Blog Entries

23. 03. 2026 Simone Ragonesi Offensive Security, Red Team, SEC4U

Writing High Quality Pentesting Reports

A pentest is only as valuable as the report that comes out of it. You can find critical vulnerabilities, chain exploits creatively, and demonstrate full infrastructure compromise, but if your report is unclear, overly technical, or poorly structured, its impact will be limited. A strong pentesting report bridges the gap between technical discovery and business…

Read More
23. 03. 2026 Alessio Dallaporta Blue Team

Inside Elastic Security Detection Rules: Internal Structure & Upgrade Mechanics

A Rule Is More Than a Query In modern detection engineering, a rule is often misunderstood as just a query that triggers alerts. In reality, within Elastic Security, a detection rule is a structured, versioned, and lifecycle-managed object that goes far beyond simple query logic. Understanding this structure is essential for anyone operating in a…

Read More
11. 03. 2026 Daniel Degasperi Blue Team, Log-SIEM, SEC4U, Threat Intelligence

From Static Lists to Threat Intelligence: Better Domain Detection in Elastic

A scalable approach to detecting malicious domains using Threat Intelligence and Indicator Match Rules One of the most common techniques used in phishing and initial access campaigns is the creation of domains that closely resemble legitimate ones. Attackers exploit typosquatting, homograph attacks, and brand impersonation to deceive users and steal credentials. For a Security Operations…
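The kinds of look-alike domains this post is about (typosquats, IDN homographs, brand names buried in a sub-domain) can be scored before they ever reach an indicator list. The detector below is an added example written for this page, not code from the article or from Würth's own pipeline: the watch-list, the small confusables subset and the test domains are all constructed, and `registrable()` assumes a plain two-label registrable domain (no public-suffix list), so `co.uk`-style zones are not handled.

```python
import unicodedata

# Constructed sample watch-list of brands to protect (not taken from the article).
PROTECTED_DOMAINS = ["paypal.com", "microsoft.com", "wuerth-it.com"]

# Small illustrative subset of Unicode confusables (Cyrillic/Greek/Latin look-alikes).
# A production detector would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u04bb": "h", "\u03bf": "o", "\u0131": "i",
    "\u0142": "l", "\u0261": "g",
}

# ASCII-level tricks, folded after the Unicode mapping.
ASCII_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Fold a domain into a comparison key so look-alikes collapse onto the original."""
    labels = []
    for label in domain.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):                 # IDN label: compare its Unicode form
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                                  # malformed punycode: keep as-is
        labels.append(label)
    key = unicodedata.normalize("NFKC", ".".join(labels))
    key = "".join(CONFUSABLES.get(ch, ch) for ch in key)
    for src, dst in ASCII_FOLDS:
        key = key.replace(src, dst)
    return key


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; quadratic, which is fine for hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style TLDs are wrong here."""
    return ".".join(domain.split(".")[-2:])


def classify(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_brand); verdict is one of
    legitimate, homoglyph, typosquat, brand_impersonation, unrelated."""
    d = domain.strip().lower().rstrip(".")
    reg = registrable(d)
    if reg in protected:
        return ("legitimate", reg)
    reg_key = skeleton(reg)
    full_key = skeleton(d)
    typo = None
    impersonation = None
    for legit in protected:
        legit_key = skeleton(legit)
        if reg_key == legit_key:                      # same skeleton, different bytes
            return ("homoglyph", legit)
        dist = edit_distance(reg_key, legit_key)
        if dist <= max_distance and (typo is None or dist < typo[1]):
            typo = (legit, dist)
        brand = legit.split(".")[0]                   # e.g. "paypal"
        # Brand name embedded in any label: sub-domain abuse or a hyphenated SLD.
        # Substring matching is deliberately loose; short brand names will need a length guard.
        if impersonation is None and any(brand in lbl for lbl in full_key.split(".")):
            impersonation = legit
    if typo:
        return ("typosquat", typo[0])
    if impersonation:
        return ("brand_impersonation", impersonation)
    return ("unrelated", None)
```

The skeleton is applied to both sides of every comparison, so folds such as `rn` to `m` cannot produce a mismatch against the genuine domain; they only make the impostor and the original collide. Anything that comes back as `homoglyph`, `typosquat` or `brand_impersonation` is a candidate for the threat-intelligence index that an Indicator Match Rule consumes, with the verdict carried along as an enrichment field.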

Read More
04. 02. 2026 Massimo Giaimo Threat Intelligence

From RAMP to RehubCom?

There’s been a lot of talk in recent days about the seizure of the underground forum RAMP. There’s little to add to this issue, which has already been extensively written about. An excellent summary is available in this BleepingComputer article. What I’d like to highlight in this article, however, is how the main players in…

Read More
27. 01. 2026 Simone Ragonesi Automation, Development, DevOps, Offensive Security, Red Team, SEC4U

Architecting a Portable Red Team Engine

This is the first article in the RTO series The Problem Red team and penetration testing activities are full of repetition: the network scans, reconnaissance, OSINT collection, and routine validation tasks are all necessary, but they’re also time-consuming and error-prone when executed manually. Over time, most teams end up with a zoo of scripts, half-maintained…

Read More
11. 01. 2026 Simone Ragonesi Blue Team, Offensive Security, Red Team, SEC4U

Purple Teaming is a MUST, not a PLUS

In modern security programs the silos between offensive and defensive teams are no longer sustainable: attackers iterate faster, tooling evolves daily, and detection gaps are exploited in minutes, not months. In this environment purple teaming is not an optional maturity enhancement but a foundational requirement for organizations that take risk management seriously. Purple…

Read More
02. 01. 2026 Massimo Giaimo SATAYO, Threat Intelligence

Ransomware Double Extortion Attack: 2025 Overview

As 2025 comes to a close, we can make some observations regarding the evolution of the double-extortion ransomware attack landscape. The data shown is the result of the enrichment performed within SATAYO starting from the data made available by the Ransomfeed project. The URLs of the Data Leak Sites (DLS) of the various ransomware gangs…

Read More
22. 12. 2025 Mirko Ioris Blue Team, SEC4U

Meet The CDC! Our Innovative Concept For A Modern SOC

Introduction If you work in the Cyber Security field, you probably know how a traditional Security Operations Center (SOC) operates. It’s often characterized by a demanding workload, extended night shifts, and high personnel turnover. These factors can lead to alert fatigue among analysts and lower morale. The stressful nature of such environments can also result…

Read More
20. 12. 2025 Luca Zeni Blue Team, CTF Writeups

Infection Chain – Behind the Scenes

The year is almost over and there’s one thing that always marks this period: the end of one of our biggest and most hyped events. You probably already know what I’m talking about… but just in case you don’t (or even worse, have no idea what the most awaited event of the year is) let…

Read More
19. 12. 2025 Beatrice Dall'Omo SATAYO

Automating Report Sharing with Microsoft Graph API

When periodic reports need to be shared in dedicated spaces, managing documents manually can quickly become a significant burden. Every reporting cycle involves generating and uploading files to multiple SharePoint folders, a time-consuming process that’s also prone to human error. The main challenge lies in handling SharePoint tasks manually, which affects efficiency, consistency, and makes…

Read More
15. 12. 2025 Daniel Degasperi Blue Team, Log-SIEM, SEC4U

Hunting Silent Kerberoasting: Detecting RC4 TGS Floods with Elastic

Introduction Kerberoasting remains one of the most popular techniques for attackers attempting to escalate privileges inside a Windows domain. By requesting service tickets (TGS – Ticket Granting Service) encrypted with weak algorithms, an attacker can extract hashes and crack them offline to recover service account passwords. It should be mentioned that a Kerberos ticket request…
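The "flood" the title refers to is visible in the domain controller's Security log as a burst of Event ID 4769 (service ticket requested) records from one account, each with TicketEncryptionType 0x17 (RC4-HMAC) and a different ServiceName. The detector below is an added example written for this page, not code from the article or from the Elastic rule it describes: it implements the same idea as a sliding-window count over constructed sample records in a flat `key=value` form, so it runs offline. In Elastic the equivalent fields would be `event.code`, `winlog.event_data.TicketEncryptionType`, `winlog.event_data.ServiceName`, `winlog.event_data.TargetUserName` and `winlog.event_data.IpAddress`; the field names, thresholds and the sample users, IPs and SPN accounts here are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # TicketEncryptionType for RC4-HMAC; 0x11 / 0x12 are AES128 / AES256


def parse_event(line: str) -> dict:
    """Parse one flattened 4769 record written as 'key=value key=value ...' (constructed format)."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["etype"] = int(ev["etype"], 16)
    return ev


def is_roast_candidate(ev: dict) -> bool:
    """Successful RC4 service-ticket request for a user service account.
    Computer accounts (trailing '$') and krbtgt are not crackable targets, so they are skipped."""
    svc = ev["service"]
    return (ev["status"] == "0x0"
            and ev["etype"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_rc4_tgs_floods(lines, window=timedelta(minutes=5), threshold=5):
    """Per (requesting user, source IP), slide a time window over the RC4 requests and alert
    when at least `threshold` distinct service accounts were requested inside `window`.
    Returns one alert per offending pair, describing the widest burst seen."""
    by_key = defaultdict(list)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if is_roast_candidate(ev):
            by_key[(ev["user"], ev["ip"])].append(ev)
    alerts = []
    for (user, ip), evs in by_key.items():
        best, start = None, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {"user": user, "ip": ip, "first": evs[start]["ts"],
                        "last": ev["ts"], "services": sorted(services)}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample records (not real telemetry). One user pulls RC4 tickets for six
# different service accounts in ~40 seconds; the rest is benign noise the filter must ignore.
SAMPLE_4769 = [
    "ts=2025-12-15T08:00:01 user=jdoe ip=10.0.0.5 service=svc_sql etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:05 user=jdoe ip=10.0.0.5 service=svc_web etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:12 user=jdoe ip=10.0.0.5 service=svc_backup etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:20 user=jdoe ip=10.0.0.5 service=svc_iis etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:31 user=jdoe ip=10.0.0.5 service=svc_adsync etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:40 user=jdoe ip=10.0.0.5 service=svc_mssql2 etype=0x17 status=0x0",
    "ts=2025-12-15T08:00:41 user=jdoe ip=10.0.0.5 service=WS01$ etype=0x17 status=0x0",      # computer account
    "ts=2025-12-15T08:00:42 user=jdoe ip=10.0.0.5 service=svc_fail etype=0x17 status=0x7",   # failed request
    "ts=2025-12-15T08:01:00 user=asmith ip=10.0.0.9 service=krbtgt etype=0x17 status=0x0",   # TGT, not TGS target
    "ts=2025-12-15T08:01:10 user=asmith ip=10.0.0.9 service=svc_sql etype=0x12 status=0x0",  # AES256, normal
    "ts=2025-12-15T08:02:00 user=bwhite ip=10.0.0.11 service=svc_legacy etype=0x17 status=0x0",  # single RC4
]

if __name__ == "__main__":
    for alert in detect_rc4_tgs_floods(SAMPLE_4769):
        print(alert)
```

Keying on the source IP as well as the account is what separates a Kerberoasting tool from a service that legitimately holds many SPNs: the same account name coming from two hosts gets two independent counters. The `window` and `threshold` are the knobs to tune per environment; a legacy application that really does need RC4 will show up as a low, steady rate of tickets for the same one or two SPNs rather than a burst across many.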

Read More
27. 11. 2025 Beatrice Dall'Omo Exposure Assessment, SEC4U

See What Outsiders See: The External Attack Surface Management Report

Organizations often struggle to understand how they truly appear from the outside. Security teams work hard to protect internal systems, yet the real exposure visible to potential attackers often remains unclear. That’s why we created the External Attack Surface Management (EASM) report. By delivering this report we want to provide a clear overview of the…

Read More
26. 11. 2025 Mirko Ioris Blue Team, SEC4U

You’ve Got a New Message! Oh No… It’s Malware!

On October 1, 2025, Würth Group employees were targeted by a WhatsApp-based cyberattack. A few users fell for it and some devices got infected. The attack was promptly detected by our Cyber Defense Center, and was stopped before it could spread further. Investigating the threat more deeply, we discovered it was part of a wider…

Read More
17. 11. 2025 Luca Zeni Blue Team, Events, Red Team

SANS 504 – A New Experience in London

My SANS Course in London – April 2025 Back in April, I had the opportunity to attend a SANS course in London. More precisely, SANS 504: Hacker Tools, Techniques, and Incident Handling. The course ran from April 7th to April 12th, and those six days were intense, exciting, and surprisingly fun in ways I didn’t…

Read More
05. 11. 2025 Massimo Giaimo SATAYO, Threat Intelligence

Embedding Threat Intelligence into Your Security Operations

Producing actionable intelligence must be the primary objective of every Threat Intelligence analyst. Properly integrating Threat Intelligence into Security Operations processes is a recurring problem. In this article, I aim to describe the integration process we, at Würth IT, have implemented, which allows us to produce actionable…

Read More

Archive