Organizations often struggle to understand how they truly appear from the outside. Security teams work hard to protect internal systems, yet the real exposure visible to potential attackers often remains unclear. That’s why we created the External Attack Surface Management (EASM) report. By delivering this report we want to provide a clear overview of the…
Read MoreOn October 1, 2025, Würth Group employees were targeted by a WhatsApp-based cyberattack. A few users fell for it and some devices got infected. The attack was promptly detected by our Cyber Defense Center, and was stopped before it could spread further. Investigating the threat more deeply, we discovered it was part of a wider…
Read MoreMy SANS Course in London – April 2025 Back in April, I had the opportunity to attend a SANS course in London. More precisely, SANS 504: Hacker Tools, Techniques, and Incident Handling. The course ran from April 7th to April 12th, and those six days were intense, exciting, and surprisingly fun in ways I didn’t…
Read More
Producing actionable intelligence must be the mindset that every Threat Intelligence analyst must set as their primary objective. The problem of properly integrating Threat Intelligence into Security Operations processes is a recurring one. In this article, I aim to describe the integration process we, at Würth IT, have implemented, which allows us to produce actionable…
Read MoreWhen organizations think about cybersecurity, the conversation often starts with compliance. ISO 27001, PCI-DSS, HIPAA, GDPR, NIS2… frameworks and regulations designed to protect sensitive data and establish minimum standards for risk management. Achieving compliance is often seen as the ultimate milestone: once the certificate is obtained or the audit is passed, the company is considered…
Read More
During the NetEye Conference 2025, I discussed several analysis use cases where integrating threat intelligence information can help build a useful framework for further alert analysis. Below, I’ll share a possible analysis approach for each use case. Case 1 – Alert about scan attempts from an AWS IP SOC Analyst’s decision: “Ouch, this IP is…
Read MoreEffective Vulnerability Management doesn’t end with detection, it ends with action. And to take the right action, you need clear, accurate, and timely reports. In today’s fast-moving threat landscape, reporting is not just a formality, it’s a critical bridge between scan data and strategic security decisions. This article explores the role of reporting within the…
Read MoreIntroduction In modern SOC environments, detection rules are the cornerstone of identifying malicious activity. However, the effectiveness of a rule depends not only on what it looks for but also on how precisely it defines suspicious behavior. Many analysts have experienced the pain of rules that are “noisy” – generating countless false positives (FPs) that…
Read MoreIntroduction: What is MCP? The Model Context Protocol is an emerging open standard that defines how large language models and AI agents interact with external tools, services, and data sources. Instead of every AI provider building its own proprietary “tool calling” system, MCP provides a common protocol (typically over JSON-RPC) to expose capabilities such as…
Read MoreSummer is over, autumn is here – and so is the most anticipated event of the year for cybersecurity students: WP CTF 2025. Every year, the WP CTF draws cybersecurity students hungry to learn, compete, and put their skills to the test. Our marketing team has been working for months to organize an incredible event,…
Read MoreWelcome back for the second and last part of our journey into the jungle of Windows logs! In the first part we set out our goal – tracking admin authentications – and learned more about Windows, how authentication events are logged, and where can we focus to isolate the most accurate events. Today we’re going…
Read MoreIn the context of vulnerability management, it’s common to be faced with a long list of findings after each scan, often too many to tackle all at once. But how do you decide where to focus your efforts and resources? Which vulnerabilities are truly critical, the ones that could actually compromise your organization’s security? The…
Read More
In this article, I want to introduce an important new development we have introduced within the SATAYO Threat Intelligence Platform (TIP). Our experience has shown that favicons, those seemingly innocuous icons used in browser tabs and bookmarks, can be a rich and often overlooked source of intelligence. By systematically analyzing these artifacts, we’ve established a…
Read MoreWhen we talk about security assessments, the first thing that comes to mind is a snapshot of a company’s security posture: vulnerabilities, misconfigurations, uncontrolled access, and so on. But reducing these activities to a mere “test” means missing a key strategic opportunity: turning every assessment into the possibility of helping the internal IT team grow…
Read MoreIntroduction Windows environments rely heavily on authentication protocols like NTLM and Kerberos. While these protocols serve critical security purposes, they are also commonly abused during malicious activities. This article explains how to detect suspicious behaviors related to Domain Account Discovery and Credential Access, specifically focusing on Enumeration, Brute Force, and Password Spraying attempts via NTLM…
Read More