Normal view

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

Blogs

Blog

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

In Flashpoint’s recent webinar, we examine the defining shifts shaping the 2026 threat landscape, from AI-driven attack automation to the growing role of identity in initial access. We analyze how infostealers, vulnerabilities, and ransomware activity are evolving, and where security teams should focus now.

SHARE THIS:
Default Author Image
May 8, 2026

In 2026, the threat landscape operates as a single, connected system. Identity, malware, and infrastructure are now part of the same attack chain, executed at a speed that compresses the time between access and impact.

What once required multiple stages and specialized tooling is now streamlined and automated.

Flashpoint recently hosted an on-demand webinar, “Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities,” where our intelligence team broke down the trends driving this shift. Drawing from primary source intelligence across forums, marketplaces, and closed communities, the session examined how modern attack chains are forming and evolving, as well as where defenders still have opportunities to intervene.

Here are the key takeaways you need to know to prioritize threats and protect your organization.

AI Is Being Operationalized Across the Attack Lifecycle

Artificial intelligence is now embedded across multiple stages of attacker workflows.

Flashpoint tracked more than 1.5 billion mentions of AI in illicit communities in 2025, with activity accelerating sharply toward the end of the year. These discussions center on how AI can be applied to real operations, including phishing, malware development, and fraud.

As Ian Gray, Vice President of Intelligence at Flashpoint, noted during the session, “Adversaries are extremely adept, and they’re constantly looking at how they can use the newest state-of-the-art tools—whether that’s commercial models or their own implementations—and how they can jailbreak them or adapt them to their workflows.”

One of the most notable developments is the use of agentic AI systems to automate tasks that were previously manual. These systems are being used to:

  • Test stolen credentials across VPNs, SaaS platforms, and cloud environments
  • Rotate infrastructure during active operations
  • Generate and refine attack inputs based on previous outcomes

Alongside this, threat actors are actively exploring ways to bypass safeguards in commercial AI tools, including:

  • Jailbreaking model restrictions
  • Embedding hidden instructions through prompt injection
  • Manipulating AI-powered features within enterprise applications

This activity reflects a sustained effort to integrate AI directly into attack execution rather than treating it as a standalone capability.

Identity Is Driving Initial Access

The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

As Gray explained, “Threat actors are finding a variety of ways to get into enterprise networks, and typically it’s through the human element. While humans can be trained or educated, it’s not something that can be patched in the traditional sense.”

This dynamic is already visible at scale.

Flashpoint observed 11.1 million infected devices and 3.3 billion stolen credentials in 2025. These credentials are extracted through infostealers and circulated across marketplaces, enabling direct access into enterprise environments.

In many cases, attackers are using:

  • Session cookies and tokens to bypass authentication flows
  • Browser fingerprints and system metadata to replicate legitimate user behavior
  • Valid credentials to access SaaS platforms, VPNs, and internal systems

Once access is established, activity often blends into normal user behavior, making detection more difficult. Compromised identities are also reused across multiple services, expanding the scope of potential exposure.

This pattern continues to appear in intrusion activity tied to SaaS platforms and third-party integrations, where access to one system can provide visibility into multiple environments.

Infostealers Are Enabling Scalable Access

Infostealers remain a primary driver of credential exposure.

Logs containing credentials, cookies, and system data are continuously harvested and made available through criminal marketplaces and subscription-based services. These logs are used directly or integrated into automated workflows that test and validate access at scale.

Gray pointed to how this plays out in practice: “Infostealers have really commoditized access. They harvest credentials, identify which ones are useful, and then test them at scale across VPNs, SaaS platforms, and cloud environments.”

The ecosystem continues to shift as law enforcement activity disrupts established players and new variants gain traction. Families such as Vidar, Lumma, and others maintain a strong presence due to accessibility and ongoing development.

In parallel, credential harvesting is feeding downstream activity, including:

  • Account takeover
  • Fraud operations
  • Data exfiltration and extortion

This linkage between initial access and follow-on activity is consistent across multiple reporting streams.

Vulnerability Exploitation Is Moving Faster

Vulnerability volume continues to increase alongside exploitation speed.

Flashpoint recorded more than 44,000 disclosed vulnerabilities in 2025, with over 14,000 tied to publicly available exploits. In several cases, exploitation activity followed disclosure within a day.

As Gray put it, “With vulnerabilities, it can feel like you’re trying to boil the ocean. There’s such a high volume of disclosures, but in reality, there’s a smaller set—those that are remotely exploitable, have proof-of-concept code, and are being actively used—that you need to focus on.”

Attacker focus is concentrated in areas that provide broad access or downstream impact, including:

  • Software supply chains and CI/CD environments
  • Open-source dependencies
  • Widely used enterprise platforms

Given the volume of disclosures, prioritization remains critical. Vulnerabilities that are remotely exploitable and paired with public exploit code present immediate risk, particularly when active discussion or exploitation is observed.

Ransomware Activity Continues to Shift

Ransomware activity increased by 53%, with continued changes in how operations are carried out.

Gray framed the shift this way: “Why even bother to develop ransomware? That takes time, resources, and overhead—when you can gain access through a compromised account or third-party platform and immediately move to extortion.”

In addition to traditional ransomware deployment, there is sustained activity centered on:

  • Data exfiltration followed by extortion
  • Use of compromised credentials for direct access
  • Targeting of third-party providers and SaaS platforms

Intrusions tied to help desks, identity workflows, and federated applications continue to appear in reporting, often involving social engineering or unauthorized access provisioning.

There is also ongoing activity related to insider recruitment, with threat actors seeking individuals who can provide direct access or privileged information.

Industries with higher operational dependencies, including manufacturing, technology, and healthcare, continue to be targeted due to the potential impact of disruption.

Translating Intelligence Into Action

The trends shaping 2026 are grounded in how attackers are currently operating across multiple domains.

As Gray emphasized, “You have to take into account vulnerabilities, exposures, infostealers, and identity compromise all at the same time. These aren’t separate problems anymore—they’re all part of the same attack chain.”

Security teams should focus on:

  • Identifying exposures with a high likelihood of exploitation
  • Monitoring for compromised credentials tied to organizational domains
  • Reviewing identity access and third-party integrations
  • Prioritizing vulnerabilities with active exploit availability
  • Tracking attacker activity across forums, marketplaces, and communication channels

These actions align with observed attacker behavior and provide a clearer path to prioritization.

Watch the Full Webinar and Explore the Data

The trends shaping 2026 are grounded in how attackers are already operating.

Flashpoint’s full webinar provides a deeper look at the data, along with practical guidance on how to translate intelligence into action.

Watch the on-demand session to see the full breakdown of these trends, or download the 2026 Global Threat Intelligence Report to explore the underlying data and analysis in more detail.

Request a demo today.

The post Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities appeared first on Flashpoint.

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

Blogs

Blog

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

In this post, we outline how cyber threat intelligence is evolving to support agentic AI-driven security operations, why MCP is emerging as a foundational standard, and how Flashpoint is operationalizing data for this new model.

SHARE THIS:
Default Author Image
May 7, 2026

Security teams are under more pressure than ever to move faster, see more, and act with confidence.

At the same time, the way cybersecurity investigations happen is evolving. The “human-in-the-loop” model is expanding: analysts increasingly direct AI agents that gather context, correlate signals across sources, and handle repetitive triage.

While AI is rapidly becoming a staple of modern security operations, a significant gap remains: most intelligence sources were originally designed for human consumption, not AI agents. Historically, threat intelligence platforms were built for analysts to log in and piece together disparate insights. While that model remains the gold standard for deep research, it can become a bottleneck in a high-velocity, agent-led workflow where AI assistants and automation pipelines are the primary investigators.

At Flashpoint, our Ignite threat intelligence platform was built to support deep investigative workflows, enabling analysts to search and connect intelligence across primary-source datasets and build a complete picture of emerging threats. That foundation remains critical.

But as workflows evolve, customers are increasingly looking to extend that same intelligence beyond the platform—into AI assistants, automation pipelines, and other environments where work is actively happening.

That raises an important question: How do you make high-value intelligence as usable for an AI agent as it is for a human analyst?

Today, we are outlining our approach to building the Flashpoint Model Context Protocol (MCP) Server, a strategic initiative that makes Flashpoint’s best-in-class intelligence accessible not only via our award-winning platform but also natively “AI-callable” within the agentic workflows of today and tomorrow.

What Is an MCP Server and Why Does It Matter in Cyber Threat Intelligence?

Model Context Protocol (MCP) is the standard for connecting AI systems to external data sources and tools. 

In practical terms, an MCP server provides a structured way for AI systems, like agents, assistants, copilots, and automation frameworks, to access and interact with data in real time.

For cyber threat intelligence, this represents a fundamental shift in how teams operate:

  • Faster investigations: AI agents can query and correlate data across disparate datasets in seconds.
  • Comprehensive coverage: By searching across all primary sources in parallel, teams eliminate the risk of missing critical intelligence. 
  • More seamless workflows: Analysts can stay within their agentic workflow without constant context switching.
  • Reduced integration overhead: Less need for custom engineering to connect intelligence into new environments.

Flashpoint MCP Server: A Foundation for AI-Native Threat Intelligence

Flashpoint has always differentiated itself on the quality and depth of our data, sourced directly from where threats emerge. Our goal is to ensure this intelligence is available wherever your analysts are working.

Currently, teams experimenting with AI assistants face significant friction: copying and pasting, relying on third-party bridges, or maintaining custom integrations.

We are building the Flashpoint MCP Server as a foundational access layer, the architectural connector that will power both external integrations and future AI experiences within the Flashpoint platform.

With this new layer, teams can:

  • Query intelligence in one workflow: Access intelligence reports, ransomware, vulnerabilities, communities, and Deep Dark Web, and technical indicators in a single research task rather than hopping tool-to-tool.
  • Ground AI agents in truth: Provide a direct, authenticated bridge to real-time, verified Flashpoint intelligence, ensuring AI responses are based on evidence rather than static training data or hallucinations.
  • Scale expert analysis: Use guided prompts and workflow templates to teach the AI exactly how to use our tools to conduct expert-level investigations across our datasets.

The threat intelligence industry is adopting MCP as the standard for how AI systems connect to data.

We’re building the Flashpoint MCP Server to ensure our intelligence is a foundational component of that ecosystem and usable wherever AI-driven workflows occur.

What to Expect from Flashpoint MCP Server

The initial release of the Flashpoint MCP Server in Spring 2026 is intentionally read-only and query-focused. This creates the production-grade foundation required to bring intelligence into the workflows customers are already building. It aligns with customer guidance about using agentic AI to solve the most pressing challenges they face today.

