2026 · Original Article · Agentic AI · Governance · Zero Trust · NIS2 / CRA
The Agentic AI Governance Gap: Securing the Autonomous Frontier
Original research · Cybersecurity governance · AI security architecture
In 2026, the cybersecurity conversation has shifted. The concern is no longer limited to what an AI system says - the real risk is what an AI system does. As organisations deploy agentic AI systems that can navigate software, access databases, and execute transactions, they are introducing a new category of governance risk.
Traditional generative AI requires human initiation. Agentic AI operates with delegated autonomy - planning, acting, and interacting with external tools in iterative loops. If compromised, these systems do not just produce incorrect outputs. They can execute harmful actions at scale.
This creates a governance gap: organisations are extending trust to non-human actors without applying equivalent controls, visibility, or accountability frameworks.
Guardrail Architecture (4 layers): Execution sandboxing in ephemeral environments · Intent verification via structured reasoning traces and pre-execution policy checks · Zero trust for agent identities with short-lived credentials and fine-grained permissions · Immutable audit logging to write-once-read-many storage.
Vulnerability Management: Controlled model updates with rollback mechanisms · Prompt injection mitigation through input sanitisation, trust boundaries, and content filtering · Controlled memory strategies including segmentation, scoring, and cryptographic provenance · Tool and permission abuse prevention via strict scoping and multi-step workflow monitoring.
Regulatory alignment: EU Cyber Resilience Act (from Sept 2026) · NIS2 Directive - organisational accountability, supply chain risk, management liability for cybersecurity governance failures.
The challenge for 2026 is ensuring autonomous systems operating inside the organisation remain controlled, auditable, and aligned with intent.
2026 · Original Article · Identity Security · BEC · BYOD · T1078 · T1566
How Impossible Travel Detection Helps Mitigate Business Email Compromise and Protect BYOD Data
Original research · Identity-driven security · Detection to prevention
Business Email Compromise (BEC) remains one of the most damaging cyber threats facing organisations today. Unlike traditional malware attacks, BEC abuses valid credentials and trusted communication channels - making it harder to detect and easier to overlook.
Impossible travel detection - triggered when a user account authenticates from two geographically distant locations within an unrealistic time frame - is one of the most consistently effective signals for reducing BEC impact, particularly in BYOD environments.
MITRE ATT&CK alignment: Valid Accounts (T1078) · Credential Phishing (T1566) · Mailbox Rule Modification (T1098.002) · Email Collection (T1114) · Stolen Auth Tokens (T1528) · Cloud Data Access (T1530).
Why detection alone is not enough: Attackers only need minutes of unrestricted email access to create forwarding rules, monitor executive communications, and initiate fraudulent payment requests. Automated prevention - session termination, step-up MFA, temporary suspension - removes that window entirely.
BYOD considerations: Personal devices rarely carry equivalent monitoring or enforcement. Correlating location anomalies with device posture enables organisations to restrict access to sensitive data from unknown endpoints without requiring full device control - balancing security with user privacy.
Attack flow: Phishing (T1566) → Credential abuse (T1078) → Detection opportunity: impossible travel → Mailbox persistence (T1098.002) → Email collection (T1114) → Fraud execution. Automated controls at the impossible travel stage can break this chain before persistence or financial fraud occurs.
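As an added example (not part of the original write-up), the following Python implements the impossible-travel check described above and attaches the automated responses the text lists; the sign-in events, field names and the 900 km/h threshold are constructed for illustration, not taken from any product.

```python
# Impossible travel detection over sign-in events (added illustration).
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real log data): lat/lon from GeoIP,
# device_managed from device posture, session = the identity provider's session id.
EVENTS = [
    {"user": "cfo", "ts": "2026-03-02T08:05:00Z", "lat": 51.5074, "lon": -0.1278, "device_managed": True, "session": "s1"},
    {"user": "cfo", "ts": "2026-03-02T08:41:00Z", "lat": 40.7128, "lon": -74.0060, "device_managed": False, "session": "s2"},
    {"user": "ops", "ts": "2026-03-02T09:00:00Z", "lat": 48.8566, "lon": 2.3522, "device_managed": True, "session": "s3"},
    {"user": "ops", "ts": "2026-03-02T15:30:00Z", "lat": 51.5074, "lon": -0.1278, "device_managed": True, "session": "s4"},
]
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed; tune per environment

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per consecutive same-user sign-in pair whose implied speed exceeds max_kmh.
    Each finding carries the automated response from the text: terminate the offending session
    and require step-up MFA; if the new device is unmanaged (BYOD), also block sensitive data."""
    findings = []
    last_seen = {}  # user -> previous sign-in event
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            speed = km / hours if hours > 0 else float("inf")  # same-second logins: treat as impossible
            if speed > max_kmh:
                actions = ["terminate_session:" + ev["session"], "require_step_up_mfa"]
                if not ev["device_managed"]:
                    actions.append("block_sensitive_data_access")
                findings.append({"user": ev["user"], "km": round(km), "speed_kmh": round(speed), "actions": actions})
        last_seen[ev["user"]] = ev
    return findings

if __name__ == "__main__":
    for f in detect_impossible_travel(EVENTS):
        print(f)
```

The London to New York pair 36 minutes apart is flagged at roughly 9,300 km/h and, because the second device is unmanaged, gets the BYOD data restriction as well; the Paris to London pair six and a half hours apart is plausible and produces no finding.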
DFIR Investigations
10 Apr 2026 · Security Blue Team · Ransomware IR · DFIR · Phishing · Windows
ClickFix - Phishing-Driven Ransomware Intrusion
Security Blue Team Lab · Released 10 April 2026 · Thanks: Khaled Allam
Reconstructed the full attack timeline of a sophisticated phishing-driven ransomware intrusion using host-based artefacts: event logs, registry analysis, and file system metadata. Initial access traced to user-driven execution of a malicious command (T1204.002), with timestamp correlation confirming the exact compromise moment.
Payload delivery via Ingress Tool Transfer (T1105) was followed by C2 communication (T1071) and rapid interactive shell establishment. Persistence achieved through a legitimate process executing a strategically placed file (T1547). Privilege escalation exploited a trusted Windows component without user interaction (T1068) - highly reliable and difficult to detect. Defence evasion included registry modification (T1112), log tampering/clearing (T1070), and cleanup script execution. Network share enumeration (T1135) preceded final ransomware deployment (T1486).
Risk: Very High - stealthy initial access, reliable privilege escalation, strong persistence, anti-forensic TTPs.
T1204.002 · T1105 · T1071 · T1082 · T1547 · T1068 · T1112 · T1070 · T1135 · T1486
2025 / 2026 · Security Blue Team · Enterprise IR · DFIR · NIS2 / CRA · Lateral Movement
MailFail - Enterprise Intrusion DFIR Investigation
Security Blue Team Lab · Thanks: Khaled Allam
Realistic enterprise intrusion scenario: anomalous authentication activity and suspicious processes identified within an internal network. Forensic image analysis, log correlation, and structured investigative methodology used to reconstruct the adversary's full attack timeline.
Observed attacker activity: Initial Access via public-facing exploit (T1190) · Lateral Movement (T1021) · Privilege Escalation (T1068) · Persistence via web shells and services (T1505, T1543) · Credential Access (T1555) · Command and Control through reverse shell communications (T1071).
From a governance perspective, this simulated incident reflects operational controls expected under NIS2 (monitoring, logging, incident reporting) and demonstrates why the Cyber Resilience Act emphasises secure software design, vulnerability handling, and timely patching.
T1190 · T1021 · T1068 · T1505 · T1543 · T1555 · T1071
2025 / 2026 · Security Blue Team · SOC / IR · Lateral Movement · Credential Dumping · Process Hollowing
Dumpster - SOC & Incident Response Investigation
Security Blue Team Lab · Soprano's Enterprises scenario · Thanks: Khaled Allam
Multi-system intrusion investigation at Soprano's Enterprises. Dual alerts from Tony's workstation - an initial benign-appearing alert followed by a pattern-revealing second alert - triggered full escalation to the IR team.
Investigation covered: initial foothold identification · defence evasion via a security-disabling script · payload delivery · SYSTEM-level privilege escalation · persistence establishment · credential dumping through abuse of a legitimate Windows process · data exfiltration to an external domain · Domain Controller authentication and persistence · browser data collection · process hollowing for stealth · credential staging in a temporary directory on Corrado's machine.
Privilege Escalation · Credential Dumping · Lateral Movement · Process Hollowing · Exfiltration
2025 / 2026 · Security Blue Team · macOS Forensics · Supply Chain · DFIR · RCE
Mac Updater - macOS Digital Forensics Investigation
Security Blue Team Lab · Corporate MacBook compromise · Thanks: Khaled Allam
SIEM alert triggered by a crashed unknown process on a corporate MacBook. Triage revealed that a legitimate workflow repository had been cloned and that it referenced an external project hosting malicious code - consistent with T1195 Supply Chain Compromise and T1204 User Execution.
Shortly after the clone event, outbound traffic initiated C2 communication (T1071). Further analysis confirmed exploitation of an RCE vulnerability (T1203). Access was validated via command execution (T1059) and the shell session stabilised. Persistence was established via a scheduled mechanism (T1053) and Boot/Logon Autostart Execution (T1547), with recurring callbacks to a secondary controller. A final malicious payload, written to disk and executed multiple times, ultimately crashed - which is what surfaced in the alert telemetry.
T1195 · T1204 · T1071 · T1203 · T1059 · T1053 · T1547
2025 · Hack The Box Sherlocks · Network Forensics · APT41 · AttackLens StarMap · Wireshark
HackTheBox Sherlock - APT41-Style Network Forensics
HTB Sherlocks · Custom tooling: AttackLens StarMap
Full network forensic investigation on HackTheBox resembling APT41-style operations. Attack chain: public-facing application exploit for Initial Access (T1190) → Web Shell deployment (T1505.003) → database-driven command execution (T1059) → Ingress Tool Transfer (T1105) → Remote Services abuse (T1021). Structured multi-stage post-exploitation tradecraft throughout.
Wireshark used to analyse encrypted HTTP payload delivery and abnormal parameter behaviour at the network layer. Timeline Explorer used to correlate Windows event logs (CSV format) - process creation, file system modifications, and network connections mapped to reconstruct the full intrusion timeline.
Adversary mapping formalised using AttackLens StarMap - a tool personally built to map attack patterns directly to MITRE ATT&CK, correlating observed behaviours against APT41 (G0096) across the Enterprise matrix. This custom tooling transforms raw investigation artefacts into structured detection intelligence.
T1190 · T1505.003 · T1059 · T1105 · T1021 - attributed: APT41 (G0096)
Malware Analysis
2025 · MalOps.io · Malware RE · radare2 · Go Binary · Stealer · Dead Drop Resolver
MaskGram - Go-Based Stealer Reverse Engineering
MalOps.io Challenge · radare2 · Static + dynamic analysis
Deep static analysis of a Go-based loader using radare2, focusing on real execution flow rather than surface-level indicators. Traced dynamic syscall resolution via indirect gate jumps (T1106 Native API). The particular difficulty of Go's register-based ABI was handled by mapping the runtime stack, which made it possible to identify encrypted regions and dump them directly from memory.
Key breakthrough: RC4 key material recovered at runtime by observing the RC4 initialisation sequence with the combined key passed via registers - enabling decryption of staged payloads and validation through embedded constants.
Multi-stage chain exposed: loader → reflective payload delivery (T1620) → layered obfuscation (T1027) → Dead Drop Resolver (T1102.001) decoding external ciphertext from a legitimate web service to dynamically generate C2 infrastructure, bypassing static blacklists. Final-stage: deterministic HTTP path generation (T1071) → browser process injection (T1055) → credential harvesting from local password stores (T1555).
T1106 · T1620 · T1027 · T1102.001 · T1071 · T1055 · T1555
2025 · Hack The Box · Malware Analysis · Infostealer · Vidar · MaaS
HTB Foreigners - Infostealer Malware Analysis
Hack The Box Lab · Malware-as-a-Service campaign profile
Comprehensive malware analysis of a sample from the HTB lab FOREIGNERS - a scenario where a user executed commands from a fraudulent website claiming an urgent system fix, resulting in anomalous workstation behaviour.
The malware executes shellcode via Windows API functions (T1204.002), encrypts internal communications (T1027), and targets multiple file transfer clients and gaming platforms to harvest authentication artefacts. Runtime checks for analysis environments and unique mutex-like markers indicate sandbox evasion (T1497). Exfiltration channels use application-layer protocols (T1071.001).
Threat intelligence comparison revealed similarities to Vidar infostealer - credential harvesting, C2 obfuscation, and distribution via deceptive downloads or phishing (T1566) - consistent with a broader Malware-as-a-Service campaign profile.
T1204.002 · T1027 · T1497 · T1071.001 · T1566 - similar TTP: Vidar infostealer
2025 · Hack The Box · Linux Malware · Malcat · FLARE VM · Persistence
HTB Antarctica - Linux Binary Reverse Engineering
Hack The Box Lab · FLARE VM isolated environment · Malcat static analysis
Malware analysis of a suspicious Linux binary discovered within modified shell profile scripts on isolated research systems. Analysed in an isolated FLARE VM environment using Malcat for detailed inspection of embedded strings, imported functions, and program behaviour.
Persistence established by modifying shell initialisation files for automatic execution during user logon (T1037). Defence evasion via virtual machine detection - checking for specific kernel modules and hardware-related system directories (T1497). Unauthorised SSH public key added for maintained remote access (T1098). Shell history file monitoring via file system notifications (T1056). Binary attempted to resolve and communicate with a hardcoded external domain over DNS (T1071.004).
T1037 · T1497 · T1098 · T1056 · T1071.004
Threat Intelligence
2025 / 2026 · Threat Intelligence · Supply Chain · Kubernetes · PyPI · TeamPCP / LAPSUS$
Tracking the NPM-Kubernetes-PyPI Supply Chain Attack Campaign
Multi-stage supply chain research · TeamPCP / LAPSUS$ TTP overlap · CanisterWorm
Multi-stage supply chain attack campaign tracked from NPM through Kubernetes environments into the PyPI ecosystem, initially identified through CanisterWorm activity analysis.
Kubernetes phase: attackers reused the same ICP container and deployed privileged DaemonSets across cluster nodes, enabling persistence at scale (T1569.002) and lateral movement via SSH keys and Docker API exploitation (T1021.002, T1059.004). The malware is environment-aware: it performs timezone and locale checks, and on systems configured for Iran it triggers a destructive "Kamikaze" routine that wipes data across all nodes, including control plane components (T1485, T1499).
Campaign expanded into PyPI through compromise of LiteLLM (versions 1.82.7 and 1.82.8) - an open-source library for OpenAI, Google, and Anthropic API access. Malicious code enabled silent execution (T1059.006), credential harvesting (T1003.002, T1081), and data exfiltration (T1041). Hundreds of thousands of machines affected with large volumes of sensitive data exfiltrated. Attributed to TeamPCP with observed LAPSUS$ TTP overlaps suggesting financially motivated operations at scale.
T1569.002 · T1021.002 · T1059.004 · T1485 · T1499 · T1059.006 · T1003.002 · T1081 · T1041