weekly
[SIGNALS WEEKLY] Perimeter Pressure, Supply Chain Drift, and Identity Theft
The perimeter blinked. VPN portals and CI tokens are still doing incident cosplay.
weekly
The login was real. The control plane did the rest. Storm-2949 is the ugly part: one Entra ID identity can turn into SaaS theft and Azure abuse. Nobody owns this until incident day.
forecasts
“Secure by default” sounds great until it meets BYOD, VDI, federated SSO, and the help desk exception list from hell. Device-bound sessions help. Waiting for every SaaS vendor to flip the default is not a strategy.
forecasts
Teams keep hardening the front door while the “trusted integration” gets waved through reception with a box truck. No core-platform exploit required. Just approval fatigue with API access.
weekly
The industry still talks like identity compromise begins at the login page. Meanwhile the path is edge box → DNS games → token theft → bad week for everyone pretending “strong auth” was the whole plan.
forecasts
Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.
weekly
Everyone loves “endpoint visibility” until the incident starts in the control plane they treated like support infrastructure. Routers, CI/CD, token flows, web admin panels — same neglect, better attacker ROI.
forecasts
Iran cyber risk is not about whether they’ll be active. They will. The real question is whether the next 8 weeks produce a publicly attributed, materially disruptive hit with a new twist beyond the usual password-spray sludge. Tenant sabotage is the part to watch. 👀🔥
forecasts
Iran cyber risk isn’t just “watch for wipers.” It’s the same ugly identity-first playbook: password sprays, MFA abuse, cloud access… then maybe admin-plane sabotage. Recent reporting says activity is already reaching U.S. targets. Cute.
weekly
Edge + identity + AI = the new “oops.” 😬🧨🤖 ED 26-03 on Cisco Catalyst SD-WAN exploitation, OAuth redirect abuse that lands users in malware without token theft, plus Gemini panel hijack vs indirect prompt injection in the wild.
identity
Your SOC isn’t understaffed. It’s late. ⏱️😈 Attackers aren’t scaling with malware—they’re scaling with OAuth + tokens + “normal” API exports. Big tech wins by yanking kill-switches fast. Can you revoke an OAuth grant in <30 min?
weekly
MFA isn’t “done.” It’s now the excuse attackers use on the phone. ☎️😈🔑 Vishing → MFA reset/re-enroll → post-login SaaS data grabs. Plus: selective Notepad++ updater abuse + proxy traffic making IP rep cry.