What Comes Next

Later this year, we will move from information retrieval to Action-Oriented Intelligence. This expansion will allow users not only to access data but also to act on it directly within their AI-driven workflows. As this ecosystem evolves, we plan to deliver:

  • Natural Language Orchestration: We are empowering analysts to interact with our data more intuitively. Through the MCP server, complex actions such as updating an investigation or identifying new threat sources are handled via natural-language orchestration. This ensures that the speed of an investigation is limited only by an analyst’s questions, not their mastery of a specific query syntax.
  • Flashpoint-Native Agents and Skills: We are developing specialized Flashpoint Agents and “skills” built on top of this server. These will be purpose-built to address specific workflows, such as ransomware monitoring or vulnerability triage, allowing teams to deploy out-of-the-box expertise without building their own agentic logic
  • Fusion of External and Internal Data: A critical advantage of the MCP framework is the ability to combine Flashpoint’s external threat intelligence with a customer’s internal environment data (SIEM, Cloud, IAM, Endpoint, etc.). This allows an agent to correlate global threat signals with your specific footprint to provide instant, individualized risk context. 
  • Embedded AI within Flashpoint Ignite: This same MCP infrastructure will serve as the shared engine for new, embedded AI experiences within Flashpoint Ignite. This ensures that the same natural-language power and automated data correlation fueling external agents are also natively available within our platform UI, creating a seamless investigative experience regardless of where an analyst chooses to work.

Built and Validated in Real Workflows

We believe in the power of this new architecture because we are already using it. The MCP Server is currently embedded in our own Flashpoint Intelligence Team’s workflow, helping our analysts research and respond to complex client RFIs. 

By applying this capability to our own high-stakes research first, we ensure that what we bring to market is grounded in real investigative needs, not just technical potential. 

Operationalizing the Best Data

The future of security operations won’t be defined solely by who has access to the most data or even the most AI agents; it will be defined by who can operationalize the best data directly within the workflows where decisions are made.

The Flashpoint MCP Server is our strategic commitment to that future—making the world’s best intelligence natively accessible, usable, and aligned with the way modern security teams work.

The Flashpoint MCP Server is currently in active development, with customer availability planned for late Spring 2026. 

Subscribe to the Flashpoint blog for more updates on Flashpoint MCP Server and the latest insights from the front lines of threat intelligence.  

Frequently Asked Questions

What is the Flashpoint MCP Server? 

The Flashpoint MCP Server enables Flashpoint’s threat intelligence to be directly callable by AI agents. It implements the Model Context Protocol (MCP), an open standard for connecting AI systems to external data, so any MCP-compatible agent, including Claude, Gemini, and Cursor, can query our datasets without bespoke API integration work.

Who is the MCP Server designed for?

The MCP Server is designed for technical, forward-leaning security teams and AI-native organizations. This includes SOC analysts, CTI practitioners, and security engineers who are already building or experimenting with AI agent workflows using tools like Gemini, Claude Code, or custom LLM-based assistants.

Which Flashpoint datasets are accessible via MCP?

The initial rollout (Spring 2026) provides access to Flashpoint’s core intelligence collections, including:

  • Intelligence Reports
  • Communities (Online forums, messaging platforms, closed digital communities)
  • Technical Indicators (IOCs)
  • Vulnerability Intelligence (CVEs)
  • Ransomware
  • Compromised Credentials and Infected Hosts
  • Strategic Entity Data

How does this differ from Flashpoint’s standard APIs?

While our standard APIs are designed for direct programmatic consumption, the MCP Server is optimized specifically for AI agents. It exposes intelligence as composable tools and guided prompts that AI agents can understand and use to perform complex, multi-step research tasks. 

How does this differ from the Flashpoint Ignite platform?

The Flashpoint MCP Server is not a replacement for Flashpoint’s award-winning Ignite platform; rather, it is a complementary access layer designed for a different type of user and workflow. While Ignite is a destination for deep research, the MCP server provides the infrastructure that enables that same intelligence to live in AI-native environments.

To learn more about Flashpoint’s MCP Server, schedule a demo today.

See Flashpoint in Action

The post Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows appeared first on Flashpoint.

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

Blogs

Blog

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

SHARE THIS:
Default Author Image
May 6, 2026

We are proud to share that Flashpoint has been named a Challenger in the inaugural 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies. 

“We see this recognition as a testament to Flashpoint’s ability to execute at the highest levels for the world’s most discerning threat intelligence customers, with our unique combination of primary source collection and human analysis at the core,” — Josh Lefkowitz, CEO at Flashpoint.

The Gartner Magic Quadrant provides organizations with a wide-angle view of vendors in the cyber threat intelligence market. By applying a graphical treatment and a uniform set of evaluation criteria, the Magic Quadrant helps organizations assess how well technology providers are executing their stated visions and performing against Gartner’s market view. Vendors are evaluated based on their Ability to Execute and Completeness of Vision:

  • Ability to Execute reflects the Gartner assessment of the vendor’s product and/or service, overall viability, sales execution and pricing, market responsiveness and record, marketing execution, customer experience, as well as operations.
  • Completeness of Vision comprises the Gartner view of the vendor’s overall market understanding, marketing strategy, sales strategy, offering (product) strategy, business model, vertical/industry strategy, innovation, and geographic strategy.

“We believe, and our customers consistently validate, that the future of threat intelligence lies at the critical intersection of intelligence depth and application,” says Lefkowitz. “That’s why Flashpoint pairs unmatched access to primary-source environments with the ability to operationalize that intelligence across security workflows, enabling organizations to make faster, more informed decisions.”

A complimentary copy of the Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies is available to download here.

Market Dynamics and Growth of the Threat Intelligence Market

The threat intelligence market has expanded in both scope and strategic importance as organizations contend with a broader and more complex threat environment. What was once a supporting function within security operations is now expected to inform decisions across vulnerability management, fraud prevention, and enterprise risk. This shift has raised the bar for how intelligence is collected, analyzed, and applied.

Gartner describes this evolution as a move toward unified cyber risk intelligence (UCRI) — an approach that brings together diverse internal and external data sources with advanced analytical capabilities to improve decision-making. As noted in The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, “the future of threat intelligence is unified cyber risk intelligence (UCRI)… defined by the convergence of multisignal collection and advanced analytical capabilities.” In our opinion, this model reflects the reality that no single source provides sufficient visibility, and that intelligence must be corroborated across environments to be actionable. 

At the same time, the scale of available data continues to increase, introducing new challenges around prioritization and context. Gartner notes that organizations “receive vast amounts of threat data, and filtering out false positives, redundant information and irrelevant alerts to extract actionable intelligence remains a significant challenge. This “noise” can overwhelm security teams and lead to important threats being missed.” This is where AI plays a growing role. Techniques such as machine learning and natural language processing are increasingly used to correlate signals, identify patterns, and surface relevant risks faster. As intelligence becomes more integrated across the enterprise, the ability to combine multisource collection with AI-driven analysis is shaping how organizations evaluate platforms and build modern threat intelligence programs.

How Security Teams Are Evaluating Threat Intelligence

From Flashpoint’s experience working with the most discerning security and intelligence teams, the value of a threat intelligence platform is measured in how it performs in practice — how quickly it surfaces relevant activity, how much context it provides, and how easily it supports decision-making across workflows.

We see three areas consistently shape how intelligence is evaluated, supported by a combination of human expertise and AI-driven analysis:

  • Access to high-signal environments: Intelligence is most useful when it reflects activity at its source. Access to closed forums, encrypted messaging platforms, and illicit marketplaces provides the context needed to understand how threats develop and move.
  • Context that supports prioritization: Vulnerability and threat data require context to be actionable. Understanding how activity is discussed and operationalized in real environments allows teams to focus on what requires attention.
  • Integration into operational workflows: Intelligence must fit into the systems and processes teams already rely on. Integration across SIEM, SOAR, and internal workflows allows intelligence to be applied consistently at scale.

These areas are closely tied to how Flashpoint has built its platform and how it supports organizations operating in complex threat environments.

Where Intelligence Comes From Matters

A large part of how intelligence performs in practice comes back to the source of the data itself.

We believe, and our customers continue to validate, that Flashpoint’s approach is centered on primary-source collection. That means accessing environments where threat activity is actively discussed, coordinated, and developed, including closed forums, encrypted messaging platforms, and illicit marketplaces. These environments require sustained access and ongoing validation, but they provide a level of visibility that is difficult to achieve through surface-level collection alone.

From our experience, working from these sources changes how intelligence is used. Activity can be observed earlier and understood with more context, with discussions, relationships, and intent preserved.

In practice, this allows teams to:

  • Identify emerging activity before it becomes widely visible
  • Maintain context across conversations, actors, and environments
  • Reduce time spent investigating low-value or unverified signals

Intelligence Has to Fit Into How Teams Actually Operate

Collection alone doesn’t determine whether intelligence is useful. We believe it also has to be delivered in a way that aligns with how teams work.

In our experience, most security teams already have established workflows tied to SIEMs, SOAR platforms, and internal processes. Intelligence that integrates into those workflows can be applied consistently across investigation and response.

In practice, we see this support:

  • Delivery of intelligence directly into existing systems
  • Consistent application across automated and analyst-driven workflows
  • Reduced friction between intelligence, investigation, and response

Over time, this consistency allows teams to build repeatable processes around intelligence rather than treating it as a separate function.

Context Drives Prioritization

The same dynamics apply to vulnerability intelligence.

From our experience, understanding which vulnerabilities exist is only one part of the problem. Determining which ones require attention in a given environment depends on context — how those vulnerabilities are being discussed, shared, or used in active threat activity.

We have seen first-hand that when vulnerability data is connected to real-world activity, teams can:

  • Prioritize remediation based on active threat relevance
  • Align vulnerability management with observed adversary behavior
  • Reduce reliance on static scoring as the sole decision driver

Applying This in Practice

For organizations evaluating providers, challenge intelligence sources, challenge collection agility, challenge exploit prioritization and above all ask yourself is this a partner with a long-term track record of navigating the world’s most complex threat environments?

To see how Flashpoint, the world’s largest private provider of threat intelligence can help you make better decisions, faster and with confidence, schedule a demo.

Gartner Disclaimer

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Flashpoint.

Gartner, Magic Quadrant for Cyber Threat Intelligence Technologies, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, May 4, 2026.

Gartner, The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, By Jonathan Nunez, 15 September 2025.

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

Begin your free trial today.

The post 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders appeared first on Flashpoint.

How to Build and Operationalize Priority Intelligence Requirements

Blogs

Blog

How to Build and Operationalize Priority Intelligence Requirements

In this post, we break down how to define, structure, and operationalize Priority Intelligence Requirements (PIRs) to improve focus, reduce noise, and drive more effective intelligence outcomes, with a companion starter kit to help apply these concepts in practice.

SHARE THIS:
Default Author Image
April 30, 2026

Security teams are inundated with data. Alerts, feeds, reports, and signals continue to grow in volume, but without clear direction, much of that information fails to translate into meaningful action.

