Normal view

Received — 18 June 2026 Recorded Future

State Digital Surveillance Risk Landscape

17 June 2026 at 02:00

Executive Summary

Insikt Group assesses that government digital surveillance activities pose a high or very high risk in 31 countries, where state actors exploit telecommunications infrastructure, homegrown and commercial spyware, and artificial intelligence (AI)-powered tools to monitor foreign nationals and business travelers with little to no legal accountability. A further 55 countries categorized as medium risk frequently deploy less-sophisticated surveillance capabilities to target political opposition and dissent –– highlighting the need for organizations to adopt appropriate mitigation measures in jurisdictions with limited oversight mechanisms and track records of surveillance targeting foreign entities or supporting domestic repression.

Insikt Group has identified five broad categories of digital surveillance capabilities built in-house or acquired by governments: network interception, endpoint compromise, platform-level access, public space surveillance, and data aggregation. The risk of a government abusing these capabilities is almost certainly higher in jurisdictions lacking independent oversight mechanisms or clear delineations of the legal, necessary, and proportional use of these capabilities, in line with international standards.

Foreign nationals and business travelers who fail to adequately understand and prepare for digital surveillance risks prior to traveling or conducting operations in a given location can face significant personal and organizational damages, including sensitive data breaches, IP theft, targeted intelligence operations, reputational harm, and increased risks from physical threats or detention.

As such, individuals traveling abroad and their respective organizations should implement mitigation measures to protect sensitive data, commensurate with the level of state surveillance risk in the destination country. These measures range from maintaining standard security hygiene in lower-risk environments to using sterile, non-corporate devices when operating in high-risk jurisdictions.

Key Findings

  • Insikt Group assesses that there are “high” or “very high” levels of digital surveillance risk in 31 countries due to their use of advanced surveillance capabilities against foreign businesses, travelers, and government critics, with limited to no oversight.
  • A further 74 countries have “medium” levels of digital surveillance risk. While 55 of these countries are not known to have deployed advanced surveillance capabilities, there is evidence that their governments have deployed less sophisticated surveillance measures for a variety of purposes, which may include monitoring political opposition, human rights activists, and journalists. The remainder (19) of countries in this category possess advanced surveillance capabilities, but are not known to typically use them in violation of national or international laws.
  • By exploiting control over telecommunications infrastructure and online platforms, governments can conduct mass, indiscriminate monitoring of traffic and user data. The risk of abuse of network interception and platform-level access is almost certainly greatest where judicial authorization requirements and procedural safeguards are weak.
  • The proliferation of commercial spyware, AI-powered public security infrastructure, and increasing collection of biometric and personal data almost certainly enables governments to build comprehensive digital profiles of individuals and leverage them for targeted surveillance operations.
  • Digital surveillance that is not subject to robust oversight and does not abide by the principles of legality, necessity, and proportionality very likely incurs heightened operational, reputational, and legal costs for organizations and individuals, including the loss of sensitive data, the proliferation of cyber vulnerabilities, and legal and physical risks.

Components of Surveillance Risk

Insikt Group regularly assesses risks to business travelers and foreign nationals from government-run digital surveillance operations in 193 countries using Recorded Future’s Country Risk analytic framework. Customers can access Country Risk analysis by querying for State Surveillance Notes in the Recorded Future Intelligence Operations Platform. State Surveillance Notes assess the overall level of state surveillance risk in a given country based on three primary categories:

  • Surveillance Capabilities: The ability of intelligence services, law enforcement agencies, or other state-affiliated or directed entities to undertake digital surveillance, and the scope of these digital surveillance capabilities. This category includes the capabilities of a variety of state and state-nexus actors, including specialized surveillance agencies with broad access to digital infrastructure, state-affiliated groups that deploy spyware for cyber espionage, and individual law enforcement units that carry out traditional wiretapping.
  • History of Digital Surveillance Operations: A government’s historical willingness to carry out unlawful, arbitrary, or overbroad digital surveillance operations. This can include surveillance that violates national law — such as government entities monitoring communications without appropriate authorization — but also covers surveillance that may be sanctioned under national legislation but violates international principles of legality, necessity, and proportionality.
  • Oversight Mechanisms: The existence and efficacy of judicial, legislative, or independent oversight bodies that approve and monitor a government’s digital surveillance operations for compliance with domestic and international law.

A comprehensive evaluation of state surveillance risk in a country requires a composite assessment that takes into account all three categories. For example, a country purchasing high-profile spyware may not, by itself, indicate a high level of risk to business travelers or foreign nationals, provided that the government has a good track record of respecting domestic and international privacy protections and has strong judicial and legislative oversight of intelligence and security agencies. In contrast, a country with less advanced capabilities, but strict control over internet infrastructure and few restrictions on the government’s ability to collect user data, likely poses a greater risk to travelers’ and foreign nationals’ data security.

Insikt Group assesses whether a country’s history of digital surveillance constitutes a risk to foreign nationals and travelers based on its alignment with international principles on privacy and digital rights. Article 12 of the United Nations (UN) Universal Declaration of Human Rights establishes that no individual “shall be subjected to arbitrary interference with his privacy, family, home, or correspondence”. A 2022 UN General Assembly resolution on privacy in the digital age states that

“unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, hacking and the unlawful use of biometric technologies, as highly intrusive acts, violate the right to privacy” and that states should ensure that any interference with this right is consistent with principles of “legality, necessity, and proportionality.”

“Legality,” in this formulation, requires that surveillance or interception be prescribed by “a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.” Surveillance must also be necessary to further the purposes identified in corresponding law, take the least intrusive form required to do so, and be proportionate in scope to the interest being protected.

Key Components of State Digital Surveillance Risk

Capabilities

Surveillance History

Oversight

What technologies support a government’s ability to conduct surveillance?

Do capabilities enable mass surveillance or data collection?

Who are the primary providers of surveillance technologies?

Which government entities have access to these surveillance capabilities?

Who is monitored, and under what conditions?

Do authorities surveil activists, journalists, foreign diplomats, or business representatives?

Does surveillance align with international and domestic law?

Are government security and intelligence entities linked to rights violations?

Does surveillance require prior judicial authorization?

Do judicial, legislative, or expert oversight bodies review surveillance programs’ compliance with domestic and international law?

Are oversight bodies independent, impartial, and effective?

Table 1: State surveillance risk level is a function of not only a jurisdiction’s surveillance capabilities, but also its history of deployment of those capabilities and oversight mechanisms (Source: Recorded Future)

Applying these criteria, and based on data collected from 2024 to 2026, Insikt Group has assessed the level of risk associated with state digital surveillance in 193 countries:

  • Six countries (3%) –– Belarus, China, Iran, Myanmar, North Korea, and Russia –– are “very high risk,” denoting evidence of advanced surveillance capabilities, a lack of independent oversight, regular surveillance targeting foreign businesses and travelers, and widespread suppression of political opposition or dissent.
  • 25 countries (13%) are “high risk,” indicating evidence of moderate to advanced surveillance capabilities, limited independent oversight, and the use of surveillance tools to repress domestic political opposition, activism, or reporting critical of the government.
  • 74 countries (38%) are “medium risk,” either indicating evidence of advanced surveillance capabilities that are not typically used in violation of national or international laws (19 countries), or evidence of less advanced capabilities that are frequently employed to suppress political dissent and activism (55 countries). While countries in this risk tier may have established systems for oversight or judicial review, government surveillance operations do not always abide by their purview.
  • 65 countries (34%) are “low risk,” indicating evidence of moderate to advanced surveillance capabilities exercised under strong oversight with established records of avoiding unlawful or arbitrary surveillance (39 countries), or evidence of limited surveillance capabilities (26).
  • 23 countries (12%) are “very low risk,” indicating minimal ability to conduct digital surveillance, well-established oversight mechanisms, and no indications of surveillance abuses.
A map of the world color-coded by state digital surveillance risk levels, ranging from medium to very high,
Figure 1: State surveillance risks by country from medium to very high risk based on data collected from 2024 to 2026 (Source: Recorded Future)

The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine

16 June 2026 at 02:00

Four Critical Source Types. One Platform. Recorded Future is the Only Threat Intelligence Vendor that Collects and Analyzes Across Four Types of Data Sources.

When a critical vulnerability emerges, most organizations scramble for answers.

What’s being exploited?
Who’s targeting it?
Are we exposed?

During the emergence of the React2Shell vulnerability, one Recorded Future customer didn’t rely on speculation. Using Recorded Future’s IP scanning intelligence, they identified which IPs were actively scanning for exploitation, analyzed the exact request patterns being used, and immediately assessed their own exposure.

Instead of reacting to headlines, they acted on real-time intelligence.

In the first article in our series covering our unique data sourcing model, we looked at why source scale and diversity are essential for maximum threat protection. Now we’ll explain the four source types in more detail to see how, together, they empower our customers to prioritize, pinpoint, and act faster to stop threats.

This is the power of Recorded Future’s technical collection engine.

Technical intelligence at internet scale

Recorded Future continuously collects and analyzes telemetry from across the internet, including:

  • Network traffic analysis across billions of daily network intelligence records (with over 200 points of presence (PoP))
  • Internet-wide scanning and infrastructure monitoring
  • Malware detonation and behavioral analysis
  • Vulnerability exploitation tracking

This technical intelligence provides direct visibility into attacker infrastructure, behavior, and intent.

Finding what others miss

Technical collection becomes most valuable when it reveals what’s hidden.

In one investigation, Recorded Future identified suspicious traffic on a specific port through its Malicious Traffic Analysis. This insight led a security team to uncover additional command-and-control communication that had been missed due to incomplete logging, expanding the scope of the compromise.

This isn’t just detection—it’s discovery.

Deep malware intelligence through sandboxing

Understanding malware requires more than static indicators.

Recorded Future processes over 1.5 million malware samples daily through its sandbox, enabling deep behavioral analysis of:

  • Command-line execution
  • Process activity
  • Network communication
  • Exploit techniques

This allows analysts to move beyond “Is this malicious?” to:

  • How does it behave?
  • What infrastructure does it use?
  • How can we detect it elsewhere?

Customers consistently highlight this capability as transformative.

In one case, a security analyst identified a unique command-line artifact within sandbox results. By pivoting on that behavior in their environment, they uncovered an additional infection vector that would have otherwise gone undetected—avoiding a far more complex incident response scenario.

Intelligence from the underground

Technical signals alone don’t tell the full story.

Recorded Future augments telemetry with intelligence from criminal forums, marketplaces, and adversary communications, revealing:

  • Stolen data and credentials
  • Emerging attack techniques
  • Threat actor intent
  • Ransomware victimology
  • Telegram

This provides critical context for prioritizing risk and understanding adversary motivations.

Community intelligence: strength in numbers

Recorded Future’s Collective Insights capability aggregates detections across organizations, helping customers identify patterns they might not see alone. This is especially important for preparing for monthly C-suite briefs on the latest threat assessments.

One logistics customer used this capability to investigate a multi-stage intrusion, correlating activity across their environment and linking it to nation-state actors in real time. Another customer uses Collective Insights to provide clear visibility into the specific malware most frequently blocked within their own environment, rather than relying on general trends.

This shared intelligence transforms isolated detections into campaign-level understanding.

Proactive defense in practice

This combination of technical, underground, and community intelligence enables proactive defense.

Customers often use Recorded Future’s Threat Map to identify an emerging threat actor and deploy detections in advance. Weeks later, when the actor launches a phishing campaign, customers can immediately detect and block the activity—preventing compromise before it begins.

Where open source fits

Open-source intelligence provides valuable context, but on its own it’s incomplete. Without technical telemetry, behavioral analysis, and external digital risk monitoring, organizations risk seeing only part of the threat landscape.

At Recorded Future, open sources are one part of a broader intelligence ecosystem that also supports data leakage detection, code repository monitoring, social media monitoring, and analysis of web infrastructure and content—including HTML and DOM elements—to identify brand abuse, exposed data, impersonation, and other external threats.

The bottom line

Recorded Future’s technical collection engine doesn’t just gather data. It reveals:

  • Who’s attacking
  • How attacks are executed
  • Where infrastructure is operating
  • When action is required

One platform for comprehensive threat intelligence

While some platforms focus on immediate detection, the Recorded Future Platform maintains years of historical data to reveal long-term patterns. And it automatically connects intelligence from diverse sources, turning separate data streams into unified insights.

From initial reconnaissance through criminal planning, active infrastructure attacks, and malware deployment, our four intelligence source types work together to enable proactive defense across the entire attack lifecycle.

In the next blog in our series, we’ll show how human experts connect the dots, validating our intelligence and making it actionable so you can prevent threats.

To see our four types of data sources in action in the Recorded Future Platform, request a custom demo.

Recorded Future Launches Impact and Metrics Dashboard

11 June 2026 at 02:00

Today, Recorded Future is announcing the Impact and Metrics Dashboard, a new way for every Recorded Future customer to see the value their intelligence program generates without building reports by hand. The dashboard pulls data from your environment, alerts, integrations, threat detections, and analyst activity, then surfaces the metrics that map to the business and security outcomes your leadership cares about.

