Gaza.” PIJ has denied the allegation in a statement, reportedly calling it “false and baseless.”

Palestinian Islamic Jihad (PIJ) is a Palestinian terrorist organization that is designated by several countries, including the United States, Israel, and the European Union. It was founded in the late 1970s with the goal of establishing an Islamic Palestinian state and has carried out attacks against Israel.

Al-Aqsa Martyrs Brigade (كتائب شهداء الأقصى)

The Al-Aqsa Martyrs Brigade is a Palestinian militant organization affiliated with Fatah, a major Palestinian political party, that has carried out attacks and other activities against Israel. One of the key players in Palestinian politics today, Al-Aqsa Martyrs Brigade was founded in the late 1950s and has historically been associated with the Palestine Liberation Organization (PLO). The group was designated a Foreign Terrorist Organization by the US Department of State in 2002.

Above: Screengrab from October 7 showing a video of a man wearing a headband with the Al-Aqsa Martyrs Brigade emblem. The video, posted in an official Al-Aqsa Martyrs Brigade Telegram channel, shows the man speaking alongside a gravely injured Israeli soldier. The message hashtag translates to “#Scenes_of_enemy_soldiers_capture” (Image: Flashpoint)

Democratic Front for the Liberation of Palestine (الجبهة الديمقراطية لتحرير فلسطين)

The Democratic Front for the Liberation of Palestine (DFLP) is a Palestinian political and militant organization founded in 1969, known for its left-wing and Marxist ideologies. It has historically aimed for the liberation of Palestine and the establishment of an independent Palestinian state through both militaristic and political means. While a member of the Palestine Liberation Organization (PLO), it has not been as prominent as other Palestinian factions like Fatah or Hamas in recent years.

Above: Pictures posted by an official Democratic Front for the Liberation of Palestine channel showing armed militants reportedly inside Israeli territory on October 7. (Image: Flashpoint)

Palestinian Mujahideen Movement (حركة المجاهدين الفلسطينيين)

The Palestinian Mujahideen Movement is a Palestinian militant organization that emerged in the early 1970s with the goal of resisting Israeli occupation and achieving Palestinian self-determination through various armed activities and operations against Israeli forces. However, it is not as widely recognized or prominent as Palestinian terrorist groups like Hamas or the Palestinian Islamic Jihad (PIJ).

Above: Screengrab of an official Palestinian Mujahideen Movement channel showing an image of Dr. Asaad Abu Sharia, the General of the Palestinian Mujahideen Movement, congratulating the “heroes…who stormed the positions and settlements of [Israel].”

We have shared this Telegram message in lieu of the many messages shared in the same channel the day prior, October 7, that showed graphically violent images of what appears to be soldiers in IDF uniforms. (Image: Flashpoint)

Popular Resistance Committees (لجان المقاومة الشعبية)

The Popular Resistance Committees (PRC), whose military wing is referred to as Al-Nasser Salah al-Deen Brigades (ألوية الناصر صلاح الدين), are a coalition of various Palestinian factions and armed groups in the Gaza Strip. They were formed in the early 2000s during the Second Intifada, a period of intense Palestinian-Israeli conflict. The PRC includes members from different political and militant backgrounds and has carried out attacks against Israel. While not as prominent as terrorist organizations like Hamas or the Palestinian Islamic Jihad (PIJ), the PRC has played a role in the ongoing Israeli-Palestinian conflict, as evidenced by the events of October 7, 2023.

Above: Screengrab of communications within the official Al-Nasser Salah al-Din Brigades Telegram channel from October 7, alongside photos of allegedly confiscated military equipment and IDs belonging to captured Israeli soldiers. (Image: Flashpoint)

Those who could join the fight

Lebanese Hezbollah (حزب الله اللبناني)

Though not directly involved in the October 7 attacks, Lebanese Hezbollah and Israel have exchanged assaults in connection with the ongoing Israel-Hamas War since October 8.

Also known as Hezbollah, Lebanese Hezbollah is a Shiite Islamist political and militant organization based in Lebanon. It was founded in the early 1980s with support from Iran, following the Israeli invasion of Lebanon. Hezbollah’s primary goal is to resist Israel and promote Shiite interests in Lebanon and the wider region. The group was designated a Foreign Terrorist Organization by the US Department of State in 1997, the same year as Hamas and PIJ.

Lions’ Den (عرين الأسود)

Saraya al-Quds Military spokesman Abu Hamza has called for Lions’ Den and Jenin Brigade, another Palestinian militant group, to join the fight.

The Lions’ Den is a Palestinian militant group in the Israeli-occupied West Bank, formed in August 2022. Comprising members from various Palestinian militant and terrorist organizations, including Hamas and Palestinian Islamic Jihad, along with disaffected Fatah members, it resonates with some young Palestinians frustrated by the Israeli occupation, settlements, settler violence, and the perceived ineffectiveness of the Palestinian Authority. They have engaged in various West Bank attacks, funded in part by Hamas.

These profiles represent the most meaningful actors on the digital and physical frontlines of the Israel-Hamas War at the moment. Flashpoint has seen an expansion of participants as the conflict unfolds and expands into new physical and digital theaters. We will therefore update this article as the situation continues to develop.


The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram


Analyzing Telegram’s role in facilitating communication and strategy for Hamas and PIJ during the initial days of the Israel-Hamas War

October 11, 2023

Telegram: A crucial modern warfare channel

Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals. The platform’s role in open-source intelligence (OSINT) is vital, offering real-time insights into unfolding global events, such as the ongoing military conflict between Hamas and Israel, and becoming an essential tool for intelligence professionals navigating the multifaceted landscape of contemporary warfare. Organizations with regional interests should perceive Telegram as a crucial asset in understanding their risk apertures and navigating through conflict complexities.

In the context of recent global conflicts, including the Russia-Ukraine war and the Hamas-Israel conflict, platforms like Telegram have demonstrated their significance by providing real-time updates, documenting potential war crimes, and offering a platform for anti-war narratives amidst governmental censorship. Both scenarios underscore Telegram’s evolving role in modern warfare, influencing narratives and strategies, and providing a digital battlefield for organizations and intelligence professionals to navigate and anticipate conflict dynamics.

October 7: Surprise Hamas attack

This digital battlefield, while shaping the narratives and strategies in contemporary conflicts, abruptly collided with reality on October 7, when the virtual orchestrations of Hamas transformed into a tangible, devastating surprise attack on Israel.

Hamas militants launched an unexpected, devastating attack on Israel on October 7, resulting in hundreds of casualties and numerous hostages. Over 2,000 rockets were fired into Israel, causing significant casualties and prompting Prime Minister Benjamin Netanyahu to declare war on Hamas, mobilizing the military and reserves. The assault, occurring on the fiftieth anniversary of the 1973 Egypt and Syria attack and during the Jewish holiday, Shemini Atzeret, took Israel by surprise. 

Reports state that the attack resulted in hundreds dead and more than 500 injuries, the kidnappings of Israeli soldiers, and vehicle takeovers, while Hezbollah celebrated the assault. The US Embassy in Jerusalem issued an alert and initiated shelter-in-place protocols for its personnel. Militants breached the Gaza-Israel barrier using various methods, and Hamas commander Mohammed Deif urged Palestinians and Arabs to join the operation, raising fears of a wider conflict.

At around 5:30 a.m. UTC, Hamas posted in one of its main Telegram channels that the Commander-in-Chief of Al-Qassam Brigades had announced the beginning of Hamas’s Al-Aqsa Tufan (Flood) and the firing of over 5,000 rockets aimed at Israel. Shortly thereafter, reports show that air raid sirens sounded in Jerusalem around 6:30 a.m. local time, signaling an attack and instructing citizens to take cover.

Hamas Telegram post announcing the start of Al-Aqsa Tufan (Image: Flashpoint)

This message represents one of 1,145 messages sent over Hamas’s main Telegram channel on October 7. For context, the day prior, 373 messages were sent over the same channel, showing more than a 3X spike in chatter from October 6.

October 8: Violence escalates

The conflict intensifies with continued assaults and counter-assaults from both Israel and Hamas. The death toll rises sharply on both sides, and the situation garners international attention and condemnation. Hamas issues a threat to execute Israeli hostages, prompting further international outrage. The U.S. confirms that several American citizens have been killed in the attacks and expresses its unwavering support for Israel. Various nations and international leaders continue to condemn the violence and express solidarity with Israel.

On October 8, Palestinian Islamic Jihad posted that “the elite of Al-Quds Brigades is entering the border to support Al-Qassam Brigades fighters and supply them with weapons.” (Image: Flashpoint)

On Sunday, 1,129 posts were sent between PIJ and its followers on Telegram, with messages such as the one above sharing updates on the assault.

October 9: Broadening battlefields

The conflict takes a new turn as rockets are fired from Lebanon toward Israel, prompting Israeli forces to retaliate against Lebanese territories. The U.S. updates the number of American citizens killed in the attacks and acknowledges that Americans are among those taken hostage by Hamas. Israeli Defense Minister Yoav Gallant orders a “complete siege” on Gaza and promises a robust and unrestrained response to the ongoing attacks, vowing to eliminate any threats against Israel.

Telegram post from a major Hamas channel linking to a video of Abu Obaida, the spokesperson for the al-Qassam Brigades, in which he signals further violence to Israelis, particularly hostages (Image: Flashpoint).

Throughout Monday, Telegram activity from Hamas and PIJ fell by almost half compared to the day prior. Within the first 72 hours of the Israeli-Hamas War, Flashpoint observed a total of 5,472 Telegram posts shared by both Hamas and PIJ across their main channels.

The post The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram appeared first on Flashpoint.

Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism


Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

June 28, 2023

Putin Vs. Prigozhin

The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

Mentions count in Flashpoint collections for variations on searches for Prigozhin and the Wagner Group. (Image: Flashpoint)

Social media and messaging platforms like Telegram continue to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfold, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

Flashpoint’s physical security intelligence platform showing results for a global search seeking mentions of Prigozhin across OSINT-related collections.

June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

Flashpoint’s physical security intelligence platform showing results across real-time open-source intelligence for terms related to “Prigozhin” and “coup”.

In retaliation, Prigozhin appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”

Round 2: #Shoigu hits back.

"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

— Jason Corcoran (@jason_corcoran) June 23, 2023

The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

June 24: Prigozhin’s March To Moscow

On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

Flashpoint’s physical security intelligence platform showing search results in Rostov-on-Don.

In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 


Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

Screengrab of a video posted on a pro-Wagner Telegram channel showing Wagner supporters in Rostov as they demonstrate support to departing Wagner troops. (Image: Telegram)

Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin’s behalf.

Concluding thoughts

In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.


What Is Open Source Intelligence: The Importance of OSINT in Your Organization’s Threat Landscape


In order to gain the upper hand, security strategies must include a diverse means of gathering intelligence, both for a predictive and reactive approach. Open-source intelligence has become crucial to completing this picture

August 2, 2022

Introduction to OSINT

A modern security professional’s job is becoming more and more complex, and it’s no surprise considering the influx of unexpected places where threats are beginning to surface. In order to gain the upper hand, your security strategy must include a diverse means of gathering intelligence, both for a predictive and reactive approach. In an era where content is being created at an exponential rate – 90% of the world’s data was created in the last 2 years alone – the future of security must be intelligence-led.

A major source of intelligence that cannot be overlooked is the vast amount of publicly available information (PAI) being produced by consumers, hackers, newsmakers, and bloggers every single day. Globally, almost every person and organization is communicating across multiple platforms and networks, as well as handling personal and corporate needs virtually – such as shopping, travel planning, and data management. Finding like-minded communities and audiences online is the goal; however, wherever you have people congregating, especially if there is potential for monetary gain, the risk of nefarious behavior rises. This has created an increased need for open-source intelligence (OSINT) and OSINT platforms.

What is OSINT?

Open-source intelligence, or OSINT, refers to the process of gathering information from public, legal data sources to serve a specific function. Some open sources might include social media, blogs, news, and the dark web. 

The concept of OSINT very basically works like this:

Public information exists → data is gathered → information is analyzed for intelligence. 

The purpose of seeking information from public data varies on the type of insights you wish to gather. Many industries and professionals look to open sources to uncover workplace security threats, protect executives, prevent loss, manage assets, gauge brand sentiment, and monitor conversations for creating marketing strategies. Intelligence professionals use certain types of OSINT and OSINT platforms for investigations, prosecution, evidence gathering, and events monitoring. 

What is finished intelligence?

Finished intelligence, or ‘cooked’ data, is raw data that has undergone processing to gain context and become actionable. The collection, processing, and analysis of raw data are foundational steps along the threat intelligence lifecycle.

In other words, raw data is unaltered from its original source. This could look like a network’s traffic data logs, dark web discussions, or even public social media posts. 

Finished intelligence would look like a report summarizing the context interpreted from relevant raw data points and suggested security responses.

Finished intelligence services allow organizations to skip the raw data collection and analysis steps, which are time-consuming and require skilled analysts. Those steps are instead supported by automation and machine learning capabilities, and/or third-party analyst teams. 

The main goal of finished intelligence is to operationalize the process so organizations can respond faster to active threats and invest less time and resources in gathering and contextualizing large volumes of raw data. The result is a finished intelligence report that the client can immediately act on. While expensive, finished intelligence solutions can be ideal for private sector organizations seeking a “comprehensive” security solution.

What can OSINT tools do?

OSINT tools can identify and separate entities within a data set (parsing), and organize and display those entities by category to glean meaning and avoid redundancies (normalizing). OSINT tools can also index raw data so that it’s quickly and easily searchable and filtered for relevancy.
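An added example (not Flashpoint's tooling) of the three functions just described, in Python: parsing entities out of raw posts, normalizing them to a canonical form so variants collapse into one entity, and building an inverted index that supports lookup, watchlist relevancy filtering, and per-channel daily volume. The channel names, domains, address and CVE id are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample collection (channel, ISO-8601 UTC timestamp, text). Domains use
# .example, the address is from the 203.0.113.0/24 documentation range, and
# CVE-2099-00001 is a placeholder id, not a real vulnerability.
RAW_POSTS = [
    ("forum-alpha", "2023-10-07T05:30:00Z",
     "Leaked admin creds for acme-corp.example posted, see hxxp://paste.example/abc"),
    ("chan-beta", "2023-10-07T06:10:00Z",
     "C2 at 203.0.113.45 and 203.0.113.45 again; contact ops@acme-corp.example"),
    ("chan-beta", "2023-10-08T09:00:00Z",
     "Exploit for cve-2099-00001 reportedly works on ACME-Corp.example hosts"),
    ("news-feed", "2023-10-08T12:00:00Z",
     "Councils report outage; no indicators shared"),
]

@dataclass
class Post:
    post_id: int
    channel: str
    timestamp: str                       # ISO-8601 UTC, so string order is time order
    text: str
    entities: dict = field(default_factory=dict)   # category -> sorted canonical values

# Parsing: one pattern per entity category, each run over the whole text.
PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

def normalize(category, value):
    """Canonical form so spelling variants collapse to one entity; None drops the value."""
    value = value.strip().rstrip(".")
    if category == "cve":
        return value.upper()
    if category == "ipv4":
        octets = [int(o) for o in value.split(".")]
        if any(o > 255 for o in octets):
            return None                  # looked like an address but is not one
        return ".".join(str(o) for o in octets)   # also strips leading zeros
    return value.lower()                 # domains and e-mail addresses are case-insensitive

def parse(post_id, channel, timestamp, text):
    """Extract and normalize every entity in one message, de-duplicated per category."""
    entities = {}
    for category, pattern in PATTERNS.items():
        found = {normalize(category, m.group(0)) for m in pattern.finditer(text)}
        found.discard(None)
        if found:
            entities[category] = sorted(found)
    return Post(post_id, channel, timestamp, text, entities)

class Index:
    """Inverted index: (category, value) -> ids of the posts mentioning that entity."""

    def __init__(self):
        self.posts = {}
        self.by_entity = defaultdict(set)

    def add(self, post):
        self.posts[post.post_id] = post
        for category, values in post.entities.items():
            for value in values:
                self.by_entity[(category, value)].add(post.post_id)

    def lookup(self, category, value):
        """Posts mentioning an entity, oldest first; the query is normalized the same way."""
        ids = self.by_entity.get((category, normalize(category, value)), set())
        return sorted((self.posts[i] for i in ids), key=lambda p: p.timestamp)

    def relevant(self, watchlist):
        """Relevancy filter: [(post_id, score)] by distinct watchlist hits, best first."""
        # watchlist: set of (category, value) pairs for the assets a team protects
        scores = defaultdict(int)
        for category, value in watchlist:
            for pid in self.by_entity.get((category, normalize(category, value)), ()):
                scores[pid] += 1
        return sorted(scores.items(),
                      key=lambda item: (-item[1], self.posts[item[0]].timestamp))

    def daily_counts(self, channel):
        """Messages per UTC day for one channel, the raw figure behind a volume spike."""
        counts = defaultdict(int)
        for post in self.posts.values():
            if post.channel == channel:
                counts[post.timestamp[:10]] += 1
        return dict(counts)

def build_index(raw_posts):
    index = Index()
    for post_id, (channel, timestamp, text) in enumerate(raw_posts, start=1):
        index.add(parse(post_id, channel, timestamp, text))
    return index
```

A watchlist query against the index returns the post that mentions the protected domain, its mailbox and the address first, while the unrelated outage post never enters the index at all.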

Access to publicly available online data is often free, but the true value lies in what can be analyzed and extracted from the data. Organizations using OSINT for security and intelligence require the ability to detect key information quickly and efficiently. They can do so by using robust OSINT tools.

The vast amount of online data is overwhelming to sift through, and with the complex ways today’s online threat actors conduct themselves, the vulnerabilities to organizations are becoming more elusive. Open-source data, when gathered, enriched, and monitored effectively, can be extremely valuable for predicting, analyzing, and reviewing incidents at every stage of their occurrence. But where to begin? 

Suggested Reading: The Five Phases of the Threat Intelligence Lifecycle

Where to look for publicly available information

Where you look for information depends on what you want to find. Running a Google search is a simple form of OSINT, but when you are responsible for the safety and security of a particular person, place, or asset, you need to be casting a keen eye over multiple sources. Criminal behavior tends to be hidden, and it is unlikely a surface web search will take you there. 

What threats can OSINT help with?

The emergence of intelligence-led security is a direct result of the varied and growing range of on-the-ground threats that are being plotted, planned, discussed, and executed online. As our physical and digital realities are becoming more and more interlaced, individuals and organizations are creating more informational weaknesses and thereby more opportunities for an ever-widening range of attacks and other threats to occur.

These threats include:

  • Hacking
  • Information leaks
  • Extremist activity
  • Geopolitical threats
  • Fraud 
  • Violent attacks
  • Disinformation campaigns

OSINT tools can be invaluable for handling internal processes such as:

  • Brand protection
  • Workplace and facilities safety issues
  • Real-time event monitoring
  • Executive protection and force protection
  • Natural disasters and incident response

OSINT for enterprise security

Global enterprises are operating in the age of digital transformation. This has plenty of benefits for companies, helping improve customer experience, productivity, and resource management. But along with these benefits, wider technology adoption also means increasing opportunities for compromise.

This stands true for almost any industry with an online presence—including finance, retail, and transportation, which make up some of the world’s most cyber-targeted industries. Digital transformation also affects physical security and cyber-enabled threats as criminals adopt anonymized online communication channels. What do these risks look like?

Cyber threats

Cyber-enabled threats

  • Credit card fraud
  • Money laundering
  • Counterfeiting
  • Theft and gift card fraud
  • Workplace harassment
  • Insider threats

Physical security threats

  • VIP-targeted doxxing and harassment
  • Travel risk management
  • Event monitoring
  • Crises like terrorism and natural disasters

OSINT tools support enterprise security teams in identifying and responding to these risks. Social media networks provide real-time updates from on-the-ground threats near executives and other physical assets like offices, employees, and corporate events. Paste sites, forums, and marketplaces across the deep and dark web often publish the earliest indicators of data breaches and executive-targeted doxxing. Anonymized discussions on these covert sites help security teams identify fraud, insider threats, and cyber-attack strategies directly from the source.

Combined with other risk management feeds and tools, OSINT platforms provide security teams with more context and earlier risk indicators so they can respond faster and avoid blind spots. 

But many organizations face challenges in responding to risk quickly and effectively, especially as more enterprise teams—from marketing to IT and compliance—require OSINT.

According to a 2021 report by Forrester Research, 42% of corporate decision-makers are currently improvising when it comes to risk management. Almost 70% claim that risk information is siloed across their departments and only 29% are confident in their risk management technologies. 

What do security teams need from OSINT platforms to address information gaps?

  • Broad data coverage

There are thousands of different online sources out there, from social media platforms to the deep and dark web, where relevant risk data is hiding. Many risk management tools focus only on one data source type—such as social media or the dark web—to help security teams find relevant risk information. A more ideal solution combines a variety of these sources within one platform so teams don’t have to juggle more tools than are necessary; juggling tools only leads to information gaps and slower responses.

  • Simplicity and usability

Not everyone who needs access to online risk data has a technical background. OSINT solutions should be accessible to anyone in an organization without the click-heavy processes and complex interfaces that are typical of IT-based risk management software. Personnel should be able to easily and quickly separate the most pertinent data and view it in a digestible format.

  • Speed-to-information

OSINT tools that prioritize real-time data allow security teams to get critical insights faster. This gives organizations a much better chance of avoiding or mitigating threats from all angles.

  • Collaboration features

For risks where cross-department visibility is necessary, OSINT solutions should offer permission settings and collaboration features that allow teams to view each other’s activities or tackle a security threat together when there is overlap.

  • Integrations

Many global organizations already have a suite of risk management tools. OSINT solutions should be able to easily integrate with third-party solutions, whether they include a UI or funnel data directly into existing systems.

OSINT for national security: What national security initiatives does OSINT support?

  • Counter-terrorism and counter extremism

Foreign jihadist groups like the Islamic State and Al-Qaeda are no longer solely responsible for the threat of terrorism and extremism. Domestic extremist movements based on conspiracy theories, right-wing ideology, and discriminatory worldviews now also pose serious national security threats. Public online spaces are leveraged similarly for both extremist types, playing a huge role in spreading propaganda, recruitment, financing, and sometimes planning. This data helps governments understand how extremist groups operate so they can then predict public safety risks and protect citizens and assets from domestic and global terrorism.

  • Addressing misinformation and disinformation 

National security threats have expanded to include online influence campaigns, which can compromise democratic processes and lead to real-world security risks. Disinformation (which is engineered to deliberately deceive) and misinformation (false information that is not necessarily spread with malicious intent) are widely prevalent online. Monitoring online spaces is crucial for tracking disinformation campaigns so governments can mitigate their impact and keep the public safer and better informed.

  • Cybersecurity

Breaching government data is financially and politically lucrative for lone-wolf attackers, organized hacking groups, and nation-state actors. Sophisticated technologies are available to a greater diversity of adversaries than ever before. Persistent online threats include breaches and cyber espionage targeting classified data, network attacks disrupting critical infrastructure, and botnets enabling malware attacks and information warfare. Paste sites, discussion forums, and marketplaces on the deep and dark web often provide early indicators of breaches, malware, and attack techniques. Combining this open-source data with other cybersecurity feeds helps intelligence teams more confidently predict, mitigate, and investigate cyber compromise.

  • Transportation security

National transportation networks, including airports, seaports, and highways, make up a country's critical infrastructure. Governments and security teams need early warning when this infrastructure is threatened so they can prevent damage to assets, data, and human life. Online data plays a crucial role in providing the intelligence required for informed transportation security planning and incident response. For intelligence teams, social media networks and deep and dark web content can:

  • Provide the earliest alerts for location-based threats near airports, seaports, and other transportation hubs
  • Reveal tactics used to bypass security systems or commit attacks, particularly at airports
  • Surface threats aimed directly at the security and public sector organizations themselves
  • Flag exposed data that could compromise a transportation network's digital or physical security

  • Addressing national and global crises

When a national crisis occurs, governments must make timely, informed decisions to protect their data, assets, and citizens. As we’ve seen with the COVID-19 pandemic, adversaries co-opt real-world events in their strategies. Whether it’s a natural disaster, public health crisis, or terrorist attack, intelligence teams need to know how and where the crisis is occurring and how to allocate response resources. Online spaces are often the earliest sources of information to provide this context—for example, social media users often post public updates and images from the scene of a crisis. Aligning this data with other feeds can help provide a faster and more informed response.

Intelligence professionals require specialized software to collect this information and generate actionable intelligence. Commercial OSINT tools help intelligence teams gather open-source data more efficiently and align with a team’s unique requirements. Because intelligence teams often work with their own interfaces and tooling, they often require direct access to raw data that can be plugged into their existing systems. 
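The cybersecurity bullet above notes that paste sites often carry the earliest indicators of a breach. The following is an added example of the kind of triage logic an intelligence team would run over collected paste text; it is not code from Flashpoint or from the original page. The paste content is constructed for the example, the watched domain `example.com` is an assumption, and the AWS access key ID pattern (`AKIA`/`ASIA` followed by 16 upper-case alphanumerics) is the documented public format. The scanner records the affected email address but never the secret itself, so the finding can be shared with a response team without re-leaking the credential.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed paste text for the example; not a real leak.
SAMPLE_PASTE = """\
dump from internal portal - enjoy
jsmith@example.com:Summer2023!
a.jones@example.com:5f4dcc3b5aa765d61d8327deb882cf99
nobody@unrelated.org:hunter2
AKIAIOSFODNN7EXAMPLE
random chatter with no secrets
"""

# "email<sep>secret" pairs as they commonly appear in combo-list style dumps.
EMAIL_CRED_RE = re.compile(
    r"(?P<email>[\w.+-]+@(?P<domain>[\w-]+(?:\.[\w-]+)+))[:;|](?P<secret>\S+)"
)
# AWS access key IDs (documented public format; the sample key is AWS's own example value).
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# MD5 / SHA-1 / SHA-256 hex digests, used to tell hashed from plaintext secrets.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


@dataclass
class Finding:
    line_no: int   # 1-based line within the paste
    kind: str      # plaintext_credential | hashed_credential | aws_access_key_id
    value: str     # the email address or key ID; never the secret itself


def scan_paste(text: str, watched_domains: List[str]) -> List[Finding]:
    """Return findings for watched-domain credentials and cloud key IDs in a paste."""
    watched = {d.lower() for d in watched_domains}
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        cred = EMAIL_CRED_RE.search(line)
        if cred and cred.group("domain").lower() in watched:
            kind = (
                "hashed_credential"
                if HEX_HASH_RE.match(cred.group("secret"))
                else "plaintext_credential"
            )
            findings.append(Finding(line_no, kind, cred.group("email")))
        key = AWS_KEY_RE.search(line)
        if key:
            findings.append(Finding(line_no, "aws_access_key_id", key.group(0)))
    return findings


def affected_accounts(findings: List[Finding]) -> List[str]:
    """Distinct email addresses with exposed credentials, for a reset list."""
    seen = []
    for f in findings:
        if f.kind.endswith("_credential") and f.value not in seen:
            seen.append(f.value)
    return seen


if __name__ == "__main__":
    for f in scan_paste(SAMPLE_PASTE, ["example.com"]):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print("reset:", affected_accounts(scan_paste(SAMPLE_PASTE, ["example.com"])))
```

Plaintext and hashed exposures are separated on purpose: a plaintext credential needs an immediate forced reset, while a hashed one still warrants a reset but also tells you which hashing scheme the leaked system used, which helps attribute the source of the dump.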

How do OSINT platforms address data overload?

The intelligence community is increasingly challenged by the growing volume of online data to be collected, processed, analyzed, and triaged. Western governments also face a shortage of data analysts alongside a growing demand for military AI. As a result, public-sector data scientists tend to take on the more complex tasks, developing tooling and data sets that let lower-level analysts work on intuitive platforms.

Intelligence teams are also challenged by a lack of access to some emerging online sources. Fringe networks (alt-tech platforms, deep and dark web imageboards, paste sites, and so on) often offer no API of their own and are not covered by commercial API providers. To gather data from these sources, analysts must create dummy accounts, request group access, and navigate the networks manually, which consumes analyst effort that could go to other stages of the intelligence cycle.

To address these challenges, OSINT tools must:

  • Improve data coverage by providing access to relevant sources, including fringe web spaces, that are not commonly available through commercial, off-the-shelf vendors.
  • Leverage machine learning capabilities. AI is a major priority for governments, helping analysts process and contextualize intelligence more efficiently.
  • Be intuitive and user-friendly for lower-level intelligence analysts, providing more efficient workflows and better speed-to-information.

Types of OSINT tools

There are many types of OSINT tools on the market, both free and paid. The truth is, no single OSINT tool is 100% effective as a standalone solution. Rather, combining a variety of solutions is the best practice. Remember that the best OSINT tools will have a geographical element, providing a digital window to view data by location. The tools you choose will depend on the specific needs of your organization. Here are some types of OSINT tools to consider:

Social media monitoring

Our OSINT Platform allows organizations to use online information to gain situational awareness on the ground. Security teams utilize predictive intelligence and real-time crisis management, as well as brand monitoring and post-incident review.

Deep and dark web monitoring

The Flashpoint product suite includes targeted, automated collection systems that capture information from the deep and dark web, enabling your security and intelligence teams to identify and prioritize relevant threats and leverage their intelligence to act quickly. 

Email hacks

Have I Been Pwned? is a free online resource to check whether your email address appears in a known data breach.
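The same service also lets you check a password against its breach corpus without ever sending the password, or even its full hash, to a third party. The following is an added example of that k-anonymity range lookup, not code from the original page or from the service itself. It assumes the published interface (a GET to `https://api.pwnedpasswords.com/range/<first 5 hex chars of the upper-case SHA-1>` returning lines of `<remaining 35 hex chars>:<breach count>`), but the range body below is constructed so the example runs offline; the function name `offline_fetch` stands in for the HTTP call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the response to range "5BAA6" (the prefix for
# SHA-1("password")). Assumption: the real service returns every stored
# 35-hex-char suffix under the requested prefix together with its count.
SAMPLE_RANGE_5BAA6 = """\
1D2D9A3B8E1B3F4A6C0D5E2F7A8B9C0D1E2:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F0A9C8B7D6E5F4A3B2C1D0E9F8A7B6C5D4:12
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix sent
    to the service and the 35-char suffix that stays on this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table; blank lines are ignored."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password appeared in, or 0 if unseen.
    Only the 5-char prefix (20 bits) leaves the host, so the service learns
    which of roughly a million buckets the hash falls in, not the hash."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET; knows only the one constructed range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 9f2k"):
        print(f"{candidate!r}: seen {breach_count(candidate, offline_fetch)} times")
```

To use it against the live service, replace `offline_fetch` with a function that performs the GET and returns the response body; nothing else changes, because the privacy property comes from the split in `split_hash`, not from the transport.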

Twitter monitoring

TweetDeck lets you view multiple timelines in a single view and build filters on specific activity types and geographical locations.

Internet archives

Wayback Machine is an internet archive tool, like a library, of historical data. This tool allows the user to search the history of archived websites, metadata, text contents, and TV news captions.

Link analysis

Maltego is a graphical link analysis tool that accelerates and simplifies complex investigations by allowing users to build visualizations and connections between disparate data sets.

Conclusion

Business is happening online, and today’s security strategies need to be informed by the masses of social data being created every day. Gathering, filtering, and analyzing this information requires the advanced capabilities of OSINT platforms.

Both amateur and professional criminals are using sophisticated strategies and seemingly innocuous networks to conduct illicit business. More and more media networks are being infiltrated and used outside their intended purposes. Evolving threats require predictive and intelligence-led security strategies. Security teams must gather intelligence from every corner that they can. Open source threat intelligence software is essential for any enterprise using public data sources to inform their decision-making.

Not only can OSINT help protect against hidden intentional attacks such as information leaks, theft, and fraud, but it also has the ability to gain real-time and location-based situational awareness to help protect people at work, at events, institutions, or even the shopping mall. The right OSINT toolkit will give your security and intelligence teams the upper hand.

Request a demo today.