Flashpoint recently hosted a webinar, “How to Build and Operationalize Priority Intelligence Requirements,” where our intelligence team walked through how organizations can bring structure to their intelligence programs. The session focused on how to define Priority Intelligence Requirements (PIRs), align them to business needs, and operationalize them across workflows. If you missed it, you can catch the on-demand recording here.

In this blog, we’ll recap the key takeaways from the webinar that you need to know to build, structure, and operationalize Priority Intelligence Requirements within your organization.

Priority Intelligence Requirements Create Focus

Priority Intelligence Requirements (PIRs) define what matters most to an organization’s intelligence function.

They serve as a framework for identifying the threats, risks, and questions that intelligence teams are responsible for answering. Without that structure, teams often default to reactive workflows—chasing alerts and producing reporting without clear alignment to business priorities.

PIRs establish that alignment by grounding intelligence work in specific, decision-driven questions.

These questions are typically tied to areas such as:

  • Threat actor activity targeting the organization or its sector
  • Exposure of sensitive data, credentials, or infrastructure
  • Risks tied to third-party vendors or supply chain dependencies
  • Emerging trends that may impact operations or security posture

When defined correctly, PIRs act as a filter that helps teams determine what to collect, analyze, and escalate.

Effective PIRs Start With the Business

One of the most common challenges highlighted in the webinar is that PIRs are often defined in isolation.

When intelligence requirements are not tied to business priorities, they tend to drift toward generic threat monitoring. This leads to reporting that is technically accurate, but operationally disconnected.

Effective PIR development starts with first understanding:

  • What decisions need to be made
  • Who is responsible for making them
  • What information is required to support those decisions

This requires direct engagement with stakeholders across security, risk, and business teams. In practice, that often includes leadership, legal, fraud, and operational teams.

The goal is to translate business concerns into intelligence questions that can be consistently answered over time.

Structuring PIRs for Actionability

Clear structure is essential to making PIRs usable.

Well-defined PIRs are specific enough to guide collection and analysis, but flexible enough to evolve as threats change. They are typically framed as direct questions that intelligence teams can answer with available data.

Examples of structured PIRs include:

  • Are threat actors actively targeting our organization or industry?
  • Has our data appeared in criminal marketplaces or forums?
  • Are our third-party vendors experiencing security incidents that could impact us?

This approach ensures that intelligence outputs remain focused on answering defined questions rather than producing general reporting.

It also enables consistency across teams, making it easier to track trends and measure changes over time.

Operationalizing PIRs Across Workflows

Defining PIRs is only the starting point. Their value comes from how they are integrated into day-to-day operations.

In the webinar, Flashpoint emphasized the importance of embedding PIRs across the intelligence lifecycle, including:

  • Collection: Prioritizing sources and datasets that align with defined requirements
  • Analysis: Structuring outputs around PIR-driven questions
  • Dissemination: Delivering intelligence to the stakeholders tied to each requirement
  • Feedback: Continuously refining PIRs based on evolving needs

This integration ensures that intelligence efforts remain consistent and aligned, even as threat conditions change.

It also reduces duplication of effort and helps teams avoid producing intelligence that does not support decision-making.

Measuring the Impact of Intelligence

PIRs provide a foundation for evaluating whether intelligence efforts are effective.

Without defined requirements, it is difficult to determine whether outputs are relevant or useful. PIRs create a benchmark against which teams can assess:

  • Whether key questions are being answered
  • Whether intelligence is reaching the right stakeholders
  • Whether outputs are informing real decisions

This shifts intelligence from a reporting function to a decision-support capability.

Over time, this approach helps organizations refine both their requirements and their workflows, improving efficiency and impact.

Dive Deeper | Watch the Full Webinar

Building and operationalizing Priority Intelligence Requirements is a foundational step toward a more focused and effective intelligence program.

Flashpoint’s on-demand webinar walks through this process in detail, including practical examples and guidance for implementation.

For teams looking to move from theory to implementation, the Priority Intelligence Requirements (PIR) Starter Kit provides a practical extension of this approach. The resource includes a structured framework for defining requirements, a catalog of adaptable PIR examples across key intelligence drivers, and a template to support documentation and governance.

Watch the full session and download the starter kit to begin building requirements that directly support decision-making and risk reduction.

Begin your free trial today.

The post How to Build and Operationalize Priority Intelligence Requirements appeared first on Flashpoint.

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

Blogs

Blog

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

In this post, we examine why intelligence requirements often fail to drive decisions and how to operationalize Priority Intelligence Requirements to align collection, analysis, and action.

SHARE THIS:
Default Author Image
April 13, 2026

In modern security operations, the “more is better” approach to threat intelligence has failed. Teams are drowning in alerts, not because the tools aren’t working, but because they lack a defined “North Star” to tell them which signals actually matter. 

To move from reactive monitoring to proactive defense, you need Priority Intelligence Requirements (PIRs). 

What is a Priority Intelligence Requirement (PIR)?
Definition: A Priority Intelligence Requirement is a decision-support question that identifies a critical knowledge gap. It defines what an organization needs to know, why it matters, and which specific business decision the information will support.

What Are the Biggest Challenges in Implementing PIRs?

Most teams buy intelligence tools, connect their sources, and immediately hit a wall: What should we actually be looking for?

Without a requirements-driven intelligence model, programs typically suffer from three critical points of friction that teams face every day: 

  1. Alert Parity: A low-level credential leak on a forum is treated with the same urgency as a targeted ransomware threat.
  2. The “So What?” Gap: Analysts produce reports that leadership finds “interesting” but not “actionable”.
  3. Analyst Burnout: Teams spend the majority of their time chasing “exploratory” data rather than defending the business. 

Requirements-driven intelligence changes the starting point. It moves the focus from “What data can we get?” to “What decisions do we need to make?”

The 3-Tier Intelligence Requirements Model: GIR, PIR, and SIR

To operationalize intelligence, you must understand its hierarchy. A PIR is the bridge between executive strategy and technical execution. We recommend structuring requirements across these three tiers:

  1. General Intelligence Requirements (GIRs): The “Why”)

These are the big-picture risks that keep your CISO or Board up at night. They focus on trends and long-term posture.

Example: “How is the ransomware landscape evolving for the healthcare sector in 2026?”

Outcome: Informs budgeting and annual security priorities.

  1. Priority Intelligence Requirements (PIRs): The “What”

This is the operational heart of your program. PIRs turn strategic concerns into specific, high-impact scenarios.

Example: “Which ransomware groups are actively targeting our specific supply chain partners?”

Outcome: Defines daily monitoring and escalation triggers.

  1. Specific Intelligence Requirements (SIRs): The “How”

SIRs are the tactical “boots on the ground” that power your PIRs with granular data.

Example: “Monitor for [Specific Malware Family] indicators or [Specific Actor] infrastructure associated with Group X.”Outcome: Drives threat hunting and automated detection logic.

Why Should You Focus on Building at the PIR Level?

While you need the full hierarchy, your primary effort should live at the PIR layer.

General IRs are often too high-level to automate, and SIRs (technical indicators) change too quickly to manage manually. PIRs are the “Stable Middle.” They are broad enough to capture business risk but specific enough to map to a workflow. By building your program around a library of PIRs, you create a system that is:

  • Machine-Readable: Easy to translate into platform automation.
  • Stakeholder-Aligned: Written in language that leadership understands.

Action-Oriented: Designed to trigger a specific response every time they are “answered.”

How To Audit Your PIRs (The Stress Test)

Before you commit resources to monitoring, run each requirement through this three-point filter:

  1. Is it tied to a decision? If we learn the answer today, what specifically changes in our defense?
  2. Does it have an owner? Which specific stakeholder is accountable for acting on this information?
  3. Is it time-bound? Is this requirement evergreen, or active during a defined risk window?

For a more comprehensive view of your full threat intelligence picture, take the Threat Intelligence Capability Assessment.

Frequently Asked Questions About Priority Intelligence Requirements

What is the difference between PIRs and general monitoring goals?
PIRs are decision-driven requirements tied to specific risks. Monitoring goals (like “watch the dark web”) describe activities without defining a clear outcome.

How often should PIRs be updated?
PIRs should be revisited when decisions are made, risks shift, incidents occur, or strategic priorities change.

Can small security teams implement PIR frameworks?
Yes. In fact, smaller teams often benefit most because requirements help prioritize limited resources.

How do you measure PIR effectiveness?
Indicators include reduced alert noise, clearer reporting alignment, faster investigations, and improved stakeholder satisfaction.

Join the Webinar: How to Build and Operationalize Priority Intelligence Requirements

Register to learn how to define actionable PIRs that stakeholders actually care about and align intelligence to real business decisions.

Register now for the webinar.

Note: Attendees will receive our exclusive “Priority Intelligence Requirements Starter Kit,” which features a practical workbook and a PIR library.

Begin your free trial today.

The post Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework appeared first on Flashpoint.

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

Blogs

Blog

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

SHARE THIS:
Default Author Image
April 6, 2026

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.

Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.

Emojis as a Functional Layer of Communication

Within threat actor communities, emoji usage is often structured and repeatable.

Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.

This is especially common in:

  • Telegram fraud channels
  • Phishing and carding communities
  • Service marketplaces and access broker groups

In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.

Common Emoji Categories and What They Signal

Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.

Financial Activity and Monetization

Emojis related to money are among the most frequently used.

Common examples include:

  • 💰 / 💸 — Profit, successful fraud, or payouts
  • 💳 — Credit cards, carding activity, or stolen payment data
  • 🏦 — Banks or financial institutions
  • 🪙 — Cryptocurrency-related activity

These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.

Access, Credentials, and Compromise

Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.

Examples include:

  • 🔑 — Credentials or account access
  • 🔓 — Successful breach or unlocked account
  • 📥 / 📤 — Data exfiltration or transfer
  • 🗂 — Databases or collections of stolen data

In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.

Tools, Automation, and Services

Emojis are also used to signal tooling and service offerings.

Examples include:

  • 🤖 — Bots, automation tools, or malware
  • ⚙ — Configuration, setup, or infrastructure
  • 🧰 — Toolkits or bundled services
  • 📡 — Infrastructure, communication channels, or delivery mechanisms

These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.

Targets and Geography

Threat actors frequently use emojis to represent targets or regions.

Examples include:

  • 🏢 — Corporate or enterprise targets
  • 🎯 — Targeting or “hits”
  • 📍 — Specific targets, drop locations, or points of interest
  • 🌐 — Global campaigns
  • Country flags — Specific geographic targeting

This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.

Urgency, Success, and Status

Some emojis are used to communicate momentum or importance.

Examples include:

  • 🔥 — High-value or trending activity
  • ✅ — Verified success or working method
  • 🚨 — Urgent update or active campaign
  • 📈 — Growth or increased results

These signals are particularly important in fast-moving channels where actors compete for attention.

Emojis as a Tool for Obfuscation

Beyond signaling, emojis are also used to evade detection.