Security teams have always known that intelligence drives better outcomes. The hard part has been proving it in the language of the business. Boards, CFOs, and CIOs aren't asking for threat counts. They want measurable risk reduction tied to business context, and they want it in numbers they can defend.

Our 2025 ROI Report, validated across nearly 300 customers, puts numbers to what security teams already know. Recorded Future customers have reported achieving 351.3% ROI annually. 57% say the platform has substantially reduced their overall cyber risk. 96% would recommend it to a peer.

But the numbers that resonate most are not the averages. They are the attacks that your team was able to get ahead of. Ransomware stopped before detonation. Credentials reset before an adversary could use them. Fraud campaigns contained before they could reach customers. Until now, capturing that story meant pulling data from across the platform, stitching it together by hand, and rebuilding the same readout every quarter.

The most powerful version of that story is yours and that is what the Impact and Metrics Dashboard is built to show.

What the dashboard covers

Platform-Wide Security Value: Your headline number. Aggregate risk reduction and intelligence coverage across your environment, built for leadership conversations.

Threat Prioritization: See which threat actors and malware families are relevant to your organization, and how Recorded Future AI cuts noise so your team focuses on what matters. Customers who aligned their alerting to PIRs reported identifying new threats 65% faster.

Threat Detection: Understand how intelligence is moving through your security stack, from malware detected in your telemetry to integrations and threat hunting activity. Customers often receive critical alerts hours or days earlier than from other vendors.

Digital Risk Protection: Quantify exposure reduced from fraud, brand impersonation, and credential threats. For organizations with significant brand or customer risk, this is where ROI becomes immediately tangible and immediately explainable to a CFO.

Account & Credential Monitoring: See identity threats surfaced and remediated before they became incidents.

Recorded Future AI & Insikt GroupⓇ Research: Recorded Future’s expert Intelligence team & AI does the work for you, providing deeper insights than most teams could do alone. Measure analyst hours recaptured through AI-powered automation and the volume of expert research your team has put to work. Your efficiency case, in your own numbers.

Today the dashboard surfaces key metrics to start the conversation and give your team something concrete to point to. Over time the calculations will get more personalized, the benchmarks more specific to your organization, and the integration with your business context deeper.

The Impact and Metrics Dashboard is available now for every customer. To find it, navigate to Dashboards > Impact and Metrics in your Recorded Future instance. For setup help or questions, contact your Technical Account Manager (TAM).

Screenshot of the Recorded Future Impact and Metrics Dashboard, displaying key security metrics, risk reduction data, and actionable intelligence insights.

Cyber-Enabled Maritime Sanctions Evasion

11 June 2026 at 02:00

Executive Summary

Iranian and Russian shadow fleet vessels, along with multiple sanctions evasion networks (SENs), are using online infrastructure likely designed to facilitate sanctions evasion. The infrastructure consists of inauthentic websites impersonating ship registries, national maritime administrations, seafarer training and certification organizations, protection and indemnity (P&I) clubs, and ship classification societies, effectively replicating key layers of the maritime compliance stack. The websites are likely being used to circumvent maritime compliance mechanisms by generating and corroborating false documents and certificates.

The online infrastructure is consistent with a service-provider model in which threat actors offer reusable digital infrastructure, documentation, and identities, rather than operating as centrally coordinated, country-specific networks. Three identified clusters of online activity –– designated as Alpha, Bravo, and Charlie for the purposes of this report –– have several technical overlaps, suggesting these clusters may form a broader, loosely connected ecosystem of online infrastructure supporting multiple SENs. This activity also aligns with prior reporting by Bellingcat and Lloyd’s List and demonstrates potential links between the two reports across these three clusters.

This infrastructure blends established sanctions evasion practices, such as exploiting weak jurisdictional oversight in under-resourced jurisdictions to conduct fraudulent ship flag registrations, with increasingly cyber-enabled tactics such as automated document generation and layered infrastructure to produce fraudulent documents and credible front companies, complicating detection and enforcement.

Cyber-enabled SENs almost certainly undermine sanctions compliance mechanisms by developing credible but fraudulent maritime organizations, increasing the risk of due diligence failures and regulatory exposure. Organizations in the maritime and shipping sectors should integrate independent verification and cyber threat intelligence into compliance workflows to proactively identify fraudulent online infrastructure. Governments whose authorities are regularly impersonated by SENs and associated service providers should prioritize coordinated identification and disruption of fraudulent infrastructure, particularly where threat actors claim multi-jurisdictional legitimacy.

Key Findings

  • SENs tied to the Iranian and Russian shadow fleets are likely using over 36 inauthentic websites in three distinct clusters. Insikt Group identified explicit connections between these websites and seventeen vessels, the majority of which have already been sanctioned by the United States (US) Department of the Treasury (USDT)’s Office of Foreign Asset Control (OFAC) and by other countries.
  • Inauthentic websites identified as part of these clusters routinely impersonate national maritime administrations and ship registries from countries such as the Comoros and Benin, as well as Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia.
  • Other websites also aim to establish fictional ship classification societies as credible registered organizations (ROs), in addition to several websites acting as fictional seafarer training and certification organizations and P&I clubs.
  • One website impersonates the Benin Maritime Administration and provides a self-service tool to generate fraudulent seafarer documents from the governments of Benin, the Comoros, and Nicaragua.
  • Attribution for at least two of the clusters documented in this report includes Cluster Alpha, which is likely to have been at least partially developed by an Indian web development company, Oceaniek Technologies. Cluster Bravo is linked to two Syrian nationals, one of whom has previous historical involvement in illicit activity. Cluster Charlie remains unattributed, although it shares technical and design characteristics with Cluster Bravo.

Background

Three partially overlapping clusters of online infrastructure are likely being used by both the Iranian and Russian shadow fleets to evade sanctions (Figure 1). The three clusters (designated Alpha, Bravo, and Charlie) are connected through shared infrastructure, consistent domain registration patterns, and recurring operational security (OPSEC) mistakes.

The activity described in this report also overlaps with two previously unconnected activity clusters described by Bellingcat and Lloyd’s List –– the first tied to Indian web development company Oceaniek Technologies, and the second to a cluster of fraudulent ship registries centered around the domain marinegov[.]net. This activity also aligns with prior reporting from independent researcher Christian Panton, who collaborated with both Bellingcat and Lloyd’s List.

Unlike traditional intrusion sets, these websites enabling maritime fraud and sanctions evasion form a complex network involving front companies, individuals, and vessels. However, Insikt Group has established initial attribution to one of the clusters to two Syrian nationals, with one individual having a record of previous involvement in illicit activities.

diagram showing three partially overlapping clusters—labeled Alpha, Bravo, and Charlie
Figure 1: Clusters identified by Insikt Group (Source: Recorded Future)

2026 FIFA World Cup: What Public Safety Officials Need to Know

10 June 2026 at 02:00
Starting tomorrow, millions of people will gather in sixteen host cities across the United States, Canada, and Mexico to cheer on their teams in the 2026 FIFA World Cup. Securing the tournament will require preparing for a mix of physical security risks, cyber threats, scams, protests, politically motivated activity, and reputational disruption tied to one of the world’s most visible sporting events.

The World Cup’s global profile creates an attractive target environment for a wide range of threat actors. Cybercriminals are already exploiting tournament demand through fraudulent domains, fake stores, credential-harvesting sites, and advertising campaigns. Hacktivists and influence operators will likely try to use the event’s visibility to amplify political narratives or claim responsibility for disruptive activity. At the same time, public safety officials must manage the physical security challenges associated with large crowds, soft targets, protests, transportation hubs, hospitality infrastructure, and fan zones.

Together, these risks create a blended cyber-physical threat environment that requires coordination across public safety, cybersecurity, fraud, legal, communications, brand protection, executive protection, travel security, and third-party risk teams.
An assessment of physical, cyber, and fraud threats to the 2026 FIFA World Cup, visualizing various risk categories associated with the event

Figure 1: Assessment of physical, cyber, and fraud risks affecting the 2026 FIFA World Cup

(Source: Recorded Future)

China's Noncombatant Evacuation Operations: 2005–2025

10 June 2026 at 02:00

Over the past two decades, noncombatant evacuation operations (NEOs) have emerged as an important tool for protecting China’s overseas interests. To assess China’s NEO capabilities for the US Army War College China Landpower Studies Center’s 2026 Carlisle Conference on the PLA (People’s Liberation Army), Insikt Group built an original dataset of 37 Chinese NEOs carried out between January 2005 and August 2025. This blog post has been adapted from Insikt Group’s conference paper, and our “China 2005–2025 Noncombatant Evacuation Operation Dataset” is attached as a PDF.

One of Insikt Group’s most notable findings is that, over the past twenty years, China has consistently mobilized civilian resources to facilitate NEOs, demonstrating China’s reliance on these resources for NEOs and its capability to call upon diverse instruments of national power to protect overseas interests. During this period, at least 65% of China’s NEOs involved support from Chinese state-owned enterprises (SOEs), private enterprises, or United Front/civil society organizations located in the host country, third-party countries, or China. The contributions of SOEs, private enterprises, and United Front/civil society organizations to China’s NEOs include:

  • Organizing evacuation efforts on the ground
  • Communicating official instructions
  • Providing air, land, and maritime transportation
  • Providing relief to evacuees once they arrive in neighboring countries or return to China-


The Chinese Communist Party (CCP) and the Chinese government have continued to take advantage of civilian resources for NEOs since August 2025 — such as for its Iran NEO in early 2026 — and will almost certainly continue to mobilize these resources in the future.

Overview of China’s NEOs

China carried out at least 37 NEOs in 28 different countries between 2005 and 2025 (see image below). China carried out eleven NEOs in Africa, nine in the Middle East, and nine in Asia, with the other eight occurring in the Caribbean, Pacific Islands, Europe, and North America. China conducted multiple NEOs in the Central African Republic, Haiti, Iran, Israel, Kyrgyzstan, Lebanon, Libya, and South Sudan.

Map highlighting 28 countries in which China carried out Noncombatant Evacuation Operations (2005-2025)
The 28 countries in which China carried out a NEO between 2005 and 2025 (Source: Recorded Future)

Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars

9 June 2026 at 02:00

Executive Summary

Since Russia’s full-scale invasion of Ukraine in February 2022, and the subsequent increase in Western sanctions on Russian individuals and firms, Russia’s economy has become increasingly skewed toward the defense sector. This has very likely led Russian political elites to increasingly draw patronage flows from defense-related expenditures. The wide range of sanctions has likely made it difficult for elites to diversify the sources of their graft, leaving them increasingly dependent on defense contracts for illicit funds.

As Russian President Vladimir Putin uses the distribution and withdrawal of patronage flows as a key way to maintain elite loyalty, a steady stream of defense expenditures has likely become an increasingly important cornerstone for Putin’s ability to maintain domestic political stability. Since maintaining domestic political stability is critical to Putin’s political survival, he very likely sees maintaining current defense expenditures as not only a foreign policy priority, but also a domestic political imperative. A decrease in defense expenditures would likely result in a decline in patronage flows to elites, thereby raising the prospect of elite discontent and greater difficulty in maintaining political stability.

Insikt Group therefore assesses that Putin is likely incentivized to engage in conflict abroad, not only for geopolitical purposes, but also to maintain high levels of defense spending. Should the war in Ukraine end without sanctions abatement –– and thus without providing a pathway for economic and patronage flow diversification –– Putin would likely seek alternative venues for mobilization to ensure defense-related patronage flows continue. Likely target states include non-NATO states close to Russia, including Moldova.

Public- and private-sector entities based in Europe and those with investment in Russia or users there are therefore likely to face a high-risk, unpredictable Russia-nexus cyber, physical, and economic threat environment, as long as sanctions preclude diversification of patronage flows beyond the defense sector.

As such, political settlement in Ukraine, coupled with sanctions rollbacks and security guarantees for Ukraine and other non-NATO states close to Russia, such as Moldova, likely would raise the cost of starting a conflict elsewhere while providing Putin with a pathway to diversify his elites’ patronage flows, thereby reducing his incentive to fund Russia’s patronage networks via mobilization.

Key Findings

  • Since the 2022 invasion of Ukraine, Russia’s economy has become increasingly dependent on military spending, with defense expenditures reaching an estimated 7.2% of GDP and 32% of the federal budget by 2025.
  • The military-industrial complex now employs approximately 3.5 million Russians, accounting for roughly 5% of the total labor force, while the production of civilian goods, such as cars and home appliances, has stagnated or declined.
  • Systematic Western sanctions have limited the avenues Russian elites have to accumulate illicit wealth, forcing Russian political and business elites to rely increasingly on defense contracts for patronage and graft.
  • As a decrease in defense spending would likely reduce the patronage flows necessary to maintain elite loyalty and domestic stability, Putin is likely incentivized to maintain high levels of military mobilization, even if the war in Ukraine were to end.
  • Putin’s likely domestic political motivation to maintain military mobilization –– whether in Ukraine or elsewhere –– means that dissuading Putin from pursuing further interventions abroad likely would require not only negotiating a peace in Ukraine and providing security guarantees for Kyiv, but also alleviating sanctions on Russia, thereby providing Putin a pathway to diversify the sources of elite patronage

Received — 8 June 2026 Recorded Future

May 2026 CVE Landscape

8 June 2026 at 02:00

In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.

