Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Sophos named a 2026 Gartner Peer Insights Customers' Choice for Email Security

Sophos named a 2026 Gartner Peer Insights Customers’ Choice for Email Security Sophos’ first ever recognition as a Customers’ Choice for Email Security. Sophos has been named a 2026 Gartner Peer Insights Customers’ Choice in the 2026 Gartner Peer Insights Voice of the Customer for Email Security. This marks Sophos’ entry into the report, as well as Sophos’ first ever Customers’ Choice distinction for Email Security.

Unmasking BitRAT's C2 over HTTPS

BitRAT is a potent and versatile Remote Access Trojan (RAT) commonly sold on underground forums. Its popularity stems from a robust feature set and an emphasis on stealth, allowing it to evade detection by hiding command-and-control (C2) communications over seemingly benign protocols. This makes traditional detection methods more challenging. By examining the subtle artifacts it leaves behind, even in encrypted traffic, defenders can expose these elusive threats.

From days of training to three better rules in a minute

A few years ago, I was part of a team responding to a high-profile security incident. After the incident was resolved, I was given a list of NDR rules to add to my firewalls. The issue was that the rules were not made for Suricata, the IDS I was using in this position at that time, so they generated false positives. With all that extra noise, I made it my goal to eliminate that excess noise.

What the Black Hat NOC taught me about MCP & agentic SOCs (Chapter 2 of 4)

The first time an MCP (Model Context Protocol) server felt real to me, it wasn't because of a clean demo. It was because of the noise. TL;DR: The harness matters more than the protocol, and the evidence matters more than both. MCP earns its keep when it shortens the path from a good security question to trustworthy evidence, and almost everything interesting about making that work happens in the harness wrapped around the model. In this series, I will cover how to build an MCP for an AI SOC.

When AI agents look like attackers: what behavioral telemetry tells us

An X-Ops analysis of how AI coding agents trigger endpoint detection rules designed for adversaries AI coding agents (Claude Code, Cursor, Codex, and others built on skill packs such as GStack) are showing up in customer environments. They write code, install dependencies, automate browser tasks, and troubleshoot failures by trying alternative approaches.

Identifying and detecting ScoutC2 malware

At Corelight Labs, our mission is to help organizations stay a step ahead of evolving threats. When our researchers came across Censys' detailed write-up on ScoutC2, a rapidly growing open-source command-and-control (C2) framework favored by threat actors, we knew we needed to bolster community defenses quickly.

Stop Chasing Alerts, Start Hunting Adversaries: The New NDR Essentials

It was time to write another book. That’s what I thought when I heard that Corelight wanted to update its 2021 book on network detection and response (NDR). Tamara Crawford, who owned the project, scheduled a meeting with me and asked if I might be interested in helping, depending on who might write the text.

"Exploit mitigation" stalled around 2008. The attacks didn't.

"Exploit mitigation" stalled around 2008. The attacks didn't. AI turns a patched bug into a working exploit in hours. Why endpoint exploit mitigation stalled in 2008, and what a default-on mitigation layer looks like now. The core of my last post was an asymmetry. An attack can unfold in two steps or 20, but the vocabulary it draws from never grows.

Detection Engineering: Build Robust Programs & Best

Your SOC probably already has detections. The problem is that many of them don't behave like a managed security capability. They behave like a pile of alerts. Analysts close noisy rules because they have to protect their queue. Engineers keep adding logic because coverage gaps are real. Leaders ask whether the program is improving, and the usual answers are weak. Alert counts go up. Tuning tickets pile up.