Threat actors may substitute emojis for keywords associated with:

  • Fraud techniques
  • Financial activity
  • Specific platforms or services

For example, replacing “credit card” with 💳 or “bank” with 🏦 can help bypass basic keyword filters or reduce visibility in automated moderation systems.

When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.

Building Identity and Reputation Through Emoji Patterns

Emoji usage is not just functional. It can also be behavioral.

Over time, actors often develop recognizable patterns in how they use emojis:

  • Consistent combinations in sales posts
  • Repeated formatting styles
  • Unique ways of structuring messages

These patterns can serve as lightweight identifiers, helping analysts:

  • Track the same actor across different channels
  • Identify reposted or syndicated content
  • Link activity between platforms

In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.

Cross-Language Communication in Global Threat Ecosystems

Illicit communities are inherently global, spanning multiple languages and regions.

Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:

  • Large Telegram channels with international membership
  • Cross-border fraud operations
  • Decentralized marketplaces

For example, a combination of 💳 + 💰 + 🌍 can communicate “global carding opportunity” without requiring a shared language.

This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.

Context Still Determines Meaning

Despite these patterns, emoji usage is not universal or fixed.

The same emoji can carry different meanings depending on:

  • The platform (Telegram vs. Discord vs. forums)
  • The specific community
  • The surrounding text and context

For example, 🔥 may indicate “high value” in one group, but simply “active discussion” in another.

For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.

What This Means for Threat Intelligence Teams

Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.

Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:

  • Detection of emerging campaigns
  • Identification of high-value activity
  • Attribution and actor tracking
  • Interpretation of intent and sentiment

While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.

Supporting Security Teams with Threat Intelligence

Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.

Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.

This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Begin your free trial today.

The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Blogs

Blog

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Key insights from Forrester’s External Threat Intelligence Service Providers Landscape, Q1 2026 and what they mean for security teams.

SHARE THIS:
Default Author Image
March 30, 2026

Forrester recently published The External Threat Intelligence Service Providers Landscape, Q1 2026, an overview of 34 vendors in the external threat intelligence market — defining market maturity and outlining key dynamics and use cases.

For security and risk leaders, the report offers a clear picture of how the market is evolving and where organizations should focus as they evaluate and operationalize threat intelligence.

The Market Has Moved Beyond Undifferentiated Data Collection

One of the clearest takeaways from the report is how significantly the market has matured.

Threat intelligence is no longer simply about collecting indicators or monitoring feeds. The expectation is now:

  • Contextualized analysis
  • Relevance to specific business risks
  • Direct applicability to detection, response, and decision-making

In our experience, turning data into action is among the most pressing challenges for security leaders. At RSA Conference 2026, Flashpoint introduced new capabilities designed to address this gap by connecting adversary activity directly to business priorities, assets, and investigations.

Intelligence Is Only Valuable When It’s Operationalized

The report also calls out a central challenge: gaps in operationalizing intelligence and aligning it to business context.

Forrester notes, “Gaps in operationalizing intelligence and aligning it to business context are the primary challenge in this market. As the industry shifts from static IOCs to TTPs, scaling operational use becomes difficult when intelligence is not tightly integrated into existing detection, response, and investigation workflows.”

This reflects what we consistently see across teams:

  • Intelligence exists, but sits outside workflows
  • Insights don’t map cleanly to assets, users, or priorities
  • Teams spend time interpreting instead of acting

This alignment of collection and operationalization is defining the next phase of the market.

AI Is Accelerating, But Not Replacing, Intelligence Workflows

Another key theme is the role of AI.

The Forrester report points out, “The main trend in this market is agentic AI being embedded into threat intelligence workflows to improve effectiveness and efficiency… While AI is reshaping the threat intelligence industry, human expertise remains essential to interpret intelligence, apply it to an organization’s unique risk profile, and design, validate, govern, and maintain even highly automated systems over time.”

This balance is critical.

AI is improving how teams operate day to day. Our customers largely credit AI for optimizing:

  • Correlation across disparate signals
  • Speed of triage and enrichment
  • Detection engineering and threat hunting

At the same time, customers do not believe that it can replace:

  • Contextual understanding of adversaries
  • Business-specific risk interpretation
  • Decision-making under uncertainty

Security teams that treat AI as a force multiplier tend to see the most impact. We explore this further in our recent work on AI and threat intelligence.

Where Flashpoint Fits Into The Threat Intelligence Landscape

In The External Threat Intelligence Service Providers Landscape, Q1 2026, Flashpoint self-reported the extended use cases of fraud, financial abuse, counterfeiting, and piracy, threats targeting physical assets, and vulnerability and exposure prioritization as the top three use cases for which clients select them.

From our perspective, the direction outlined in the report closely aligns with how we see the market evolving. Flashpoint is designed to operationalize the capabilities described in the report by linking adversary activity to business context, assets, and decision-making workflows.

From our experience as the largest private provider of threat intelligence, effective threat intelligence today requires:

  • Primary source collection at scale: Direct access to adversary communications, illicit marketplaces, and closed communities — not just aggregated feeds
  • Contextualized, finished intelligence: Analysis that connects activity to real-world impact across assets, people, and operations
  • Operational integration: Intelligence that maps directly into workflows and investigations
  • Cross-domain visibility: Coverage that spans cyber, physical, and geopolitical risk — not treating them as separate problems

What Security Leaders Should Take Away

Based on our experience working with security teams, we see a few consistent priorities for those evaluating threat intelligence providers:

  1. Prioritize outcomes over inputs: The volume of data matters less than its relevance and usability
  2. Look for operational alignment: Intelligence should integrate into detection, response, and investigation workflows
  3. Evaluate context, not just coverage: Breadth of collection matters — but depth of analysis is what drives decisions
  4. Plan for convergence: Cyber, physical, and brand risks are increasingly interconnected
  5. Treat AI as an accelerator, not a replacement: Automation improves scale, but expertise drives impact

Final Thoughts

We believe Forrester’s overview reflects a market that is maturing quickly, but highlights the continued need for security teams to focus on turning intelligence into action.

For organizations evaluating providers, the question is not solely “Who has the most data?”

Organizations must also consider “Where does that data come from, and who can help us make better decisions, faster and with confidence?”

To see how Flashpoint supports this in practice, schedule a demo.

Required Disclaimer

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

Begin your free trial today.

The post Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders appeared first on Flashpoint.

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

Blogs

Blog

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

At RSA Conference 2026, Flashpoint introduces new capabilities that enable security teams to move from visibility to defensible action by connecting adversary activity to business priorities, assets, and investigations.

SHARE THIS:
Default Author Image
March 23, 2026

Most organizations are not lacking visibility, but they are drowning in large volumes of information that are difficult to prioritize and even harder to tie back to clear action. In practice, this creates a familiar problem.

They can see what vulnerabilities exist.
They can track threat activity.
They can monitor alerts across their environment.

But the questions they struggle to answer are more important:

Which of these exposures actually matter?
What do we fix first — and why?
How does this activity translate to risk for the business?

As a result, teams fall back on patching cycles, compliance requirements, or best-effort prioritization and are left making decisions based on incomplete context.

This gap between data and decision-making has become one of the most persistent challenges in modern security operations.

At RSA Conference 2026, Flashpoint is sharing how we are addressing this gap directly — connecting adversary activity to assets, investigations, and defined business priorities so teams can make more consistent, defensible decisions.

“The industry has reached a tipping point where security teams are drowning in data that fails to align with their most important business requirements and decisions. Visibility alone is no longer a victory; it’s a baseline. By connecting underground adversary activity to an organization’s specific attack surface and strategic requirements, Flashpoint is raising the bar beyond passive observation. We are enabling defenders to stop asking ‘what do we own’ and start answering ‘what do we fix first, and why,’ turning raw data into an engine for risk reduction at speed.”

Josh Lefkowitz

What Flashpoint is Showcasing at RSA Conference 2026

Flashpoint is introducing a set of capabilities designed to connect threat intelligence directly to business risk, assets, and investigations:

  • Threat-informed External Attack Surface Management (EASM)
  • Business-Aligned Priority Intelligence Requirements (PIRs)
  • Managed Attribution browser for anonymous investigations

Together, these capabilities enable organizations to move beyond passive monitoring and toward intelligence-driven action.

What Is Threat-Informed External Attack Surface Management (EASM)

Most organizations maintain an inventory of their external assets, but prioritizing them is a persistent challenge. Traditional EASM tools identify what you own but often fail to answer the critical “so what?”. Without contextual risk, prioritization is often driven by static severity scores, patch cycles, or compliance requirements rather than real-world attacker behavior. As a result, teams are left managing stale data through manual CSV uploads and struggling to determine which exposures actually matter.

Flashpoint’s EASM module transforms this stream of exposure data into a prioritized action plan. It continuously discovers a customer’s external attack surface, including domains, subdomains, and IP addresses, and automatically maps this live inventory directly to Flashpoint’s industry-leading vulnerability intelligence.

This allows security teams to:

  • Maintain a Dynamic Inventory: Eliminate manual uploads and stale CMDB exports with an always-current map of internet-facing assets.
  • Contextualize Risk Immediately: Go beyond simple asset discovery by mapping the specific software running on each asset to known vulnerabilities, including pre-NVD findings.
  • Prioritize with Precision: Connect the asset to the actual risk, showing teams not just their external exposure, but where they are truly vulnerable and what needs to be fixed first.

By layering deep vulnerability intelligence onto live asset discovery, Flashpoint enables defenders to move from reactive analysis to proactive, intelligence-driven risk reduction.

Why Priority Intelligence Requirements (PIRs) Are Foundational

Many intelligence teams operate without a formal structure that defines what their work is intended to support.

In day-to-day operations, this results in:

  • Reactive investigation of incoming alerts
  • Reporting driven by the availability of information rather than the need
  • Difficulty demonstrating how intelligence outputs influence decisions

Priority Intelligence Requirements (PIRs) are designed to address this, but in many organizations, they are not integrated into operational workflows.

In May, Flashpoint is introducing in-platform Intelligence Requirements to formalize this structure and embed it directly into the way teams work.

Alerts, investigations, and reporting can be tied to defined requirements, allowing teams to:

  • Focus on activities that directly align with defined business risk priorities
  • Maintain consistency in what is tracked and reported
  • Provide a clearer justification for the intelligence work being done

This creates a more structured intelligence program. Instead of producing outputs based on what is observed, teams can align their work to defined objectives and decision-making needs.

Enabling Safe, Scalable Investigations with Managed Attribution

Accessing adversary-controlled environments such as forums, marketplaces, and encrypted platforms is a core part of many intelligence workflows.

However, doing so safely requires careful setup. Analysts typically need to:

  • Use isolated infrastructure
  • Manage attribution and identity exposure
  • Avoid introducing risk to internal systems

This creates operational overhead and can slow down or limit investigation.