These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.

The 41 vulnerabilities in this report affected products from 20 vendors. Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enterprise software, security, networking, developer tooling, and cloud-related products.

Quick Reference: May 2026 Vulnerability Table

All 22 vulnerabilities below were actively exploited in May 2026. This table does not include the 19 CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly Report. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2008-4250
99
Microsoft Windows
2
CVE-2009-1537
99
Microsoft DirectX
3
CVE-2009-3459
99
Adobe Acrobat and Reader
4
CVE-2010-0249
99
Microsoft Internet Explorer
5
CVE-2010-0806
99
Microsoft Internet Explorer

(available to Recorded Future Customers)

6
CVE-2025-34291
99
Langflow
7
CVE-2026-0257
99
Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access
8
CVE-2026-0300
99
Palo Alto Networks PAN-OS, Cloud NGFW, Prisma Access
9
CVE-2026-20182
99
Cisco Catalyst SD-WAN and SD-WAN Manager
10
CVE-2026-31431
99
Linux Kernel

(available to Recorded Future Customers)

11
CVE-2026-34926
99
Trend Micro Apex One (On-Premise)
12
CVE-2026-41091
99
Microsoft Defender
13
CVE-2026-42208
99
BerriAI LiteLLM
14
CVE-2026-42897
99
Microsoft Exchange Server
15
CVE-2026-45321
99
TanStack (Multiple Packages)
16
CVE-2026-45498
99
Microsoft Defender
17
CVE-2026-48027
99
Nx Console
18
CVE-2026-48172
99
LiteSpeed cPanel Plugin
19
CVE-2026-6973
99
Ivanti Endpoint Manager Mobile (EPMM)
20
CVE-2026-8398
99
Daemon Tools Lite
21
CVE-2026-9082
99
Drupal Core
22
CVE-2026-26980
99
Ghost CMS

(available to Recorded Future Customers)

Table 1: List of vulnerabilities that were actively exploited in May, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).

Key Trends: May 2026

  • In May 2026, threat actors exploited a Ghost CMS vulnerability in large-scale ClickFix and FakeCaptcha poisoning campaigns.
    • The campaigns used compromised Ghost CMS websites to inject malicious JavaScript, redirect victims through social engineering lures, and stage dropper and loader payloads from attacker-controlled infrastructure.
  • 12 of the 41 vulnerabilities enabled remote code execution (RCE), affecting products from 8 vendors: Microsoft, Adobe, Langflow, Palo Alto Networks, Apache, openDCIM, Fortinet, and Ivanti.
  • Insikt Group identified public proof-of-concept (PoC) exploits for 32 of the 41 vulnerabilities reported this month.
  • The most commonly observed flaws this month were CWE-79 (Cross-site Scripting), CWE-506 (Embedded Malicious Code), and CWE-89 (SQL Injection), with three CVEs each.
  • 5 of the 41 vulnerabilities in this month’s prominent vulnerabilities table were first disclosed between 2008 and 2010, making them at least 15 years old, with the oldest vulnerability being approximately 18 years old.
    • This reinforces our finding that attackers continue to exploit long-known weaknesses in environments where patching has lagged.
    • Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.

Exploitation Analysis

This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns or that have public PoC exploits available. Vulnerabilities with no meaningful public technical detail are summarized in the quick reference table above only.

Threat Actors Exploit CVE-2026-26980 in Ghost CMS To Conduct Large-Scale ClickFix Poisoning Campaigns, Sample Available From Recorded Future Malware Intelligence

On May 21, 2026, cybersecurity firm XLab published a technical analysis detailing large-scale ClickFix poisoning campaigns targeting vulnerable Ghost Content Management System (CMS) instances by exploiting CVE-2026-26980. Ghost CMS allows users to create, manage, and publish content for blogs, media sites, newsletters, and subscription-based websites through a node.js-based publishing platform.

CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated threat actors to extract Ghost Admin API Keys and modify website content through the Ghost Admin API.

As previously reported by Insikt Group®, at least two threat groups exploited CVE-2026-26980 to inject malicious JavaScript into more than 700 compromised Ghost CMS websites across industries, including blockchain, artificial intelligence (AI), and financial technology (fintech). According to XLab, the threat actors used the compromised websites to deliver ClickFix and FakeCaptcha social engineering attacks that tricked victims into executing malicious commands and malware payloads on their systems.

Insikt Group® obtained one of the malicious samples, UtilifySetup.exe, from Recorded Future Malware Intelligence. The sample matched the sandbox YARA rule for detecting Inno Setup packaging. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:

  • Conducts DLL injection
  • Retrieves the system language and geolocation using the Windows registry
  • Drops files named UtilifySetup.tmp (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d) and Grape.exe
  • Enumerates files and directories
  • Retrieves system information
  • Delays execution using the Sleep API function for evasion
  • Detects debuggers using the GetTickCount API function to compare the timing and the IsDebuggerPresent API function
  • Creates a file inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory, corroborating XLab’s analysis
  • Terminates running processes

Sandbox analysis categorized UtilifySetup.tmp as malicious due to the sample exhibiting discovery capabilities. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:

  • Conducts DLL injection
  • Retrieves the system language and geolocation using the Windows registry
  • Executes UtilifySetup.exe installer from the %Temp% directory using internal Inno Setup /SL5 launch parameters
  • Executes a file named Grape.exe inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory

Once executed, Grape.exe performs the following actions on a victim’s machine:

  • Adds a Windows registry Run key entry named electron.app.Grape set to execute itself when the victim logs in
  • Enumerates running processes
  • Sends DNS request to web-telegram[.]ug

Further technical details associated with this activity, including sample analysis, MITRE ATT&CK techniques, and IoCs, are available to Recorded Future customers via Insikt Group® reporting.

Recorded Future customers can also access Malware Intelligence queries that surface samples communicating with campaign-associated URLs, domains, and IP addresses.

Figure 1: Risk Rules History from Vulnerability Intelligence Card® for CVE-2026-26980 in Recorded Future (Source: Recorded Future)

Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage

5 June 2026 at 02:00
Threats don't operate in silos, and neither should your intelligence. This post, the first in a three-part series, breaks down why comprehensive sourcing is the foundation of effective threat intelligence -- and how Recorded Future's Intelligence Graph® monitors over one million sources across technical, criminal, collective, and open-source domains to surface what narrow or siloed solutions miss. From nation-state TTPs to criminal infrastructure to credential leaks, complete coverage is what separates awareness from action.

Threats to the 2026 FIFA World Cup

4 June 2026 at 02:00

Executive Summary

The 2026 FIFA World Cup, which takes place across sixteen host cities in the United States (US), Mexico, and Canada, presents a complex threat environment across multiple security domains. The tournament’s global visibility creates opportunities for both financially and geopolitically motivated threat actors to target attendees, affiliated organizations, sponsors, vendors, and event-supporting infrastructure.

Physical security will almost certainly remain the highest priority for event coordinators and local government officials, given the high levels of international attention and the concentration of large crowds in host cities spanning three countries and multiple, distinct security environments. Mexico’s host cities face the highest physical risk due to the persistent presence of local and transnational criminal organizations (TCOs), with elevated concerns around theft, extortion, kidnapping, and fraud. US and Canadian host cities likely face a more limited threat from violent extremists, with greater risks to soft targets such as fan zones, watch parties, transit hubs, and other crowded public areas.

Civil unrest and disruptive protests are also very likely in a majority of host cities. Localized travel disruptions are especially likely in Mexico, where prior demonstrations have already blocked roads near World Cup venues. Large police or military deployments near event sites will likely increase the risk of confrontation.

The most immediate risk to corporate sponsors and affiliates is likely cybercriminal exploitation of World Cup demand and branding. Recorded Future’s Payment Fraud Intelligence team has already identified World Cup-themed purchase scams, fake FIFA-branded stores, and spoofed FIFA and host city domains. Carders are also likely to leverage stolen payment card credentials to fraudulently purchase event tickets and travel-related services for rapid resale and monetization. Efforts to use individuals’ interest in the World Cup to deliver malware or carry out data extortion or fraud will likely accelerate as the tournament approaches. Threat actors will likely continue to use AI-generated content to scale fraud, impersonation, phishing, smishing, and social engineering campaigns.

The concentration of senior government officials, diplomats, security personnel, corporate executives, and media at World Cup events also very likely increases the risk of cyber espionage and disruptive cyber incidents. Russian, Chinese, and Iranian state-sponsored threat groups will likely use the tournament as an intelligence collection opportunity, targeting executives, VIP attendees, national delegations, media partners, telecommunications providers, airlines, hotels, event logistics firms, and commercial affiliates. China is most likely to pursue targeted espionage, while Russia and Iran pose a higher risk of more disruptive attacks through proxy hacktivism.

Influence activity related to the tournament remains largely overt, driven by state media and diplomatic messaging from Russia, China, and Iran. These narratives focus on host-country legitimacy, Iran’s conditional participation, visa and access issues, public safety, immigration, ticketing, and alleged politicization of the event. Covert influence activity has so far been limited and opportunistic, but could increase as the tournament approaches, particularly around geopolitical flashpoints or viral news events.

Organizations involved in or exposed to the World Cup should prioritize proactive monitoring of location-specific physical security risks, protest activity, cybercriminal infrastructure, phishing and credential exposure, malicious traffic, ransomware indicators, and influence operations. Cyber indicators such as increased scanning activity or newly registered domains linked to FIFA or host cities may indicate an expansion of criminal or espionage activity. Developments around geopolitical flashpoints such as the war in Iran may increase the likelihood of attempts to disrupt the tournament through cyber or physical attacks.

Key Findings

  • World Cup crowds will likely elevate physical security risks around match venues and fan areas, exacerbated by factors such as TCO activity in Mexico and impending primary elections and 250th Independence Day celebrations in the US.
  • Opportunistic criminal activities tied to organized crime very likely constitute the largest physical security risks to Mexico’s World Cup host cities, while US venues face very likely less substantial (but nonetheless tangible) threats from violent extremists, particularly homegrown violent extremists (HVEs).
  • Cybercriminal threat actors are exploiting World Cup-themed branding via purchase scams and phishing infrastructures, with AI-generated content likely enabling operations to surpass volumes observed during prior World Cups. Carders frequently use fraudulent ticket purchases and resale schemes as a rapid monetization method for stolen payment card credentials.
  • Russian, Chinese, and Iranian state-sponsored threat groups will likely use the World Cup as an intelligence collection opportunity, while Russia and Iran pose additional risks of disruptive cyber operations, particularly from proxies and hacktivist personas.
  • World Cup-related influence activity from Russia, China, and Iran is driven overwhelmingly through overt state media and diplomatic messaging, while observed covert activity remains limited, opportunistic, and largely secondary to broader geopolitical narratives about Iran, host-country legitimacy, and US access and security policies.

Country Risk

Insikt Group assessed four categories of country-level risk in World Cup host countries: security and crime data; network intrusion activity, which measures Malicious Traffic Analysis events targeting each country; ransomware attacks targeting victims in each country; and data privacy and surveillance-related risks, accessible in the Recorded Future Intelligence Operations Platform as State Surveillance risk. While public reporting indicates declining crime rates in many World Cup host cities, violent crime risks are almost certainly greatest in Mexico; opportunistic crime, such as theft, likely presents the greatest physical security risk in Canadian and US host cities. By comparison, threats to data security and privacy are likely greatest in the US and Canada, given the higher volume of malicious cyber activity targeting US and Canadian entities. Factors complicating the security environment across World Cup host nations include TCO operations in Mexico; 250th anniversary celebrations in the US; and the lead-up to the US midterm elections in November 2026, including summer primary elections.

A country level security environment chart broken down by Security and Crime, Network Intrusion Activity, Ransomware Targeting and State Surveillance for Canada, Mexico and United States
Figure 1: Composite Country Risk Scores for Canada, Mexico, and the US (Source: Recorded Future)

Remembering Sir Alex Younger

4 June 2026 at 02:00

There are moments when you meet a person who you immediately know will have a formative influence on you — a person you will learn from, who you will respect, who you will follow anywhere, who you will listen to, who will be your friend. Sir Alex was just that.

I was lucky to meet Sir Alex just as he was leaving MI6 in 2020. I traveled to London, having to navigate a few Covid restrictions. I asked him if this would cause problems. He smiled: “It is always better to ask for forgiveness than seek permission,” he said. Immediately I knew that this was someone I would get along with very well.

The objective was straightforward: I was hoping to recruit him to the Recorded Future board of directors, which we eventually accomplished after significant complications got in the way, once again solved by the previous method.

Sir Alex joined a Recorded Future board meeting in New York. As I welcomed him, Alex — smiling characteristically — introduced himself as having run the world’s best intelligence agency, a pointed reminder that superb people, tradecraft, and pedigree can rival any scale. And we wanted to learn from the best.

My assumption, as much as one should not make them, was that Alex could teach us everything in intelligence, except for perhaps around the technical SIGINT-like apparatus that is at the core of Recorded Future. Yet, in our first discussion, talking about “connecting dots,” Alex said, “it is not about connecting dots, it is about connecting entire collections,” which became the very underpinning of how we build our Intelligence Graph®. I was humbled, having underestimated him, and it taught me a valuable lesson.

Yet, the confidence of having run the world’s best intelligence agency did not at all hold back Alex from asking even the most basic questions. Coming from public service, driving revenue was not a familiar concept. As opposed to most senior characters who would do anything to not seem to have all the answers, Alex, early in the first meeting, when hearing the terms ARR and revenue, raised his hand and said, “please explain annualized revenue.” That is the sign of somebody who always wanted to learn and would not let pride get in the way of gaining insights.

Sir Alex brought great moral clarity, yet not the kind that is based on anger, “you’re either with us or against us,” rather, the kind that leads to an alliance of peers sharing in values that can defeat any autocratic counterpart. Teamwork, he would say, is the unique strength of the West, as we can build on trust, whereas our adversaries fundamentally cannot.

Speaking at the Recorded Future 2023 Predict conference, our audience spellbound, Sir Alex paraphrased Milton Friedman: “No individual can make a pencil alone.” He was cheered by everyone, and we know that this was the answer to beat our adversaries.

Over the last few months, I asked Alex for some favors, and I now find myself wondering whether I asked too much of him. He gave a briefing to thousands of Recorded Future clients on Iran with an energy and intellect that would put anyone to shame. And more recently, I asked him for help with a personal endeavour, which in hindsight was too much to ask at the time, yet he did something amazing.

I can only hope that I can be such a friend to my friends as Alex was to me.

Six months ago, when Alex was in the midst of treatment, I asked him if I could take him for a special dinner. We enjoyed amazing food and, truth be told, even more amazing wine. I came early to the restaurant and suggested to them, “he may eat and drink a little, please do not make a fuss about that.” Yet, Alex went at the food and wine with a vengeance, claiming that his treatment left him very hungry. If there ever was a fighting spirit, it was his.

Sir Alex and Christoper sitting at a restaurant and a picture of the course menu on the left.

Please join my Recorded Future colleagues in our cheers for Sir Alex Younger and thoughts for Sarah and their family.

I’m certain that he would want us to take the fight to the bad guys and build even greater alliances with our friends.

Iran Expands Handala Brand to Physical Threats

2 June 2026 at 02:00

Executive Summary

Iran’s Ministry of Intelligence (MOIS) has likely broadened the use of its “Handala” brand to encompass MOIS’s external physical and influence operations targeting US and Israeli interests. Since the beginning of the Iran War, Insikt Group has observed significant overlaps in the online activities of Handala Hack Team, a newly created, Handala-branded persona referring to itself as the “Handala Popular Resistance Front” (HPRF), and three influence operations networks previously identified by Insikt Group. Based on frequent amplification and cross-posting of claims and content between Handala Hack Team and these four additional entities, we now attribute these groups to MOIS, with varying degrees of confidence.

The nexus between these personas and MOIS, as well as their multidomain tactics, techniques, and procedures (TTPs) and targeting, likely reflects how MOIS’s external operations have shifted in response to the Iran War. Notably, the HPRF and the three influence operations networks all almost certainly share a modus operandi: their administrators solicit individuals to conduct physical attacks and espionage targeting US and Israeli entities, on behalf of Iranian intelligence agencies, for a financial reward. By encompassing these groups under the Handala brand, MOIS likely seeks to take advantage of Handala’s global recognition to amplify its solicitation efforts.

MOIS’s likely coordination of distinct cyber, physical, and influence personas under a single brand very likely amplifies physical and cyber threats to targeted individuals and facilities. Handala-linked physical threat actors could almost certainly leverage the recognition of the brand’s hacktivist personas to recruit individuals to conduct targeted violent attacks, espionage, sabotage, or other physical threat activities. Shared resources, intelligence, and coordination efforts from a centralized source likely increase the impact of an attack. This very likely entails heightened risks for US and Israeli law enforcement, military, and intelligence agencies and their personnel, in addition to energy, transportation, and research organizations operating in the region.

The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.

21 May 2026 at 02:00

I've had some version of the same conversation dozens of times since Mythos and Daybreak emerged. CISOs want to know how worried they should be. My honest answer: less than the headlines suggest, and more than most programs are currently prepared for.

Last year, roughly 50,000 software vulnerabilities were disclosed. Recorded Future tracked 446 that were actually weaponized by threat actors. That's less than 1%. The problem was never finding vulnerabilities. It was always knowing which ones adversaries will actually use.

AI makes that distinction harder. Discovery accelerates for everyone, the noise grows faster than any team can manually triage, and the window between a disclosed vulnerability and a working exploit keeps shrinking. Security leaders who've built intelligence-led programs are ready for what's coming. For them, Mythos isn't a crisis. It's the moment their program finally gets the attention it deserves, including in the boardroom.

The threat got faster. The fundamentals didn't.

The instinct to treat AI-assisted vulnerability discovery as a wholesale transformation of the threat landscape isn't quite right, and that imprecision will hurt you in a board conversation.

What's changed is speed. AI has compressed the time between a disclosed vulnerability and a working exploit from days to minutes. Your team has to match that tempo.

What hasn't changed is the fundamental prioritization problem. Disclosed vulnerabilities have more than doubled over the last five years, from roughly 21,000 in 2021 to approximately 50,000 in 2025. That growth happened before AI-assisted discovery became widely accessible. AI makes that challenge faster and more consequential. It doesn't make it new.

That distinction matters because it changes the conversation from "we need to completely rebuild our security program" to "we need to make sure our intelligence capability is operating at the speed the threat environment now demands." The first conversation is expensive and destabilizing. The second is actionable.

Most programs have a triage problem, not a discovery problem

When an AI model returns hundreds of new vulnerability findings, the bottleneck shifts immediately to prioritization. In most organizations, that process is still largely manual. Analysts research each finding, assess severity, cross-reference existing guidance, and attempt to sequence a response. At the volume and velocity these models produce, that workflow can’t keep pace.

The result is a backlog where genuinely critical exposures sit alongside noise, and triage decisions get made without the context needed to get them right. That's not a tooling problem. It's an intelligence problem.

The organizations handling this well have built a layer between discovery and action that automatically correlates every finding against real-world adversary activity, flags vulnerabilities tied to active campaigns, and tells the analyst what it means and what to do about it, not just what was found. Raw discovery tells you that you have a problem. Intelligence-led response tells you which one to solve first, then hunts it down autonomously at machine speed.

There's a second exposure worth naming, and it can produce an uncomfortable board conversation. Most enterprise security investment is concentrated on what enters the environment and what executes at the endpoint. AI-assisted discovery surfaces a different category of risk: exposures that already exist inside the environment, in software running on your infrastructure today, in third-party components that weren't fully inventoried, in vendor systems connected to yours in ways that aren't fully mapped.

Organizations that have concentrated their posture at the edge may find that some of their most consequential vulnerabilities sit somewhere else. That's a hard answer to give a board that just read about Mythos. It's better to surface it yourself than to have someone else surface it for you.

The programs that didn't panic had something in common

The CISOs I talk to who've been building intelligence-led programs for years have handled Mythos differently than organizations that haven't. They didn't need to rebuild anything from the ground up. They used the moment to sharpen programs they'd already been investing in.

But not every organization was already there when Mythos was announced, and that's the more important story for most security leaders reading this. The announcement was a forcing function. The organizations that treated it as one are already in a different position than the ones that didn't.

A financial services customer who came to us shortly after the Mythos announcement is a good example of what moving quickly actually produces. They rebuilt their vulnerability workflow around our automation capability and within two weeks their team had recovered over 20 hours a week that had previously gone to manual triage and research. Those aren't hours saved on busywork. They're hours now going toward work that actually reduces exposure. And when the next wave hits, they won't be caught flat-footed.

What made that possible wasn't just better tooling. It was an intelligence layer that automatically matches vulnerabilities to known threat actors, ties findings to active campaigns where relevant, and scores on real-world exploitation evidence rather than theoretical severity. Every finding arrives with the context an analyst needs to act, without hours of manual research standing between the signal and a response.

The practical outcome is coverage at scale without proportionally growing the team. That's what operating at machine speed means in practice, and it can hold up in a board conversation for a simple reason: it's not just a security answer, it's a business one.

What wins the board conversation

Boards are asking about AI-driven vulnerability discovery because it's broken into mainstream coverage in a way most threat developments haven't. That attention isn't going away. Security leaders who can walk into that conversation with a clear, specific answer about how they're managing the risk will come out with more credibility and more resource authority.

Mythos and Daybreak are the start of a longer trend. The right response isn't to treat each new model as a fresh crisis. It's to build the intelligence foundation that makes your program resilient regardless of what comes next. When you've done that, AI-assisted discovery stops being a source of anxiety and becomes what it should be: a faster path to finding and fixing what actually matters.

Ready to go deeper on the operational response? Recorded Future Chief Product Officer Jamie Zajac lays out the full playbook here.

Received — 20 May 2026 Recorded Future

At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026

19 May 2026 at 02:00

Key Takeaways

  • Discovery has been commoditized. Frontier AI models like Mythos and GPT 5.5 are making vulnerability discovery cheap, fast, and broadly accessible.
  • The defender's job is to match the speed. Manual triage has lost the throughput race.
  • Threat intelligence is the prioritization layer at machine speed. Recorded Future Intelligence observed only 446 actively exploited CVEs in 2025 against approximately 50,000 disclosed — less than 1%.
  • Recorded Future's agentic processing plus Autonomous Threat Operations can be the answer. It offers detection signatures in just 31 minutes and automated action across more than 100 integrations, with third-party reach coming soon. Attackers are operating at this speed. Your defenses have to match them.

It’s now a question I get daily: “What is Recorded Future doing about Mythos?”

It's a fair question. Anthropic's Project Glasswing announcement, paired with the vulnerability research benchmarks coming out of OpenAI's GPT 5.5, has made AI-driven vulnerability discovery a board-level topic in a matter of weeks.

To answer that question, first we need to discuss the operational problem defenders actually face and why threat intelligence can be the best way to counter it at machine speed. Then we'll get into what Recorded Future is already deploying to solve it: our agentic processing.

The problem: drowning in signal, starving for context

Even before AI and the news of Mythos’ capabilities and speed, defenders were struggling. Signal volume was outpacing analyst capacity. Coverage gaps widened daily as long-tail vendors and niche platforms went unmonitored. Raw findings arrived without root cause, threat-actor relevance, or vetted remediation paths. Producing one analyst-grade enrichment took hours of senior researcher time. The math didn't work at enterprise scale.

The reality check: 50,000 disclosed, 446 actually exploited

The data point that should anchor any conversation about the AI vulnerability surge: The NVD disclosed approximately 50,000 CVEs in 2025. Recorded Future Intelligence observed only 446 actively exploited in the wild — less than 1%.

Finding vulnerabilities is one thing, but knowing which ones matter, to which environments, against which adversaries, and with which compensating controls already in place is a whole different matter. Forrester put it directly: “The limiting factor in security is no longer the ability and knowledge to find problems — it's the ability to absorb, prioritize, and act on them before adversaries do.” The bottleneck has always been on the absorb-prioritize-act side. The find side was never the problem.

Frontier AI models accelerate the finding side. Threat intelligence is what helps close the prioritization gap on the fixing side.

The prioritization filter: what turns 50,000 into 446

Threat intelligence is operational, not philosophical. It comes down to four signals that distinguish the small fraction of CVEs adversaries actually weaponize from the overwhelming majority that they don't. These four signals are non-negotiable to be able to get to the prioritizing at speed and scale:

  1. A live risk score. A composite index of exploitation likelihood and impact, recalculated continuously as evidence shifts. Not a static CVSS rating; a live measure of which vulnerabilities are weaponizable, exploitable in modern environments, and likely to be picked up by threat actors.
  2. Active exploitation in the wild. Observed exploitation evidence — not theoretical PoC availability, but documented use against real systems by real actors. Sources include open and dark web telemetry, vendor disclosures, government advisories (CISA KEV catalog and equivalents), and primary research like what Insikt Group® produces.
  3. Ransomware actor association. Mapping CVEs to specific ransomware operators and access broker activity. The same vulnerability used by a financially motivated ransomware affiliate against your sector is a different incident than the same CVE in a state-actor toolkit targeting a different region.
  4. Sector and campaign targeting. Which threat actors are targeting your industry, which TTPs they're using, which exposures map to known tooling.

Together, these four signals are how you prioritize what actually matters for any given defender.