The new anonymous browser capability within Flashpoint Managed Attribution is designed to address this by providing a non-persistent, isolated environment for research and immediate triage. This removes setup friction and allows analysts to move immediately from detection, to investigation, to deeper analysis in the same environment.

Analysts can:

  • Access underground communities
  • Open suspicious links or files
  • Engage with threat actors

Without exposing their identity or internal infrastructure.

By removing the need for manual setup, this allows analysts to move directly into investigation while maintaining operational security. 

See it at RSA Conference 2026

Security teams are being asked to do more than identify threats. They are expected to prioritize, act decisively, and justify those decisions.

That becomes difficult when the inputs — vulnerabilities, alerts, threat reporting — are not clearly connected to each other or to the business.

​​Intelligence needs to be tied to assets, aligned to defined priorities, and usable in day-to-day workflows. That’s the focus of Flashpoint’s updates this year.

At RSA Conference 2026, we’ll be walking through how this works in practice—how teams are connecting adversary activity to what they own, what matters, and what they do next. Flashpoint will be sharing more on these new innovations, including threat-informed EASM, in-platform Intelligence Requirements, and the Managed Attribution browser.If you’re attending, stop by Booth S-3341 to see how teams are moving from visibility to action. For a personalized demo, schedule a meeting with us.

Frequently Asked Questions

What is Flashpoint showcasing at RSA 2026? 

Flashpoint is showcasing how its primary-source threat data connects directly to business assets and priorities. At the booth, attendees can get a sneak peek of the upcoming in-platform Priority Intelligence Requirements (PIRs), which formalize how security teams tie investigations to business risk. Flashpoint will also be discussing the upcoming general availability of threat-informed EASM for asset discovery and risk prioritization, alongside the Flashpoint Managed Attribution browser, designed for secure underground research.

What is Flashpoint Threat-Informed EASM? 

Flashpoint External Attack Surface Management (EASM) goes beyond simple asset discovery by automatically mapping your external footprint to our industry-leading vulnerability intelligence. This allows teams to prioritize remediation by identifying which software versions are actually running on key assets, flagging critical risks often missed by public databases.

How do Flashpoint Priority Intelligence Requirements (PIRs) help security teams? 

Flashpoint PIRs provide a formal in-platform structure that ties security alerts and investigations to specific business risks. This helps teams move away from reactive “activity-based” work and toward “decision-based” intelligence that is defensible to executive stakeholders.

What are the benefits of the Flashpoint Managed Attribution browser? 

The Flashpoint Managed Attribution browser allows threat analysts to safely research the web using a disposable, anonymous environment. This prevents the analyst’s identity from being exposed and protects the corporate network from malware while conducting underground research.

How does Flashpoint’s new offering support a Continuous Threat Exposure Management (CTEM) framework?

Flashpoint facilitates the CTEM lifecycle by providing the primary source data necessary to move beyond traditional point-in-time scanning. EASM enables organizations to start focusing on the specific vulnerable software and high-risk exposures that threat actors are actively targeting.

Begin your free trial today.

The post Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 appeared first on Flashpoint.

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

Blogs

Blog

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

In this post, we examine the disruptive cyber activity targeting Stryker, potential links to the Handala persona, and what the incident signals about evolving threats to healthcare supply chains.

SHARE THIS:
Default Author Image
March 12, 2026

Over the past several years, destructive cyber operations have increasingly expanded beyond traditional critical infrastructure targets. State-linked actors have demonstrated a growing willingness to disrupt organizations that sit at key logistical and supply chain nodes, where a single intrusion can generate cascading operational impacts across entire sectors.

Healthcare supply chains are particularly exposed to this dynamic. Large medical technology providers, pharmaceutical distributors, and logistics partners often support hundreds or thousands of downstream healthcare providers, making them attractive targets for adversaries seeking to create disruption without directly attacking hospitals themselves.

On March 11th, medical technology company Stryker disclosed that a cyberattack had disrupted portions of its global network infrastructure, affecting Microsoft systems used across the organization. In public statements and regulatory filings, the company indicated that the incident impacted internal operations and that the full scope of the disruption and timeline for restoration remain under investigation. At the time of writing, the company stated it had not identified evidence of ransomware or conventional malware, suggesting the activity may involve alternative attack methods or infrastructure abuse.

Separately, reporting has noted that the Handala persona — a hacking group widely assessed to be linked to Iranian state actors — appeared on some company login pages during the incident, further raising questions about possible attribution.

Yesterday’s cyberattack against Stryker reflects several dynamics that Flashpoint analysts have been tracking across disruptive cyber operations. Flashpoint analysts are monitoring technical indicators and reporting associated with destructive activity targeting the organization and assessing potential links to threat actors previously associated with disruptive campaigns targeting Western organizations.

While the full scope of the incident remains unclear, the activity highlights several trends that threat intelligence teams are tracking closely.

Observed Activity Linked to the Handala Persona

Flashpoint analysts are monitoring indicators associated with the Handala threat persona in relation to the incident.

Handala has maintained an online presence that presents itself as a politically motivated hacktivist movement. However, based on targeting patterns, messaging, and operational behavior observed over the past year, Flashpoint assesses that the persona is likely linked to Iranian state actors rather than an independent hacktivist collective. In public Telegram posts and website manifestos monitored by Flashpoint analysts, Handala framed the Stryker attack as retaliation for recent kinetic strikes in the Middle East. By operating behind a persona styled as a grassroots, pro-Palestinian resistance movement, Iranian state-nexus actors are able to conduct destructive cyber operations against Western organizations while maintaining a degree of plausible deniability.

“From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism. What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale.”

Kathryn Raines, Cyber Threat Intelligence Team Lead for Flashpoint National Security Solutions

Flashpoint analysts have previously documented how Iranian state-linked actors are increasingly integrating cyber operations into broader geopolitical and military campaigns. For additional context on this trend, see our recent analysis of how cyber activity is evolving alongside the current regional conflict.

Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling. Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.

While attribution for the Stryker incident has not been definitively established, the activity is consistent with patterns previously associated with the persona.

Potential Abuse of Enterprise Management Infrastructure

Flashpoint analysts are reviewing indications that attackers may have leveraged enterprise device management infrastructure, including Microsoft Intune, to trigger wiping actions across managed devices. This method explains Stryker’s initial public statements indicating that “no evidence of malware or ransomware.” Because Intune is a trusted, native Microsoft administrative tool, an attacker weaponizing it to issue mass remote wipe commands would not trigger traditional endpoint detection and response (EDR) or antivirus alerts. To the victim’s security sensors, no malicious files are being dropped; therefore, the activity would appear to be a highly privileged IT administrator executing a standard, albeit catastrophic, compliance policy. This living off the land (LotL) approach represents a massive blind spot for traditional security architectures

If confirmed, this technique represents an evolution in destructive cyber operations.

Rather than relying exclusively on custom malware designed specifically for wiping systems, attackers may increasingly attempt to abuse legitimate administrative tools already embedded in enterprise environments. Compromise of a centralized management console could allow an adversary to execute commands across large numbers of endpoints simultaneously.

This approach can significantly expand the potential impact of a compromise while reducing the need for specialized destructive malware.

Targeting Supply Chain Nodes in Critical Sectors

As a major provider of equipment used in surgical suites and emergency rooms, Stryker occupies an important position within the healthcare ecosystem. Disruption affecting organizations in this category can create second-order operational impacts across healthcare providers that depend on their products and services.

“The attack on Stryker highlights a troubling shift we’re increasingly seeing in destructive cyber operations. Rather than targeting hospitals or frontline healthcare providers directly, adversaries may focus on critical suppliers and logistics providers where disruption can cascade across the entire healthcare ecosystem. A single intrusion at a key node in the supply chain has the potential to create widespread operational impact far beyond the initial target.”

Josh Lefkowitz, CEO, Flashpoint

Flashpoint analysts have increasingly observed state-linked cyber activity targeting logistical nodes and supply chain providers, rather than only frontline institutions such as hospitals. From an operational perspective, this strategy allows adversaries to generate broader disruption while potentially avoiding the immediate scrutiny associated with direct attacks on healthcare facilities.

Ongoing Monitoring

Flashpoint analysts continue to monitor developments related to this incident and are evaluating additional indicators as they emerge.

Several factors will shape the broader assessment of the activity in the coming days:

  • Confirmation of the mechanism used to carry out destructive actions
  • The scale of affected systems or devices
  • Additional evidence linking the activity to known threat actors or state-linked groups
  • Whether the activity represents a single incident or part of a broader campaign

Incidents involving destructive cyber activity targeting critical supply chain organizations underscore the increasing intersection between geopolitical tensions, cyber operations, and operational resilience.

Flashpoint will continue to track this activity and provide updates as more information becomes available.

Supporting Security Teams with Threat Intelligence

Understanding how adversaries operate — including the tradecraft used to weaponize enterprise infrastructure and target supply chain dependencies — is essential for defending critical organizations.

Flashpoint delivers actionable intelligence that helps security teams detect emerging threats, contextualize adversary activity, and respond faster to disruptive campaigns targeting critical sectors. Schedule a demo to learn more.

Begin your free trial today.

The post Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks appeared first on Flashpoint.

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

SHARE THIS:
Default Author Image
March 11, 2026

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

  • AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
  • 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
  • From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
  • Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

  1. A Clear Understanding of the New Convergence Between Identity and AI
    Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
  2. Intelligence on the “Franchise Model” of Global Extortion
    Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
  3. A Blueprint for Proactive Defense and Risk Mitigation
    Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Get Your Copy

The post Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report appeared first on Flashpoint.

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

13 February 2026 at 20:09

Blogs

Blog

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

SHARE THIS:
Default Author Image
February 13, 2026
Table Of Contents

The threat intelligence landscape is often dominated with talks of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still managed by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”,  Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study where an attacker’s digital breadcrumbs led to a life-saving intervention. 

Here is how OSINT techniques, leveraged by Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

  • Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
  • Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
  • Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of Osint Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall in, we know exactly where to look for their mistakes.

AssumptionThe Mindset TrapThe Investigative Reality
Insignificant“I’m not a high-value target; no one is looking for me.”Automated Aggression: Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
Invisible“I don’t have a LinkedIn or X account, so I don’t have a footprint.”Shadow Data: Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
Invincible“I have 2FA and complex passwords; I’m unhackable.”Session Hijacking: Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.

Request a demo today.

The post The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs appeared first on Flashpoint.

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

11 February 2026 at 16:46

Blogs

Blog

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the “turn-key” weapon of choice for modern threat actors.

SHARE THIS:
Default Author Image
February 11, 2026

The race between defenders and threat actors has entered a new, more volatile phase: the rapidly accelerating exploitation of N-day vulnerabilities. Different from zero-days, N-day vulnerabilities are known security flaws that have been publicly disclosed but remain unpatched or unmitigated on an organization’s systems.