Recorded Future's answer: agentic processing plus Autonomous Threat Operations

If attackers are moving at Mythos speed, your defenses need to keep up using agentic processing and Autonomous Threat Operations. This is my answer to the question we started with about what Recorded Future is doing about the new world we live in.

Agentic processing is the production system that turns exposure signals into deployable intelligence. The pipeline reads descriptions, vendor advisories, and patch diffs the moment they appear. It produces production-ready detection signatures — documented detection logic, evidence specification, passive fingerprinting strategy. It writes analyst-grade enrichment for every finding — root cause, exploit mechanics, threat-actor associations, prioritized defensive controls with deploy-time and false-positive estimates, validated remediation tasks with acceptance criteria and rollback plans.

It’s end-to-end target: identification to deployment in customer environments in only 31 minutes. Internal averages run lower. No security team operating manual triage workflows is matching that throughput.

That content can reach every relevant control point in your environment through Autonomous Threat Operations (ATO).

ATO turns agentic-processing outputs and correlated intelligence into operational action across over 100 integrations spanning SIEM, SOAR, EDR/XDR, NGFW, vulnerability management, threat intelligence platforms, identity and access management, email and cloud security, GRC, and threat-informed defense. It continuously deploys priority intelligence, runs autonomous threat hunts, pushes detection rules, and takes preventive action without analyst hours spent on manual correlation. The 8-to-12 hours of weekly correlation work most analyst teams perform manually is almost entirely eliminated. The hunting cadence becomes 24/7.

Soon, ATO will do this across your attack surface and third parties, as vendor exposure has been the most common path to breach for the past three years.

The five-stage pipeline that produces all of this — threat signals, intelligent enrichment, validation and verification, structured output, and customer workflow — runs continuously. Production-ready content is in customer environments within minutes of the originating disclosure across every category of threat the platform detects.

Why agentic processing is different, and why your organization needs it

Four things distinguish agentic processing from anything a security team can build manually:

  1. Hours → minutes. A complete enriched finding can be produced in minutes, not the hours of manual research the same output used to require.
  2. Order-of-magnitude efficiency. Based on Recorded Future R&D findings, per-vulnerability triage runs at 40x the efficiency of manual research effort, enabling coverage at scale your team cannot achieve by hand.
  3. Long-tail coverage. Localized vendors, niche platforms, and legacy systems become economically viable to cover at breadth.
  4. Always current. Continuous refresh cycles keep intelligence accurate as threats evolve.

These benefits represent the difference between preventing threats pre-attack and absorbing the damage after.

Let’s look at an example of what agentic processing does at machine speed.

React2Shell with agentic processing

Take CVE-2025-55182 — React2Shell, a pre-authentication remote code execution vulnerability in React Server Components. Within minutes of disclosure, agentic processing produced:

  1. An Attack Surface Intelligence (ASI) detection signature with documented detection logic, evidence specification, and passive fingerprinting strategy
  2. Root cause and exploit mechanics down to the specific code path
  3. Active campaigns, threat-actor associations, observed exploitation evidence
  4. Confidence-graded indicators of compromise with detection commands
  5. Prioritized defensive controls with deploy-time and false-positive estimates
  6. Manual validation procedures, remediation tasks with acceptance criteria and rollback plans, and post-remediation verification commands

In this new Mythos age, this type of agentic processing and speed is going to be required as the new baseline.

Beyond vulnerabilities: the same playbook generalizes

Vulnerability disclosure is the most visible trigger for the intelligence-at-speed pattern, but it isn't the only one. The same operational logic applies wherever a new threat signal surfaces and a defender needs to act on it before the adversary monetizes it.

When a brand impersonation site is stood up, the defensive sequence is the same: detection, intelligence enrichment (registrant, registrar, hosting infrastructure, historical campaign association), prioritized defensive controls (takedown coordination, blocking at email and web layers, alerting affected employees), and verification that the takedown landed. Recorded Future's Digital Risk Protection runs this loop continuously across the open, deep, and dark web.

When a stolen credential surfaces in an infostealer log market, Identity Intelligence runs the same pattern: detection of credentials tied to your environment, enrichment with infection context (malware family, device, other credentials in the same log, MFA cookie capture status), prioritized response (force password reset, revoke active sessions, alert the user), and verification.

The pattern is the posture. Apply intelligence at machine speed wherever the adversary is acting, across every category of threat surface. Vulnerabilities are one trigger. The work generalizes. Recorded Future is operationalizing intelligence at machine speed across our four solutions, Cyber Operations, Digital Risk Protection, Third-Party Risk, and Payment Fraud Intelligence.

What this means for defenders

The operational response to AI-driven vulnerability discovery is what separates organizations that contain exposures from those that wake up to incident response calls.

We are seeing customers set up automation to move faster in response to this new reality. A large enterprise in the financial services sector used Recorded Future to transform their vulnerability management workflow. Following a major patching effort across the organization, the team built out automation between their vulnerability scanning and IT service management tools. The result: a streamlined, repeatable process and an estimated weekly time savings of over 20 hours for the team.

We recommend taking these five actions so you can respond as well:

  1. Move to autonomous intelligence-led security. Asset inventories are no longer sufficient without knowing if a vulnerability exists, if it is a priority, and what the blast radius is.
  2. Compress your disclosure-to-detection cycle to minutes. Manual signature creation runs in days. Adversaries are moving in hours. Whatever your current cycle time, halving it is now baseline.
  3. Demand intelligence-led prioritization, not severity scores. CVSS and EPSS describe the universe of vulnerabilities, not which ones are being weaponized against your sector this quarter. Threat intelligence helps you prioritize.
  4. Action across the full stack, not just the endpoint. AI-driven discovery surfaces flaws in app code, kernels, libraries, and cloud configurations. Defensive response requires reaching wherever the attacker might use the bug.
  5. Apply the same posture across all four threat surfaces. Cyber Operations, Digital Risk Protection, Third-Party Risk, and Payment Fraud all face the same AI-augmented attacker clock speed.

AI-driven vulnerability discovery is here. The big question is whether your systems can operate at attacker speed, with a depth of intelligence that survives executive scrutiny. If the answer isn’t a confident yes, then Mythos and the category behind it have already shifted the math against you.

See it in production. Request a demo to see Recorded Future Intelligence and Autonomous Threat Operations turn a vulnerability disclosure into deployable detection and action across your stack within minutes.

Received — 19 May 2026 Recorded Future

April 2026 CVE Landscape

15 May 2026 at 02:00

In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.

31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.

Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and server platforms, developer and application-delivery software, remote support tools, and network-edge infrastructure.

In April, Insikt Group created Nuclei templates for the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987). These Nuclei templates are available to Recorded Future customers.

Quick Reference: April 2026 Vulnerability Table

All 31 vulnerabilities below were actively exploited in April 2026. This table does not include the 6 CVEs associated with honeypot activity. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2009-0238
99
Microsoft Office Excel, Excel Viewer, Office Compatibility Pack, Office

(available to Recorded Future Customers)

2
CVE-2012-1854
99
Microsoft Office, Visual Basic for Applications
3
CVE-2020-9715
99
Adobe Acrobat, Acrobat Reader
4
CVE-2023-21529
99
Microsoft Exchange Server
5
CVE-2023-27351
99
PaperCut NG, MF
6
CVE-2023-36424
99
Microsoft Windows Server
7
CVE-2024-1708
99
ConnectWise ScreenConnect
8
CVE-2024-27199
99
JetBrains TeamCity On-Premises
9
CVE-2024-57726
99
SimpleHelp remote support software
10
CVE-2024-57728
99
SimpleHelp remote support software
11
CVE-2024-7399
99
Samsung MagicINFO Server
12
CVE-2025-2749
99
Kentico Xperience
13
CVE-2025-29635
99
D-Link DIR-823X
14
CVE-2025-32975
99
Quest KACE Systems Management Appliance
15
CVE-2025-48700
99
Synacor Zimbra Collaboration Suite (ZCS)
16
CVE-2025-60710
99
Windows Server Host Process for Windows Tasks
17
CVE-2026-1340
99
Ivanti Endpoint Manager Mobile
18
CVE-2026-20122
99
Cisco Catalyst SD-WAN Manager
19
CVE-2026-20128
99
Cisco Catalyst SD-WAN Manager
20
CVE-2026-20133
99
Cisco Catalyst SD-WAN Manager
21
CVE-2026-21643
99
Fortinet FortiClient EMS
22
CVE-2026-32201
99
Microsoft SharePoint Server
23
CVE-2026-32202
99
Windows Shell
24
CVE-2026-33825
99
Microsoft Defender

(available to Recorded Future Customers)

25
CVE-2026-34197
99
Apache ActiveMQ, ActiveMQ Broker
26
CVE-2026-34621
99
Adobe Acrobat, Acrobat Reader
27
CVE-2026-35616
99
Fortinet FortiClient EMS
28
CVE-2026-39987
99
Marimo
29
CVE-2026-41940
99
cPanel, WHM, WP Squared
30
CVE-2026-3502
89
TrueConf Client
31
CVE-2026-5281
89
Dawn in Google Chrome

Table 1: List of vulnerabilities that were actively exploited in April based on Recorded Future data (excluding honeypot-sourced CVEs).

Key Trends: March 2026

  • In April 2026, seven of the 37 vulnerabilities in this report were linked to ransomware activity.
    • Six are explicitly tied to Storm-1175's Medusa ransomware operations.
    • CISA has also linked CVE-2026-41940 with known ransomware use (Sorry Ransomware, per open source reporting).
    • Additionally, threat actors exploited CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium botnet.
  • Sixteen of the 37 vulnerabilities enabled remote code execution (RCE), affecting products from twelve vendors: Adobe, Apache, D-Link, Fortinet, Google, Ivanti, Kentico, Marimo, Microsoft, SimpleHelp, TrueConf, and Wazuh.
  • Insikt Group® identified public proof-of-concept (PoC) exploits for 24 of the 37 vulnerabilities in this report.
  • The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-94 (Code Injection), CWE-20 (Improper Input Validation), and CWE-306 (Missing Authentication for Critical Function).
  • Three of the 37 vulnerabilities are at least five years old, with the oldest approximately seventeen years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was two days.

Exploitation Analysis

This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns, that have public PoC exploits available, or for which Insikt Group® has created Nuclei templates to detect the vulnerability. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.

Threat Actors Exploit TBK DVR Vulnerability (CVE-2024-3721) to Deliver Nexcorium

On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, formerly known as Twitter), associated with Fortinet (@Fortinet), published a technical analysis detailing a campaign that exploits TBK Digital Video Recorder (DVR) devices to deliver Nexcorium, a Mirai-based botnet. A TBK DVR device is a surveillance system recorder that captures, stores, and allows playback or remote viewing of video from connected security cameras. According to FortiGuard Labs, Nexcorium targets TBK DVR-4104 and DVR-4216 systems by exploiting CVE-2024-3721, an operating system (OS) command injection vulnerability that allows remote threat actors to execute arbitrary system commands.

Based on FortiGuard Labs’ analysis, the campaign begins with the exploitation of CVE-2024-3721 through crafted requests that manipulate the mdb and mdc arguments in TBK DVR devices, which delivers a downloader script named dvr. The exploit includes the HTTP header X-Hacked-By with the value Nexus Team - Exploited By Erratic. The dvr script retrieves Nexcorium binaries with filenames beginning with nexuscorp for architectures such as ARM, MIPS R3000, and x86-64. The dvr script then sets the Nexcorium binaries’ permissions to 777, and executes them with an argument that identifies the compromised system.

Further technical details associated with this activity, including sample analysis and IoCs, are available to Recorded Future customers via Insikt Group reporting.

Recorded Future customers can also access Malware Intelligence queries, which surface samples that connect to known network indicators.

Figure 1: Vulnerability Intelligence Card® for CVE-2024-3721 in Recorded Future
Figure 1: Vulnerability Intelligence Card® for CVE-2024-3721 in Recorded Future (Source: Recorded Future)

NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals

14 May 2026 at 02:00

As of April 15, 2026, NIST enriches only CVEs that appear in the CISA Known Exploited Vulnerabilities catalog, federal government software, or software designated critical under Executive Order 14028. Everything else carries a "Lowest Priority" status: no CVSS score, no affected product mappings, no weakness classification. NIST enriched roughly 42,000 CVEs in 2025, and submissions in early 2026 are running about a third higher year-over-year. Industry estimates suggest the prioritized categories will cover only 15–20% of anticipated CVE volume going forward.

For teams whose vulnerability management workflows depend on CVSS scores from NVD, this could create an operational gap. The CVEs in the unenriched backlog can signify real vulnerabilities affecting real software. They don't necessarily stop mattering because NIST didn't get to them.

Recorded Future does not believe that the solution is to source CVSS scores faster. Instead, Recorded Future endeavors to provide the signals that actually reflect attacker behavior. CVSS was designed to characterize the technical properties of a vulnerability — attack vector, complexity, required privileges, potential impact. CVSS was not designed with patch prioritization as a prime concern. This distinction has always existed; the growing gap in NVD enrichment increases the importance of the right intelligence and insights that can capture attacker behavior in real time.

Where vulnerability risk actually originates

Exploit code surfaces on GitHub. Proof-of-concept development gets discussed in offensive security forums and underground communities. Ransomware operators evaluate which vulnerabilities fit their deployment pipelines. Threat actors incorporate specific CVEs into their toolkits and begin scanning in search of exploitable targets.

At some point during or after that sequence, a CVE gets assigned and, under the previous policy, would eventually be enriched by NVD. By the time a practitioner sees a CVSS score in their scanner, the risk may already have materialized.

The delay between attacker use and the assignment of a CVE and CVSS score is not a new dynamic. For this reason, Recorded Future's vulnerability Risk Scores were never built to depend on NVD enrichment.

The intelligence that determines whether a vulnerability is dangerous originates in the technical communities, underground markets, exploit repositories, and malware ecosystems where attackers work. It does not come from institutional databases processing CVEs up to weeks or months post-assignment. NVD's policy change doesn't create a gap in Recorded Future's coverage because NVD is not the primary signal behind Recorded Future Vulnerability Intelligence.

What the model actually weighs

Recorded Future's risk scoring maps directly to the vulnerability weaponization lifecycle. Many of the signals fire based on where a CVE sits on that path, not on what NIST has or hasn't scored.

Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard
Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard (Source: Recorded Future).

The signals that carry the most weight are those tied to active exploitation in the wild — malware samples observed by Recorded Future's collection infrastructure, ransomware operations validated by Insikt Group® analysts, and other direct evidence of attacker use. Confirmed exploitation activity carries the most weight in the model, regardless of a CVE's CVSS score. These are the signals that answer the question practitioners actually need answered: is someone using this right now?

Below active exploitation, the model tracks proof-of-concept availability, including the distinction between a verified and unverified PoC. Verified exploit code that demonstrates remote execution is a materially different signal from an unverified proof of concept of unknown reliability. As an example, exploit code on GitHub is not theoretical risk; it usually compresses the time between disclosure and weaponization. Recorded Future Risk Scores treat it accordingly.

In addition to these collection and analytic capabilities, Recorded Future tracks web reporting about a CVE before NVD has published enrichment data. For the majority of new CVEs going forward, this pre-NVD signal may be the earliest structured intelligence available anywhere. A CVE that NIST has marked Lowest Priority can still accumulate signals across many dimensions. As a result, the absence of a CVSS score in NVD doesn't create a blind spot in Recorded Future's assessment.

CVSS still matters. It just isn't the foundation.

CVSS scores flow into the model from multiple sources. Many CVE numbering authorities (CNAs) supply CVSS scores at the point of submission, and CVSS coverage across published CVEs remained above 90% in 2025 even as NVD's independent enrichment narrowed. That doesn't mean CNA-supplied scores are interchangeable with NVD's. Academic analyses of dual-scored CVEs have documented divergence rates above 50% throughout the past decade, reaching 70% in 2023, with disagreements sometimes large enough to move a vulnerability across severity tiers. For CVEs where neither NVD nor a CNA has provided scoring, Recorded Future independently assigns scores through its own analysis. CVSS occupies one position in the model, alongside signals grounded in observable attacker behavior, and those signals operate independently of whether a CVSS score exists at all.

What to do with this

Audit where your prioritization signals come from. If your program is relying entirely or primarily on CVSS scores pulled from NVD, you may have exposure, not just from the existing backlog, but from every new CVE entering the ecosystem under the new policy.

Recorded Future Vulnerability Intelligence, as a part of the Cyber Operations solution, scores every CVE against the full signal set — exploitation activity, malware and ransomware associations, proof-of-concept availability, threat actor targeting, and analyst-validated intelligence. All independent of NVD's enrichment pipeline. See this prioritization and automation in action with this click-through tour.

See how Vulnerability Intelligence integrates with your existing vulnerability management workflow — request a demo.

Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense

14 May 2026 at 02:00

Executive Summary

Artificial intelligence is often discussed as a tool for automating and accelerating existing cybersecurity workflows. While that framing is accurate, it is incomplete. The most consequential shift occurs when AI is combined with threat intelligence — both intelligence about attacker capabilities and TTPs, and intelligence about our own defensive weaknesses and exposure. This combination produces qualitatively new defensive capabilities that may, for the first time, begin to structurally narrow the long-standing asymmetry between attackers and defenders.

This memo examines what is genuinely new about AI-enabled defense, with particular emphasis on how the fusion of threat intelligence and AI reasoning changes the strategic calculus. It also argues that in the end, it is a question of who can most efficiently use scarce resources (compute and energy) to get the upper hand. Intelligence guides defenders in how to best use these resources to defend, thereby changing the balance of power against adversaries.

The Traditional Defender’s Dilemma

The core asymmetry in cybersecurity is well understood: defenders must protect every possible attack surface, while attackers only need to find one exploitable weakness. Defenders operate under constraints — budgets, compliance mandates, uptime requirements — while attackers can be patient, selective, and asymmetric.

Traditionally, threat intelligence has been consumed by defenders as a feed: indicators of compromise, malware signatures, and published advisories. This intelligence was valuable but largely reactive and disconnected from the defender’s own environment. Knowing that a threat group uses a particular technique is only useful if you can rapidly assess whether that technique works against your infrastructure. That assessment has historically required scarce human expertise, time, and tooling — precisely the resources defenders lack.

The Automation Layer: Real But Evolutionary

A significant portion of AI’s current impact on defense is best described as automation of existing processes: faster alert triage, automated enrichment, accelerated patch prioritisation, and AI-assisted Tier 1 SOC analysis. These improvements are valuable — they compress response times, reduce analyst fatigue, and address chronic staffing shortages — but they are conceptually extensions of workflows that already existed.

Similarly, AI can automate the ingestion and normalisation of threat intelligence feeds, reducing the manual work of parsing reports and extracting indicators. This is useful, but it does not change what defenders can fundamentally do with that intelligence. The real transformation lies elsewhere.

The Convergence: Where Threat Intelligence Meets AI Reasoning

The most significant shift is not AI applied to defense in isolation, nor threat intelligence consumed as a feed. It is the convergence of the two: AI systems that can reason simultaneously over what attackers are doing and what defenders are exposed to, in real time, at scale. This convergence produces capabilities that did not previously exist.

1. Connecting Attacker TTPs to Your Actual Exposure

Traditionally, a threat intelligence report might tell you that a particular adversary group is exploiting a vulnerability in a specific product, or is targeting your sector using a known technique chain. Acting on that information used to require an analyst to manually map those TTPs against your environment: do we run that product? Is the vulnerable version deployed? Are the relevant network paths open? Are our detection rules adequate for that technique?

AI can perform this mapping continuously and at scale. When a new threat report lands, an AI system can immediately cross-reference the described TTPs against a live model of your infrastructure, your patching state, your detection coverage, and your segmentation — and surface a prioritised assessment of actual risk, not theoretical risk. This transforms threat intelligence from awareness into actionable, environment-specific defense guidance.

2. Fusing Offensive Intelligence With Defensive Weakness Data

Defenders have long maintained two separate bodies of knowledge: external threat intelligence (what adversaries are capable of and likely to do) and internal vulnerability and exposure data (what weaknesses exist in our own environment). These have typically lived in different systems, managed by different teams, and reconciled manually and infrequently.

AI enables continuous fusion of these two streams. A model can hold both the attacker’s perspective — known TTPs, targeting patterns, tooling, and objectives — and the defender’s perspective — unpatched systems, misconfigured controls, overprivileged accounts, and detection gaps — and reason about the intersection. The result is not a vulnerability list or a threat report, but an integrated picture of where the attacker’s capabilities meet our specific weaknesses. This is the analysis that the best red teams produce during an engagement, except it can now run continuously rather than quarterly.

3. Predictive Prioritisation Based on Adversary Behaviour

Patch prioritisation has traditionally been driven by CVSS scores — a measure of theoretical severity that ignores both attacker intent and environmental context. AI models trained on threat intelligence can reorder priorities based on which vulnerabilities are actually being exploited in the wild, by which adversary groups, against which sectors, using which delivery mechanisms. Combined with internal exposure data, this enables prioritisation that better reflects real-world risk rather than abstract severity.

The same logic applies to detection engineering. Rather than building detections for every possible technique, AI can identify the techniques most likely to be used against your specific environment — based on who is targeting your sector, what tools they use, and where your coverage gaps are — and focus engineering effort where it matters most. In fact, in most cases AI will be able to build those detectors for you!

4. Reasoning Over Context at Scale

Traditional detection systems correlate events against rules. AI models can reason about events holistically, synthesising partial logs, ambiguous telemetry, and unusual configuration changes into a judgment that approximates what a senior analyst would conclude. Crucially, this reasoning can be informed by threat intelligence: not just “is this anomalous?” but “is this consistent with the tradecraft of groups known to target us?” That contextual layer makes detection both more accurate and more relevant.

5. Continuous Attack-Path Modelling

Historically, understanding one’s own exposure was a periodic exercise: run a penetration test, receive a report, remediate, repeat. AI enables a living model of the environment that continuously re-evaluates exploitable paths to critical assets as conditions change. When this model is enriched with threat intelligence — particularly information about which attack paths adversaries actually favour, and which tools they use to traverse them — the result is a dynamic, threat-informed view of exposure that stays up to date automatically, not only when your manual pen testers or red team have time to update it.

6. Adversarial Prediction During Active Incidents

During an active incident, experienced responders draw on their knowledge of attacker behaviour to anticipate likely next moves. AI models trained on threat intelligence and historical incident data can encode this reasoning and make it available to any response team. If the model recognises that the observed initial access technique and lateral movement pattern are consistent with a known adversary group, it can predict likely next steps — which credentials they will target, which persistence mechanisms they prefer, which data they are likely to exfiltrate — and help defenders get ahead of the intrusion rather than simply reacting to each new indicator.

Turning the Tables: AI-Enabled Deception

The capabilities described above are fundamentally defensive: detecting, predicting, and prioritising. But the convergence of AI and threat intelligence also opens a qualitatively different category of action — using intelligence about the attacker to actively mislead them.

From Static Honeypots to Adaptive Deception

Deception technologies such as honeypots and honeytokens have existed for decades, but they have always been constrained by how static and labour-intensive they are to deploy convincingly. A skilled attacker can often identify a honeypot by its lack of realistic activity, stale data, or inconsistencies with the surrounding environment. AI removes these constraints. AI-generated deception environments can include realistic-looking decoy infrastructure — fake services, plausible file shares, synthetic credentials, even simulated user activity patterns — that adapts dynamically in response to attacker behaviour. Rather than a static trap that a competent adversary recognises and avoids, the defender can maintain a deception layer that evolves to stay convincing.

Intelligence-Informed Decoy Placement

This capability ties directly into the threat intelligence fusion described above. If you know which TTPs a likely adversary uses, which attack paths they favour, and where your real weaknesses are, AI can place decoys precisely along the routes those adversaries are most likely to take. The deception is no longer generic; it is tailored to the specific threat. A decoy credential can mimic the type of service account the adversary’s tooling is known to target. A fake file share can contain documents plausible enough to absorb attacker time and attention, and simultaneously provide new intelligence about the adversary. The threat intelligence that informs your defensive posture simultaneously informs your deception strategy. This is “Machine Counter Intelligence”!

Imposing Costs and Eroding Attacker Confidence

AI-generated deception at scale inverts a piece of the traditional asymmetry. Attackers who encounter a pervasive deception layer must spend significant time and effort distinguishing real assets from fake ones. Every interaction with a decoy wastes their resources, degrades their confidence in the intelligence they have gathered, and increases the risk that they will trigger an alert. In effect, the attacker now faces a version of the defender’s dilemma: they must verify everything, while the defender only needs one decoy to succeed.

Active Intelligence Collection Through Engagement

Perhaps most significantly, AI can interact with attackers inside deception environments in ways that feel plausible, drawing out more of their tooling, techniques, and objectives. This turns deception from a passive tripwire into an active intelligence-gathering operation. The tradecraft revealed through these engagements feeds back into the threat intelligence cycle, improving the defender’s understanding of the adversary and refining future defensive and deceptive measures. The result is a virtuous loop: intelligence informs deception, deception generates new intelligence.

There is an inherent tension in active deception engagement: traditional incident response doctrine prioritises minimising dwell time, while deception-based intelligence collection deliberately extends it. The risks are real — containment failure if the deception boundary isn't airtight, resource cost of sustained monitoring, potential legal and regulatory questions about why an attacker was permitted to remain active, and the possibility that a sophisticated adversary recognises the deception and feeds false signals back to poison your intelligence. These risks do not invalidate the approach, but they define the conditions under which it works. Active engagement requires genuinely isolated deception infrastructure, and clear decision frameworks for when to engage.

Democratising Access to Intelligence-Driven Defense

A less obvious but structurally significant change is that AI lowers the barrier to performing intelligence-driven defense. When an analyst can query in plain language — “which of our externally-facing systems are vulnerable to techniques used by a certain threat group in the last 90 days?” — and receive an accurate, contextualised answer, the skill requirement for effective threat-informed defense drops substantially. This is not doing an old thing faster; it is enabling a different operating model in which threat intelligence becomes a working tool for the entire security team, not just the analysts who specialise in it.