Historically, enterprises operated under the assumption of a “patching grace period,” the designated window of time allowed for a vendor to test and deploy a fix before a system is considered non-compliant or at high risk. However, this window is effectively collapsing, with Flashpoint finding that N-days now represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

The Collapse of the Time to Exploit (TTE) Window

The most sobering trend for security operations (SecOps) and exposure management teams is the dramatic reduction in Time to Exploit (TTE). In 2020, the average TTE, the time between a vulnerability’s disclosure and its first observed exploitation, was 745 days. By 2025, Flashpoint found that this window has now plummeted to an average of just 44 days.

202520242023202220212020
Average TTE44115296405518745

This contraction represents a strategic shift in adversary tempo. Attackers are no longer waiting for complex, bespoke exploits; they are moving at breakneck speeds to weaponize public disclosures.

N-Days Provide a “Turn-Key” Exploit Advantage

Adversaries have gained a significant advantage through the rapid weaponization of researcher-published Proof-of-Concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a “turn-key” solution for attackers. By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.

A prime example of this path of least resistance approach was observed in the leaked internal chat logs of the BlackBasta ransomware group. Analysis revealed that of the 65 CVEs discussed by the group, 54 were already known KEVs. Rather than spending resources on original zero-day research, threat actors are simply leveraging known, yet unpatched and exploitable vulnerabilities for their campaigns.

Defensive Software is a Primary Target for N-Days

The very software designed to protect enterprise firewalls, VPN gateways, and edge networking devices is consistently the most targeted category for both N-day and zero-day exploitation.

Because cybersecurity devices must be internet-facing to function, they provide a constant, unauthenticated attack surface. In 2025 alone, Flashpoint observed 37 N-days and 52 zero-days specifically targeting security and perimeter software. The requirement for these systems to remain open to external traffic means they will continue to be disproportionately targeted by advanced persistent threat (APT) groups and cybercriminals alike.

Attributing N-Day Attacks

While tracking the “how” of an attack is critical, tracking who is responsible remains a fragmented challenge for the industry. Attribution is often hampered by naming fatigue, where different vendors assign their own designated unique monikers to the same actor. For instance, the widely known threat actor group Lazarus has over 40 distinct designations across the industry, including “Diamond Sleet,” “NICKEL ACADEMY,” and “Guardians of Peace”.

Despite these naming complexities, global activity patterns remain clear. China remains the most active nation-state actor in the vulnerability exploitation space, consistently outpacing Russia, Iran, and North Korea in both the volume and scope of their campaigns.

Obstacles for Enterprise Security: Asset Blindness and the CVE Dependency Trap

Why are organizations struggling to keep pace? The primary factor isn’t a lack of effort, but a lack of visibility.

1. The Asset Inventory Gap

The single greatest breakthrough an enterprise can achieve is not a new AI tool, but a complete asset inventory. Most large organizations are lucky to have an accurate inventory of even 25% of their total assets. Without knowing what you own, vulnerability scans can take days or weeks to return results that the adversary is already using to probe your network.

2. The CVE Blindspot

Most traditional security tools are CVE-dependent. However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID. These “missing” vulnerabilities represent a massive blindspot for standard scanners. Intelligence-led exposure management requires looking beyond the CVE ecosystem into proprietary databases like Flashpoint’s VulnDB™, which tracks over 105,000 vulnerabilities that public sources miss.

Move Towards Intelligence-Led Exposure Management Using Flashpoint

To survive in an era where weaponization can happen in under 24 hours, organizations must shift from reactive patching to a threat-informed and proactive security approach. This means:

  • Prioritizing by Exploitability and Threat Actor Activity: Focus on vulnerabilities that are remotely exploitable and have known public exploits, rather than just high CVSS scores.
  • Adopting an Asset-Inventory Approach: Moving away from slow, periodic scans in favor of continuous asset mapping that allows for immediate triage.
  • Operationalizing Intelligence: Embedding real-time threat data directly into SOC and IR workflows to reduce the “mean time to action”.

The goal of exposure management is to look at your organization through the adversary’s lens. By understanding which N-days threat actors are actually discussing and weaponizing in the wild, defenders can finally start to close the window of exposure before a potential compromise can occur.

Flashpoint’s vulnerability threat intelligence can help your organization go from reactive to proactive. Request a demo today and gain access to quality vulnerability intelligence that enables intelligence-led exposure management.

Request a demo today.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Flashpoint.

Cyber and Physical Risks Targeting the 2026 Winter Olympics

Blogs

Blog

Cyber and Physical Risks Targeting the 2026 Winter Olympics

In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.

SHARE THIS:
Default Author Image
February 5, 2026

The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.

Kinetic and Physical Security Challenges

The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.

Terrorist and Extremist Threats

Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.

Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.

Protests

Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:

  • US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
  • Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
  • Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
  • Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.

On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.

Cyber Threats Facing the 2026 Winter Olympics

The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.

Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4. 

Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.

Staying Safe at the 2026 Winter Games

The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.

To stay safe at this year’s Games, participants should:

  1. Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
  2. Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
  3. Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
  4. Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
  5. Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.

Stay Safe Using Flashpoint

While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.

To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

The post Cyber and Physical Risks Targeting the 2026 Winter Olympics appeared first on Flashpoint.

Flashpoint’s Threat Intelligence Capability Assessment

Blogs

Blog

Flashpoint’s Threat Intelligence Capability Assessment

In this post we introduce a new free assessment designed to pinpoint intelligence gaps, top strategic priorities for progress, and prioritized practical actions to drive real impact.

SHARE THIS:
Default Author Image
February 5, 2026

Many organizations today have some form of threat intelligence. Far fewer have a threat intelligence function that is structured, measurable, and trusted across the business. Experienced security professionals know that volume does not equal value—having more feeds, more alerts, or more dashboards doesn’t automatically translate into better intelligence. In reality, teams need clear visibility into the source of their intelligence data, how it aligns to their most important risks, and whether it’s actually influencing decisions.

Without this baseline, organizations struggle to answer fundamental questions: 

  • Are we collecting intelligence that reflects our real risk exposure?
  • Are we missing upstream threats—or over-prioritizing noise?
  • Is our intelligence tailored to our environment, or largely generic?
  • Is it reaching the right teams at the right moment to drive action?

These blind spots create friction across security operations—and make it difficult to improve with confidence.

How is Your Intelligence Working Across Your Environment?

That’s why Flashpoint created the Threat Intelligence Capability Assessment out of a simple observation: the most successful intelligence functions aren’t defined by the size of their budget or the number of feeds they ingest. They are defined by how intelligence flows across the full threat intelligence lifecycle:

  1. Requirements & Tasking: How clear are your intelligence priorities, and how directly are they tied to real business risk?
  2. Collection & Discovery: Is your visibility broad, deep, and flexible enough to keep pace with changing threats?
  3. Analysis & Prioritization: How effectively are signals, context, and impact being connected to inform decisions?
  4. Dissemination & Action: Is intelligence reaching the teams and leaders who need it, when they need it?
  5. Feedback & Retasking: How consistently are priorities reviewed, refined, and adjusted based on outcomes?

By examining each stage independently, our assessment reveals where intelligence accelerates decisions and where it quietly breaks down.

Why This Assessment is Different

Most maturity assessments focus on inputs: tooling, headcount, or abstract maturity labels.

Flashpoint’s Threat Intelligence Capability Assessment takes a different approach. It evaluates how intelligence actually functions across the full intelligence lifecycle— from requirements and tasking through feedback and retasking—and what that means in practice for day-to-day operations.

Rather than stopping at a score, the assessment helps organizations:

  1. Understand what their stage means in real operational terms
  2. Identify constraints and patterns that may be limiting impact
  3. Focus on top strategic priorities for progress
  4. Take immediate, practical actions to strengthen intelligence workflows
  5. Apply a 90-day planning framework to turn insight into execution

Critically, The Threat Intelligence Capability Assessment is grounded in operational reality, not vendor theory, and is designed to be applied by function, recognizing that intelligence maturity is rarely uniform across an organization.

“As cyber threats grow in scale, complexity, and impact, organizations need a clear understanding of how effectively intelligence supports their ability to detect high-priority risks and respond with speed. This assessment helps teams move beyond a score to understand what’s holding them back, where to focus next, and how to turn intelligence into action.”

Josh Lefkowitz, CEO and co-founder of Flashpoint

Where Do You Stand?

This assessment isn’t about simply measuring where you are today—it’s about identifying holding you back, and where targeted improvements can deliver the greatest return.  

After taking Flashpoint’s quick 5 minute assessment, security leaders can evaluate each component of their intelligence program—such as SOCs (Security Operations Center), vulnerability teams, fraud teams, and physical security—and benchmark them to surface potential gaps and needed improvements.
Whether your program is at the developing, maturing, advanced, or leader stage, the goal is the same: to move from intelligence as a supporting activity to intelligence as a driver of proactive operations.

  • Developing: The early stages of building a dedicated intelligence function. Work is largely reactive—driven primarily by escalations or stakeholder questions—and may be reliant on open sources, vendor feeds, internal alerts, or ad-hoc investigations.
  • Maturing: Processes have moved beyond reactive workflows and are beginning to operate with a consistent structure. There are documented priority intelligence requirements and teams are intentionally building depth across sources, workflows, and reporting.
  • Advanced: In this stage, intelligence functions shape how your organization understands, prioritizes, and responds to threats. Requirements are well-defined, visibility spans multiple layers of the threat ecosystem, and analysts apply structured tradecraft that produces actionable intelligence.
  • Leader: Intelligence functions are a core component of organizational risk strategy. Outputs are trusted and used across the business to inform high-stakes decisions, shape long-range planning, and provide early warning across cyber, fraud, physical, brand, and geopolitical domains.

A Practical Roadmap, Not a Judgment

No matter which stage you are currently in, advancing an intelligence function requires deeper visibility into relevant ecosystems, stronger analytic rigor, and the ability to act on intelligence at the moment it matters. To move the needle, organizations need clear requirements, direct visibility into where threats originate, structured tradecraft, and intelligence that drives decisions.

Flashpoint helps teams accelerate progress with the data, expertise, and workflows that strengthen intelligence programs at every stage—without requiring a new operational model. Take the assessment now to see where your intelligence program stands. Or, learn more about how Flashpoint helps intelligence teams progress faster, reduce fragmentation, and sustain momentum toward intelligence-led operations, delivered through the Flashpoint Ignite Platform.

Request a demo today.

The post Flashpoint’s Threat Intelligence Capability Assessment appeared first on Flashpoint.

Protecting the Big Game: A Threat Assessment for Super Bowl LX

Blogs

Blog

Protecting the Big Game: A Threat Assessment for Super Bowl LX

This threat assessment analyzes potential physical and cyber threats to Super Bowl LX.

SHARE THIS:
Default Author Image
February 4, 2026
Superbowl LIX Threat Assessment | Flashpoint Blog
Table Of Contents

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.

Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.

Online Sentiment

Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.

Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.

Potential Physical Threats

Protests and Boycotts

Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.

In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.

Terrorist and Extremist Threats

Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.

Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.

Mitigation Strategies and Executive Protection

Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.

Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.

The nearest medical facilities are:

  • O’Connor Hospital (Santa Clara Valley Healthcare)
  • Kaiser Permanente Santa Clara Medical Center
  • Santa Clara Valley Medical Center
  • Valley Health Center Sunnyvale

Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.

The primary law enforcement facility near the venue is:

  • Santa Clara Police Department

As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.

    Stay Safe Using Flashpoint

    Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

    Request a demo today.

    How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

    Blogs

    Blog

    How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

    In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and commercialized hacker-for-hire industry.

    SHARE THIS:
    Default Author Image
    January 30, 2026

    For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

    In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

    Understanding the Walled Garden: The Shift from Disclosure to Nationalization

    The “Walled Garden” is a direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). While the gradual walling off of China’s data is the cumulative result of years of implementing regulatory and policy strategies, the 2021 RMSV marks a critical turning point that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

    It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community. 

    For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

    The Indigenous Kill Chain: Reconnaissance Beyond Shodan

    Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

    While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

    • FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
    • Zoomai: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
    • 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

    In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

    Building a State-Aligned Offensive Stack

    Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

    In the webinar, our analysts explain purpose-built cyber weapons designed to hunt VMware vCenter servers that support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion)—a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

    Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

    By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.

    How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

    Watch the on-demand webinar to learn more, or request a demo today.

    Request a demo today.

    The post How China’s “Walled Garden” is Redefining the Cyber Threat Landscape appeared first on Flashpoint.

    The Five Phases of the Threat Intelligence Lifecycle

    Blogs

    Blog

    The Five Phases of the Threat Intelligence Lifecycle: A Strategic Guide

    The threat intelligence lifecycle is a fundamental framework for all fraud, physical, and cybersecurity programs. It is useful whether a program is mature and sophisticated or just starting out.

    Share:
    Default Author Image
    January 29, 2026

    What is the Core Purpose of the Threat Intelligence Lifecycle?

    The threat intelligence lifecycle is a foundational framework for all fraud, physical security, and cybersecurity programs at every stage of maturity. It provides a structured way to understand how intelligence is defined, built, and applied to support real-world decisions.

    At a high level, the lifecycle outlines how organizations move from questions to insight to action. Rather than focusing on tools or outputs alone, it emphasizes the practices required to produce intelligence that is relevant, timely, and trusted. This iterative, adaptable methodology consists of five stages that guide how intelligence requirements are set, how information is collected and analyzed, how insight reaches decision-makers, and how priorities are continuously refined based on feedback and changing risk conditions.

    The Five Phases of the Threat Intelligence Lifecycle

    Key Objectives at Each Phase of the Threat Intelligence Lifecycle

    1. Requirements & Tasking: Define what intelligence needs to answer and why. This phase establishes clear priorities tied to business risk, assets, and stakeholder needs, providing direction for all downstream intelligence activity.
    2. Collection & Discovery: Gather relevant information from internal and external sources and expand visibility as threats evolve. This includes identifying new sources, closing visibility gaps, and ensuring coverage aligns with defined intelligence requirements.
    3. Analysis & Prioritization: Transform collections into insight by connecting signals, context, and impact. Analysts assess relevance, likelihood, and business significance to determine which threats, actors, or exposures matter most.
    4. Dissemination & Action: Deliver intelligence in formats that reach the right stakeholders at the right time. This phase ensures intelligence informs operations, response, and decision-making, not just reporting.
    5. Feedback & Retasking: Continuously review outcomes, stakeholder input, and changing threats to refine requirements and adjust collection and analysis. This feedback loop keeps the intelligence program aligned with real-world risk and operational needs.

    PHASE 1: Requirements & Tasking

    The first phase of the threat intelligence lifecycle is arguably the most important because it defines the purpose and direction of every activity that follows. This phase focuses on clearly articulating what intelligence needs to answer and why.

    As an initial step, organizations should define their intelligence requirements, often referred to as Priority Intelligence Requirements (PIRs). In public sector contexts, these may also be called Essential Elements of Information (EEIs). Regardless of terminology, the goal is the same: establish clear, stakeholder-driven questions that intelligence is expected to support.

    Effective requirements are tied directly to business risk and operational outcomes. They should reflect what the organization is trying to protect, the threats of greatest concern, and the decisions intelligence is meant to inform, such as reducing operational risk, improving efficiency, or accelerating detection and response.

    This process often resembles building a business case, and that’s intentional. Clearly defined requirements make it easier to align intelligence efforts with organizational priorities, establish meaningful key performance indicators (KPIs), and demonstrate the value of intelligence over time.

    In many organizations, senior leadership, such as the Chief Information Security Officer (CISO or CSO), plays a key role in shaping requirements by identifying critical assets, defining risk tolerance, and setting expectations for how intelligence should support decision-making.

    Key Considerations in Phase 1

     Which assets, processes, or people present the highest risk to the organization?

    — What decisions should intelligence help inform or accelerate?

    — How should intelligence improve efficiency, prioritization, or response across teams?

    — Which downstream teams or systems will rely on these intelligence outputs?

    PHASE 2: Collection & Discovery

    The Collection & Discovery phase focuses on building visibility into the threat environments most relevant to your organization. Both the breadth and depth of collection matter. Too little visibility creates blind spots; too much unfocused data overwhelms teams with noise and false positives.

    At this stage, organizations determine where and how intelligence is collected, including the types of sources monitored and the mechanisms used to adapt coverage as threats evolve. This can include visibility into phishing activity, compromised credentials, vulnerabilities and exploits, malware tooling, fraud schemes, and other adversary behaviors across open, deep, and closed environments.

    Effective programs increasingly rely on Primary Source Collection, or the ability to collect intelligence directly from original sources based on defined requirements, rather than consuming static, vendor-defined feeds. This approach enables teams to monitor the environments where threats originate, coordinate, and evolve—and to adjust collection dynamically as priorities shift.

    Discovery extends collection beyond static source lists. Rather than relying solely on predefined feeds, effective programs continuously identify new sources, communities, and channels as threat actors shift tactics, platforms, and coordination methods. This adaptability is critical for surfacing early indicators and upstream activity before threats materialize internally.

    The processing component of this phase ensures collected data is usable. Raw inputs are normalized, structured, translated, deduplicated, and enriched so analysts can quickly assess relevance and move into analysis. Common processing activities include language translation, metadata extraction, entity normalization, and reduction of low-signal content.

    Key Considerations in Phase 2

     Where do you lack visibility into emerging or upstream threat activity?

    — Are your collection methods adaptable as threat actors and platforms change?

    — Do you have the ability to collect directly from primary sources based on your own intelligence requirements, rather than relying on fixed vendor feeds?

    — How effectively can you access and monitor closed or high-risk environments?

    — Is collected data structured and enriched in a way that supports efficient analysis?

    PHASE 3: Analysis & Prioritization

    The Analysis & Prioritization phase focuses on transforming processed data into meaningful intelligence that supports real decisions. This is where analysts connect signals across sources, enrich raw findings with context, assess credibility and relevance, and determine why a threat matters to the organization.

    Effective analysis evaluates activity, likelihood, impact, and business relevance. Analysts correlate threat actor behavior, infrastructure, vulnerabilities, and targeting patterns to understand exposure and prioritize response. This step is critical for moving from information awareness to actionable insight.

    As artificial intelligence and machine learning continue to mature, they increasingly support this phase by accelerating enrichment, correlation, translation, and pattern recognition across large datasets. When applied thoughtfully, AI helps analysts scale their work and improve consistency, while human expertise remains essential for judgment, context, and prioritization especially for high-risk or ambiguous threats.

    This phase delivers clarity and a defensible view of what requires attention first and why.

    Key Considerations in Phase 3

     Which threats pose the greatest risk based on likelihood, impact, and business relevance?

    — How effectively are analysts correlating signals across sources, assets, and domains?

    — Where can automation or AI reduce manual effort without sacrificing analytic rigor?

    — Are analysis outputs clearly prioritized to support downstream action?

    PHASE 4: Dissemination & Action

    Once analysis and prioritization are complete, intelligence must be delivered in a way that enables action. The Dissemination & Action phase focuses on translating finished intelligence into formats that are clear, relevant, and aligned to how different stakeholders make decisions.

    This phase is dedicated to ensuring the right information reaches the right teams at the right time. Effective dissemination considers audience, urgency, and operational context, whether intelligence is supporting detection engineering, incident response, fraud prevention, vulnerability remediation, or executive decision-making.

    Finished intelligence should include clear assessments, confidence levels, and recommended actions. These recommendations may inform incident response playbooks, ransomware mitigation steps, patch prioritization, fraud controls, or monitoring adjustments. The goal is to remove ambiguity and enable stakeholders to act decisively.

    Ultimately, intelligence only delivers value when it drives outcomes. In this phase, stakeholders evaluate the intelligence provided and determine whether, and how, to act on it.

    Key Considerations in Phase 4

     Who needs this intelligence, and how should it be delivered to support timely decisions?

    — Are findings communicated with appropriate context, confidence, and clarity?

    — Do outputs include clear recommendations or actions tailored to the audience?

    — Is intelligence integrated into operational workflows, not just distributed as static reports?

    PHASE 5: Feedback & Retasking

    The Feedback & Retasking phase closes the intelligence lifecycle loop by ensuring intelligence remains aligned to real-world needs as threats, priorities, and business conditions change. Rather than treating intelligence delivery as an endpoint, this phase focuses on evaluating impact and continuously refining what the intelligence function is working on and why.

    Once intelligence has been acted on, stakeholders assess whether it was timely, relevant, and actionable. Their feedback informs updates to requirements, collection priorities, analytic focus, and delivery methods. Mature programs use this input to adjust tasking in near real time, ensuring intelligence efforts remain focused on the threats that matter most.

    Improvements at this stage often center on shortening retasking cycles, reducing low-value outputs, and strengthening alignment between intelligence producers and decision-makers. Over time, this creates a more adaptive and responsive intelligence function that evolves alongside the threat landscape.

    Key Considerations in Phase 5 

    —  How frequently are intelligence priorities reviewed and updated?

    — Which intelligence outputs led to decisions or action—and which did not?

    — Are stakeholders able to provide structured feedback on relevance and impact?

    — How quickly can requirements, sources, or analytic focus be adjusted based on new threats or business needs?

    — Does the feedback loop actively improve future intelligence collection, analysis, and delivery?

    Assessing Your Threat Intelligence Lifecycle in Practice

    Understanding the threat intelligence lifecycle is one thing. Knowing how effectively it operates inside your organization today is another.

    Most teams don’t struggle because they lack intelligence activities; they struggle because those activities aren’t consistently aligned, operationalized, or adapted as needs change. Requirements may be defined in one area, while collection, analysis, and dissemination evolve unevenly across teams like CTI, vulnerability management, fraud, or physical security.