Strategic Implications

The most profound implication is that defenders have historically been reactive because they lacked the cognitive bandwidth to continuously fuse offensive intelligence with their own exposure data. AI makes this fusion not only possible but economically viable for organisations that could never previously afford dedicated threat intelligence teams, red teams, and continuous assessment programmes.

This changes the nature of the defender’s dilemma. The traditional framing — “defenders must protect everything; attackers only need one way in” — assumed that defenders could not know, in real time, which parts of their attack surface are most likely to be targeted. AI-enabled threat intelligence fusion challenges that assumption. If defenders can continuously identify the most probable attack paths based on current adversary behaviour and their own specific weaknesses, they can concentrate resources where they matter most. The dilemma does not disappear, but the defender is no longer operating blindly, but can take control.

The key asymmetry is therefore shifting from “attacker versus defender” to “AI-augmented versus non-augmented.” Organisations that integrate AI with robust threat intelligence programmes may find themselves closer to parity with attackers than at any point in the history of the field. Those that do not will face an even steeper version of the traditional dilemma, as AI-empowered adversaries exploit the widening gap.

Final Words

The emergence of fully autonomous AI agents on both sides raises unresolved questions. If attackers deploy autonomous offensive agents that can chain exploits and adapt to defenses without human guidance, defenders will need equally autonomous systems — systems that consume threat intelligence, assess exposure, and act on the results without waiting for human approval. The governance, trust, and control challenges this creates are substantial, but the journey towards this goal must begin now.

There is also a risk that the intelligence-AI feedback loop becomes adversarial in new ways. Sophisticated attackers who understand that defenders are using AI to map TTPs against exposure may deliberately vary their tradecraft to evade predictive models, or generate false signals to misdirect AI-driven defense. The quality and provenance of threat intelligence will become even more critical as AI amplifies both its value and the consequences of acting on flawed data — we need automation-grade intelligence!

We have not changed the basic equation: defenders must still know and mitigate every weakness, while the attacker needs only one. AI does not abolish that asymmetry, and claiming otherwise would be dishonest. What AI fused with threat intelligence does is change the terms of the contest. Instead of defending blind — treating every weakness as equally likely to be exploited — defenders can now continuously map attacker capabilities against their own specific exposure, concentrate resources on the paths adversaries actually use, and impose real friction through deception that degrades the attacker's speed advantage. The attacker still only needs one weakness, but they are now searching for it in an environment that fights back: one that predicts where they will look, places convincing traps along those paths, and learns from every encounter.

The defender may never achieve dominance, but the era of structural helplessness — of knowing that the asymmetry is permanent and unmanageable — is ending for organisations willing to invest in these capabilities. Parity in an adversarial contest is not a consolation prize; it is the condition under which skill, preparation, and operational discipline start to matter more than structural advantage.

Diagram showing how AI-powered Deception Networks flip the defender's dilemma in cyber defense

Received — 11 May 2026 Recorded Future

Working in London at the World’s Largest Intelligence Company

8 May 2026 at 02:00

Intro

There’s a certain energy you can only find at Recorded Future. Take that energy and bring it to London’s “Silicon Roundabout” and you get the perfect spot for Futurists to build and innovate.

Recorded Future's office @ The Bower on Old Street. Source: https://www.theboweroldst.com/

Across the globe, Recorded Future is 1000+ employees working towards the same mission: Securing Our World With Intelligence.

Our London office – one of our most storied hubs – hosts a range of departments supporting both local, regional, and global operations. The office brings together 100+ cross-functional professionals from People & Talent Acquisition, Finance, Sales, Marketing, Global Services, Research, and more!

Looking back: From the Attic to The Bower

Our story in London didn’t start in the high-rise, but in a converted attic with just a handful of people and a big mission.

When I first joined, we were in the attic of a 3-story building.It was full of great people and energy; the immediate feeling I got was that everyone was building something great together.”

Joe Rooke

Director Risk Insights, Insikt Group

This passion for building something great fueled incredible growth. Sam Pullen, Director of Intelligence Services, remembers when the entire EMEA team was just about 20 people. Since 2018, we’ve gone from service a few dozen customers in the region to ~700 now.

On the left: First Recorded Future office in London. On the right: Recorded Future's newest office

On the left: First Recorded Future office in London. On the right: Recorded Future's newest office

Inside the Office

This modern high-rise building’s open-plan layout offers quite a few collaboration spaces across our office, where the team likes to have small team meetings, breaks, or even lunch.

Like all Recorded Future offices, our meeting rooms follow a unique naming convention. While Boston uses countries, and Sweden volcanoes - London chose islands. Rumors say we picked islands following a 95-day rain streak – we can neither confirm nor deny. So, in our London office, you’ll find Futurists collaborating in rooms like Bora Bora, Crete, and even San Andres.

Our Culture

What truly defines our London office is the sense of camaraderie – whether that’s competing in a friendly team padel game, testing your dartboard skills, or truly memorable summer & end of year celebrations.

The culture at the London office has always been welcoming and inclusive. The BDRs are the soul of the office, and you can always rely on them for a good conversation over a cup of tea.
Sam Pullen

Whether over summer picnics and pedalos in Hyde Park years, playing 5-a-side football in the pouring rain, or at the most recent Christmas party at the Savoy - our Futurists celebrate wins together.

Friendly Team Padel Game at Canary Wharf

Onwards & Upwards: Why Recorded Future

We asked Sam and Joe what has been the highlight of their long tenure at Recorded Future: the opportunity to build. For Sam, it has been the opportunity to build great relationships with clients over nearly a decade. For Joe, it has been the opportunity to build new solutions and new ways to work towards our mission.

The company offers opportunities to builders. If you are willing to take the initiative to make something better, you are not stopped. That is rare.

Joe Rooke

Director Risk Insights, Insikt Group

Ready for your next move? Join the team!

A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats

8 May 2026 at 02:00

Cybersecurity is a cornerstone of our modern world, but its roots stretch back long before the internet. Far from a recent phenomenon, the field began in university labs and evolved through decades of innovation and conflict. For professionals and everyday users alike, tracing this history reveals why today's defenses exist and why vigilance remains our most critical tool.

The 1940s: Theoretical Seeds and Massive Machines

Long before the first hack, pioneers were already contemplating the risks of digital intelligence. In 1945, the Electronic Numerical Integrator and Computer (ENIAC) - the first general-purpose electronic computer - showcased the power of computing, though it was a room-sized giant reserved for military use. While the idea of a "cybercriminal" was still science fiction, the theoretical groundwork for future threats was being laid.

Mathematician John von Neumann began developing his "Theory of Self-Reproducing Automata" during this era. He proposed that a machine-based organism could replicate itself across systems - the conceptual birth of the computer virus.

Key Characteristics of This Era:

  • Physical Isolation: Security meant locking the door to a room-sized machine.
  • Government Monopoly: Computers were exclusive to the military and the academic elite.
  • Conceptual Threats: Risks were purely mathematical theories rather than practical realities.
  • The Virus Blueprint: The foundational logic for self-replicating code was established.

By understanding these early foundations, we can appreciate how a field born in the realm of theory has become the frontline of global stability.

The 1950s: Mainframes, Physical Security, and Phone Phreaking

Governments, universities, and major businesses started using large, centralized machines known as mainframes. As these computers grew more powerful, the definition of "security" still remained grounded in the physical world. During this era, data protection simply meant controlling access to the room where the hardware sat. However, a new kind of technical subculture was beginning to emerge on the fringes of the telecommunications industry.

The 1950s saw the rise of phone phreaking, where enthusiasts exploited telephone signaling frequencies to make unauthorized long-distance calls. While not yet digital hacking, this movement introduced the concept of manipulating infrastructure for unintended purposes. This culture of curiosity and boundary-pushing would eventually produce industry titans; notably, both Steve Jobs and Steve Wozniak experimented with phreaking technology before the birth of Apple.

Key Characteristics of This Era:

  • Physical Perimeter: Security was defined by locks and restricted personnel access.
  • Phone Phreaking: The first widespread exploitation of a technological network.
  • Nascent Authentication: Password-based systems began to appear in informal, non-standardized forms.
  • Fragmented Protocols: Without a connected internet, every institution developed its own isolated security rules.

These early exploits proved that even the most robust physical defenses could be bypassed by those who understood the hidden language of the systems within.

The 1960s: The First Hackers and Growing Vulnerabilities

While known primarily for its social shifts, the 1960s also marked the birth of "hacking" as a technical practice. As computers became more prevalent in universities and large institutions, a new generation of users began exploring the limits of these systems. This era shifted the focus from purely physical security to the inherent vulnerabilities within the software itself.

In 1967, IBM invited students to test a new system, only to be surprised that their probing caused system crashes and revealed weaknesses. This informal "penetration test" proved that any system accessible to users was inherently open to exploitation. It was a wake-up call that sparked the transition of cybersecurity from a passive state to an active, intellectual discipline.

Key Characteristics of This Era:

  • Intentional Probing: The birth of deliberate vulnerability testing and "white hat" exploration.
  • Curiosity-Driven Hacking: Hacking emerged as a way to explore system boundaries, generally motivated by academic interest rather than malice.
  • Access vs. Security: Institutions realized that providing user access created inevitable security risks.
  • Beyond the Lock: The realization that cybersecurity required ongoing digital strategy, not just physical barriers.

This decade transformed the computer from a mysterious black box into a challenge to be solved, proving that human ingenuity would always be the greatest threat - and defense - to any system.

The 1970s: Networking and the First "Worm"

The 1970s transformed cybersecurity from a localized concern into a networked reality. The launch of ARPANET, the precursor to the modern internet, enabled researchers to share resources across distances but also opened a doorway for autonomous software to travel between systems.

In 1971, this potential was realized with Creeper, the world's first self-replicating network program. While harmless, its ability to move across the network and display messages was a revolutionary proof of concept. In response, programmer Ray Tomlinson created Reaper - the first antivirus program - specifically designed to hunt and delete Creeper. This decade also saw the rise of Kevin Mitnick, whose exploits in the 1980s showed that psychological manipulation, or social engineering, could bypass even the strongest technical barriers.

Key Characteristics of This Era:

  • Network Connectivity: ARPANET's birth created the first interconnected digital landscape.
  • The First Worm: Creeper demonstrated that programs could self-propagate autonomously.
  • The First Antivirus: Reaper established the "detect and delete" model of digital defense.
  • Social Engineering: Early hacks highlighted that human error is often the weakest link in the security chain.

This era proved that once computers started talking to each other, the "locked door" was no longer enough to keep an intruder out.

The 1980s: Personal Computers and the Birth of an Industry

The 1980s shifted computing from sterile labs to homes and offices. This explosion of connectivity via modems and floppy disks turned theoretical threats into a global reality, giving rise to the first commercial antivirus software and formal incident response teams like CERT.

Key Characteristics of This Era:

  • Wild Malware: Viruses like Elk Cloner and the Brain Virus moved beyond labs to infect personal computers worldwide.
  • The Morris Worm (1988): The first major network-wide disruption, leading to the first conviction under the Computer Fraud and Abuse Act (Robert Tappan Morris).
  • Cyber Espionage: Marcus Hess's breach of military systems for Soviet intelligence proved that digital networks had massive geopolitical stakes.
  • Ransomware Roots: The AIDS Trojan introduced the world to the concept of holding digital files hostage for payment.

The 1980s proved that as computers became personal, the threats against them became universal.

The 1990s: The Public Internet and Exploding Threats

As the World Wide Web went mainstream, the attack surface grew exponentially. This was the era of the "Macro Virus," where malicious code hid in everyday documents, and the dominance of Windows made it a universal target for hackers.

Key Characteristics of This Era:

  • Mass-Mailers: The Melissa virus demonstrated how email could be weaponized to clog global servers in hours.
  • The Encryption Standard: Netscape's SSL (1995) laid the foundation for secure online commerce and HTTPS.
  • Network Fortification: Firewalls became standard equipment as businesses scrambled to block external intrusions.
  • Legal Frameworks: Organizations like the EFF began fighting for digital privacy and standardized cybercrime laws.

This decade transformed cybersecurity services from a technical niche into a vital pillar of global commerce and law.

The 2000s: Professionalized Crime and Mature Defenses

The 2000s saw cybercrime scale into a high-profit industry. High-speed broadband and the rise of e-commerce meant that a single breach could compromise tens of millions of records, forcing the industry to develop more sophisticated authentication and monitoring tools.

Key Characteristics of This Era:

  • Massive DDoS Attacks: "Mafiaboy" proved that even giants like Amazon and eBay could be paralyzed by flooded traffic.
  • Social Engineering at Scale: The ILOVEYOU virus infected millions by exploiting human curiosity and trust.
  • Data Breach Epidemics: The TJX breach accelerated the adoption of strict data security standards like PCI DSS.
  • Encrypted Ransomware: In 2006, ransomware began using RSA encryption, making it nearly impossible to recover files without a key.

As attacks became more lucrative, the defensive industry responded with the first generation of modern security standards and behavioral analysis.

The 2010s: Nation-States and Digital Weapons

The 2010s shifted the focus from criminal profit to national security. Cybersecurity became a theater of war, with governments deploying digital weapons to destroy physical infrastructure and influence global politics.

Key Characteristics of This Era:

  • The Stuxnet Worm: The first acknowledged cyberweapon designed to cause physical destruction to industrial equipment.
  • The Snowden Leaks: Exposed the massive scale of global surveillance, sparking a decade-long debate on privacy.
  • Automation and AI: Machine learning began appearing on both sides - defenders used it for detection, while attackers used it to find flaws.
  • Global Ransomware: WannaCry and NotPetya showed how automated exploits could cripple hospitals and shipping lines across 150 countries.

By the end of the decade, it was clear that a line of code could be just as impactful as a physical weapon.

The 2020s: AI Threats and Modern Threat Intelligence

Today, the line between the physical and digital worlds has vanished. With remote work and cloud-native businesses, security is now a proactive game of "Threat Intelligence", which involves predicting and neutralizing an adversary's move before they even make it.

Key Characteristics of This Era:

  • Targeting Infrastructure: Attacks on power grids and water systems have raised the stakes from financial loss to public safety.
  • AI-Powered Attacks: Adversaries use AI to create deepfakes and hyper-personalized phishing at speeds humans can't match.
  • Predictive Defense: Modern strategy relies on Threat Intelligence, using AI to analyze patterns and stop attacks in their tracks.
  • Cloud & Remote Security: The shift away from traditional offices has forced a move toward "Zero Trust" security models.

The ongoing battle between human ingenuity and artificial intelligence now defines the frontlines of our digital existence.

The Different Types of Payment Fraud and How to Prevent Them

8 May 2026 at 02:00

Payment fraud is growing in scale and sophistication, affecting businesses across every industry, and as digital payments expand, so do the opportunities for bad actors to exploit vulnerabilities. Understanding how fraud works and how to prevent it is essential for protecting revenue, maintaining trust, and staying resilient in an increasingly complex threat landscape.

What Is Payment Fraud?

Payment fraud refers to the theft of money from businesses or individuals through unauthorized transactions or deceptive purchases. Fraudsters may act using their own accounts or by gaining unauthorized access to someone else's account.

While payment fraud can happen in person, online transactions are especially vulnerable. According to Juniper Research, global business losses from online payment fraud are projected to surpass $362 billion between 2023 and 2028. A business's fraud risk depends largely on its industry, the sensitivity of the data it handles, and the payment methods it accepts. The more ways customers can interact with accounts and complete purchases, the more entry points exist for bad actors to exploit.

Different Types of Payment Fraud

Fraudsters use many tactics, and below we list 14 of the most common. Given the large number of threats, businesses must prepare their teams to recognize a variety of warning signs. Strong internal communication policies, clear escalation procedures, and knowledge of the landscape are foundational to any fraud prevention strategy.

1. Phishing

Phishing is a social engineering tactic in which criminals attempt to trick people into revealing sensitive information such as account credentials or payment details. These attacks often come in the form of malicious links sent via email or text, but they can also occur over the phone. Attackers may pose as trusted figures - a friend, a bank representative, or a government official - to manipulate victims.

Prevention tips:

  • Let customers know exactly how your business will contact them, including phone numbers and email addresses.
  • Be transparent about what information your staff will and will not ask for.
  • Alert customers to any known phishing attempts targeting your brand.
  • Train employees on information security protocols and how to identify suspicious communications.

2. Credit and Debit Card Fraud

This type of fraud involves obtaining card information - either physically or digitally - and using it to make unauthorized purchases. Cards may be stolen directly, or details may be harvested through card skimming devices installed on ATMs or point-of-sale terminals. Attackers also acquire card data through phishing schemes or by purchasing stolen credentials on the dark web.

Prevention tips:

  • Restrict POS system access to authorized personnel and regularly inspect payment hardware for tampering.
  • Build secure, encrypted payment pages that comply with data protection standards.
  • Offer customers multiple notification options for purchases and account activity.
  • Warn customers never to share account or confirmation numbers with unverified sources.

3. Wire Transfer Fraud

In wire transfer fraud, criminals convince victims to send money directly to them. Because wire transfers are difficult to reverse, they are a preferred method among scammers. Attackers commonly impersonate someone the victim trusts - a family member, a company executive, or a business vendor. The use of a convincing back-story is often referred to as "social engineering." For example, an attacker may text employees pretending to be their CEO, claiming an emergency and requesting an urgent fund transfer.

Prevention tips:

  • Train employees to spot the signs of social engineering and impersonation.
  • Establish official communication channels and avoid conducting financial business over easily spoofed channels like text messages.
  • Report and share all phishing attempts with the entire team.

4. Check Fraud

Check fraud involves using counterfeit or altered checks to make payments or writing checks from accounts that lack sufficient funds. Fake checks may be digitally printed or modified versions of real checks. In some cases, the check is genuine but drawn from a closed account.

Prevention tips:

  • Implement software that verifies the authenticity of checks.
  • Train staff to recognize the visual and physical signs of fraudulent checks.

5. Chargeback and Refund Fraud

Also known as "friendly fraud," chargeback fraud occurs when a customer makes a legitimate purchase and then falsely claims a refund - either directly from the business or through their credit card company. This type of fraud is particularly tricky because it can be hard to distinguish from genuine disputes, especially when delivery or service quality is involved.

Prevention tips:

  • Validate customer information, including billing addresses and card security codes.
  • Use payment platforms that include fraud protection and dispute automation tools.
  • Respond to refund and chargeback requests quickly.
  • Minimize legitimate chargebacks by fulfilling orders accurately and on time.

6. Identity Theft

Identity theft happens when a criminal obtains someone's personal information and uses it for financial gain or to make purchases in someone else's name. For businesses, a common result is having to deal with chargebacks after customers discover fraudulent charges on their accounts. Although the primary victim is the customer, businesses have a responsibility to prevent data breaches that expose customer information in the first place.

Prevention tips:

  • Train employees to recognize phishing and follow secure information handling practices.
  • Ensure your payment systems comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.

7. Account Takeover Fraud

Account takeover (ATO) fraud typically follows identity theft. Once attackers obtain a user's credentials, they change the password and contact information to lock the real owner out. From there, they may use the account for fraudulent purchases or sell it to other bad actors.

Prevention tips:

  • Enforce strong password requirements for all accounts.
  • Require two-factor authentication (2FA) and send confirmation alerts for any significant account changes.
  • Notify customers of purchases and account modifications in real time.

8. New Account Fraud

New account fraud (NAF) occurs when someone uses stolen or fabricated identities to open new lines of credit or accounts. These fraudulent accounts can then be used to make purchases or commit further fraud down the line.

Prevention tips:

  • Require multi-factor authentication (MFA) - not just email verification - during account creation.
  • Verify address details and card security information during transactions.
  • Use fraud protection tools that leverage machine learning to detect unusual account creation patterns.

9. Gift Card Fraud

Gift card fraud is a social engineering scam where criminals pressure victims into purchasing gift cards and handing over the card numbers. Once the numbers are given, the funds are essentially unrecoverable, making this a popular method among scammers.

Prevention tips:

  • Display warnings about gift card scams during the checkout process.
  • Remind customers never to share gift card numbers with people they don't personally know.
  • Educate in-store staff to recognize signs of gift card fraud and when to escalate the situation.

10. Merchant Identity Theft

In merchant identity theft, attackers impersonate legitimate businesses or vendors to defraud customers or partner organizations. They may use phishing to extract employee credentials and gain access to business systems, or they may pose as a trusted vendor and redirect payments to themselves.

Prevention tips:

  • Train staff to identify phishing attempts and follow secure communication practices.
  • Establish verification procedures when communicating with vendors and business partners.
  • Report phishing attempts to employees and partners promptly.

11. Pagejacking and Domain Spoofing

Pagejacking involves cloning an existing webpage and redirecting users to the fake version to steal login credentials or payment information. Domain spoofing follows a similar concept - attackers build an identical-looking site under a slightly different URL. Users are typically directed to these fraudulent pages through malicious emails or texts.

Prevention tips:

  • Run plagiarism detection tools to identify duplicate versions of your pages online.
  • Pay attention to unusual customer service complaints that might signal a spoofed site.
  • Submit takedown requests to search engines if you discover a duplicate site, and notify affected customers.

12. Mobile Payment Fraud

As mobile payments become more prevalent, they've also become a target for fraud. Attackers can exploit mobile apps through malware installation, stolen app credentials, or interception of 2FA codes. For example, a scammer may call a customer pretending to represent a business and ask them to read back a verification code - which is actually a 2FA code the attacker has triggered on the victim's account.

Prevention tips:

  • Authenticate customers over the phone carefully to reduce the risk of impersonation-based fraud.
  • Monitor for unusual spending or refund activity in mobile transactions.
  • Educate customers about the risks of clicking on unknown links, QR codes, or visiting unfamiliar websites.

13. Push Payment Fraud

Unlike unauthorized transaction fraud, push payment fraud involves tricking the victim into willingly sending money to a fraudster. This can take many forms, including phishing, blackmail, or deceptive scenarios like fake emergencies. The key distinction is that the victim actively initiates the transfer.

Prevention tips:

  • Clearly communicate to customers what your staff can and cannot ask them to do or pay.
  • Make it easy for customers to report anyone impersonating your business.
  • Issue proactive alerts about ongoing scam attempts tied to your brand.

14. ACH Payment Fraud

ACH (Automated Clearing House) payment fraud involves criminals gaining unauthorized access to a victim's bank account details and using them to initiate fraudulent transfers. For businesses, this risk can come from both outside attackers and malicious insiders.

Prevention tips:

  • Strictly limit and monitor employee access to business bank accounts.
  • Educate all staff with account access about phishing tactics and establish firm security policies.

Which Businesses Have the Highest Fraud Risk?

Not all businesses face the same level of exposure. Fraud risk is generally highest in sectors that process online payments, handle sensitive personal data, or still accept paper checks.

E-Commerce Businesses

E-Commerce businesses are particularly vulnerable. Online retail involves accepting payments from a wide range of locations, often with multiple payment methods. Features like peer-to-peer payment integrations or international checkout add more potential points of failure. The more accounts and payment methods a customer has linked, the more attractive a target they become for data breaches.

Healthcare, Banking, and Data-Sensitive Industries

These sectors are at elevated risk because of the high value of the information they store. A breach in these sectors doesn't just expose financial data - it can compromise identity information used to commit fraud across many platforms simultaneously.

Businesses Still Accepting Checks

These kinds of businesses face unique challenges. As check usage declines, employees may become less experienced at identifying fakes, which makes training and verification systems all the more important. According to the Association for Financial Professionals, check fraud remains one of the most common forms of payment fraud.

How to Mitigate Risk

A variety of tools and strategies are available to help businesses identify and reduce fraud exposure. Conducting a security risk assessment is a strong starting point, helping teams understand which vulnerabilities are most critical and where to prioritize investment.

From there, organizations should focus on establishing a solid operational and security foundation before layering in more advanced fraud detection capabilities.

Foundational Controls

These measures create a baseline level of protection by securing systems, safeguarding data, and reducing avoidable losses:

  • Strong network and password security: Establish internal policies governing account access, password requirements, and physical access to devices and systems.
  • Network tokenization: Ensure payment systems encrypt and tokenize customer data to protect sensitive information.
  • PCI standards compliance: Build payment workflows that meet Payment Card Industry (PCI) standards to safeguard cardholder data.
  • 3D Secure (3DS) authentication: Use the latest 3DS protocols to validate transactions and verify user identity before completing purchases.
  • Chargeback protection: Work with your payment processor to implement tools that help minimize financial losses from disputed transactions.

Once these core protections are in place, businesses can enhance their fraud prevention strategies with more dynamic, data-driven approaches.

Advanced Detection & Optimization

These techniques improve visibility, adaptability, and long-term resilience against evolving fraud tactics:

  • Fraud KPI tracking: Monitor key metrics such as dispute rates, authorization rates, and approval/decline ratios to identify trends and respond proactively.
  • Rules-based systems: Implement rule-based detection as a reliable operational backbone. While rules require ongoing maintenance, they are especially useful in early stages and can be refined over time.
  • Machine learning algorithms: Leverage ML-powered systems to analyze large, complex datasets and uncover patterns that are difficult to detect manually. These models continuously improve as they adapt to new fraud behaviors.

Staying Ahead of Payment Fraud

Payment fraud is an ongoing challenge, but a proactive, layered approach can significantly reduce risk. By combining strong foundational controls with data-driven detection and continuous monitoring, businesses can stay ahead of evolving threats.

Ultimately, effective fraud prevention requires regular review, employee awareness, and a commitment to adapting as tactics change.

Additional Resources

❌