    To help organizations move from conceptual understanding to practical evaluation, Flashpoint developed the Threat Intelligence Capability Assessment.

    The assessment maps directly to the lifecycle outlined above, evaluating how intelligence functions across five core dimensions:

    • Requirements & Tasking – How clearly intelligence priorities are defined and tied to real business risk
    • Collection & Discovery – Whether visibility is broad, deep, and adaptable as threats evolve
    • Analysis & Prioritization – How effectively analysts connect signals, context, and impact
    • Dissemination & Action – How intelligence reaches operations and decision-makers
    • Feedback & Retasking – How frequently priorities are reviewed and adjusted

    Based on responses, organizations are mapped to one of four stages—Developing, Maturing, Advanced, or Leader—reflecting how intelligence actually flows across the lifecycle today.

    Teams can apply insights by function or workflow, using the results to identify where intelligence is working well, where friction exists, and where targeted changes will have the greatest impact. Each participant also receives a companion guide with practical guidance, including strategic priorities, immediate actions, and a 90-day planning framework to help translate lifecycle insight into execution.

    Take the Threat Intelligence Capability Assessment to evaluate how your program aligns to the lifecycle and where to focus next.

    See Flashpoint in Action

    Flashpoint’s comprehensive threat intelligence platform supports intelligence teams across every phase of the threat intelligence lifecycle, from defining clear requirements and expanding visibility into relevant threat ecosystems, to analysis, prioritization, dissemination, and continuous retasking as conditions change.

    Schedule a demo to see how Flashpoint delivers actionable intelligence, analyst expertise, and workflow-ready outputs that help teams identify, prioritize, and respond to threats with greater clarity and confidence—so intelligence doesn’t just inform awareness, but drives timely, measurable action across the organization.

    Frequently Asked Questions (FAQs)

    What are the five phases of the threat intelligence lifecycle?

    The threat intelligence lifecycle consists of five repeatable phases that describe how intelligence moves from intent to action:

    Requirements & Tasking, Collection & Discovery, Analysis & Prioritization, Dissemination & Action, and Feedback & Retasking.

    Together, these phases ensure that intelligence is driven by real business needs, grounded in relevant visibility, enriched with context, delivered to decision-makers, and continuously refined as threats and priorities change.

    PhasePrimary Objective
    Requirements & TaskingDefining intelligence priorities and tying them to real business risk
    Collection & DiscoveryGathering data from relevant sources and expanding visibility as threats evolve
    Analysis & PrioritizationConnecting signals, context, and impact to determine what matters most
    Dissemination & ActionDelivering intelligence to operations and decision-makers in usable formats
    Feedback & RetaskingReviewing outcomes and adjusting priorities, sources, and focus over time

    How do intelligence requirements guide security operations?

    Intelligence requirements—often formalized as Priority Intelligence Requirements (PIRs)—define the specific questions intelligence teams must answer to support the business. They provide the north star for what to collect, analyze, and report on.

    Clear requirements help teams:

    • Focus: Reduce noise by prioritizing intelligence aligned to real risk
    • Measure: Track whether intelligence outputs are driving decisions or action
    • Align: Ensure security, fraud, physical security, and risk teams are working toward shared outcomes

    Without clear requirements, intelligence efforts often default to reactive collection and generic reporting that struggle to deliver impact.

    Why is the feedback phase of the intelligence lifecycle necessary for a proactive defense?

    Feedback & Retasking turns the intelligence lifecycle from a linear process into a continuous improvement loop. It ensures intelligence stays aligned with changing threats, business priorities, and operational needs.

    Through regular review and stakeholder input, teams can:

    • Identify which intelligence outputs led to action and which did not
    • Retire low-value sources or reporting formats
    • Adjust requirements, collection, and analysis as new threats emerge

    This phase is essential for moving from static reporting to intelligence-led operations, where priorities evolve in near real time and intelligence continuously improves its relevance and impact.

    The post The Five Phases of the Threat Intelligence Lifecycle appeared first on Flashpoint.

    The Top Threat Actor Groups Targeting the Financial Sector

    Blogs

    Blog

    The Top Threat Actor Groups Targeting the Financial Sector

    In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

    SHARE THIS:
    Default Author Image
    January 6, 2026

    Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

    However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

    Why Finance?

    The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

    These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

    Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

    The Threat Actors Targeting the Financial Sector

    To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

    RansomHub

    Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

    Akira

    Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

    LockBit Ransomware

    A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

    Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

    FIN7

    This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

    Scattering Spider

    Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

    Lazarus Group

    This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

    Top Attack Vectors Facing the Financial Sector

    Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

    Third-Party Compromise

    Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

    Initial Access Brokers (IABs)

    Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

    Insider Threat

    Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

    Deepfake and Impersonation

    The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

    Defend Against Financial Threats Using Flashpoint

    The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

    Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

    Request a demo today.

    Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

    Blogs

    Blog

    Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

    In this post, we break down the 91,321 instances of insider activity observed by Flashpoint™ in 2025, examine the top five cases that defined the year, and provide the technical and behavioral red flags your team needs to monitor in 2026.

    SHARE THIS:
    Default Author Image
    January 15, 2026

    Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

    In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

    An insider threat, any individual with authorized access, possesses the unique ability to bypass traditional security gates. Whether driven by financial gain, ideological grievances, or simple human error, insiders can potentially compromise a system with a single keystroke. To protect our customers from this internal risk, Flashpoint monitors the illicit forums and marketplaces where these threats are being solicited. 

    In this post, we unpack the evolving insider threat landscape and what it means for your security strategy in 2026. By analyzing the volume of recruitment activity and the specific industries being targeted, organizations can move from a reactive posture to a proactive defense.

    By the Numbers: Mapping the 2025 Insider Threat Landscape

    Last year, Flashpoint collected and researched:

    • 91,321 posts of insider solicitation and service advertising
    • 10,475 channels containing insider-related illicit activity
    • 17,612 total authors

    On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

    Insider Threat Landscape by Industry

    The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique where threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. This allows the threat actor to receive all the victim’s calls and texts, allowing them to bypass SMS-based two-factor authentication.

    Insider Threat data from January 1, 2025 to November 24, 2025

    Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

    Top Industries for Insiders Advertising Services (Supply):

    1. Telecom
    2. Financial
    3. Retail
    4. Technology

    Top Industries for Threat Actors Soliciting Access (Demand):

    1. Technology
    2. Financial
    3. Telecom
    4. Retail

    6 Notable Insider Threat Cases of 2025

    The following cases highlight the variety of ways insiders impacted enterprise systems this year, ranging from intentional fraud to massive technical oversights.

    Type of IncidentDescription
    MaliciousApproximately nine employees accessed the personal information of over 94,000 individuals, making illegal purchases using changed food stamp cards.   
    NonmaliciousAn unprotected database belonging to a Chinese IoT firm leaked 2.7 billion records, exposing 1.17 TB of sensitive data and plaintext passwords. 
    MaliciousAn insider at a well-known cybersecurity organization was terminated after sharing screenshots of internal dashboards with the Scattered Lapsus$ Hunters threat actor group.
    MaliciousAn employee working for a foreign military contractor was bribed to pass confidential information to threat actors.
    MaliciousA third-party contractor for a cryptocurrency firm sold customer data to threat actors and recruited colleagues into the scheme, leading to the termination of 300 employees and the compromise of 69,000 customers.
    MaliciousTwo contractors accessed and deleted sensitive documents and dozens of databases belonging to the Internal Revenue Service and US General Services Administration.

    Catching the Warning Signs Early

    Potential insiders often display technical and nontechnical behavior before initiating illicit activity. Although these actions may not directly implicate an employee, they can be monitored, which may lead to inquiries or additional investigations to better understand whether the employee poses an elevated risk to the organization.

    Flashpoint has identified the following nontechnical warning signs associated with insiders:

    • Behavioral indicators: Observable actions that deviate from a known baseline of behaviors. These can be observed by coworkers or management or through technical indicators. Behavioral indicators can include increasingly impulsive or erratic behavior, noncompliance with rules and policies, social withdrawal, and communications with competitors.
    • Financial changes: Significant and overlapping changes in financial standing—such as significant debt, financial troubles, or sudden unexplained financial gain—could indicate a potential insider threat. In the case of financial distress, an employee can sell their services to other threat actors via forums or chat services, thus creating additional funding streams while seeming benign within their organization.
    • Abnormal access behavior: Resistance to oversight, unjustified requests for sensitive information beyond the employee’s role, or the employee being overprotective of their access privileges might indicate malicious intent.
    • Separation on bad terms: Employees who leave an organization under unfavorable circumstances pose an increased insider threat risk, as they might want to seek revenge by exploiting whatever access they had or might still possess after leaving.
    • Odd working hours: Actors may leverage atypical after-hours work to pursue insider threat activity, as there is less monitoring. By sticking to an atypical schedule, threat actors maintain a cover of standard work activity while pursuing illicit activity simultaneously.
    • Unusual overseas travel: Unusual and undocumented overseas travel may indicate an employee’s potential recruitment by a foreign state or state-sponsored actor. Travel might be initiated to establish contact and pass sensitive information while avoiding raising suspicions in the recruit’s home country.

    The following are technical warning signs:

    • Unauthorized devices: Employees using unauthorized devices for work pose an insider threat, whether they have malicious intent or are simply putting themselves at higher risk of human error. Devices that are not controlled and monitored by the organization fall outside of its scope of operational security, while still carrying all of the sensitive data and configuration of the organization.
    • Abnormal network traffic: An unusual increase in network traffic or unexplained traffic patterns associated with the employee’s device that differ from their normal network activity could indicate malicious intent. This includes network traffic employing unusual protocols, using uncommon ports, or an overall increase in after-hours network activity.
    • Irregular access pattern: Employees accessing data outside the scope of their job function may be testing and mapping the limits of their access privileges to restricted areas of information as they evaluate their exfiltration capabilities for their planned illicit actions.
    • Irregular or mass data download: Unexpected changes in an employee’s data handling practices, such as irregular large-scale downloads, unusual data encryption, or uncharacteristic or unauthorized data destinations, are significant indicators of an insider threat.

    Insider Threats: What to Expect in 2026

    As 2026 unfolds, insider threat actors will continue to be a major threat to organizations. Ransomware groups and initial access threat actors will continue recruiting interested insiders and exploiting human vulnerabilities through social engineering tactics. Following Telegram’s recent bans on many illicit groups and channels, Flashpoint assesses that threat actors are likely to migrate to different platforms, such as Signal, where encrypted chats make their activity harder to monitor.

    As AI technologies continue to advance, organizations will be better equipped to identify and mitigate insider risks. At the same time, threat actors will likely increasingly abuse AI and other tools to access sensitive information. 
    Is your organization equipped to spot the warning signs? Request a demo to learn more and to mitigate potential risk from within your organization.

    Request a demo today.

    The post Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy appeared first on Flashpoint.

    ❌