Introduction In modern SOC environments, detection rules are the cornerstone of identifying malicious activity. However, the effectiveness of a rule depends not only on what it looks for but also on how precisely it defines suspicious behavior. Many analysts have experienced the pain of rules that are “noisy” – generating countless false positives (FPs) that…
Read MoreIntroduction: What is MCP? The Model Context Protocol is an emerging open standard that defines how large language models and AI agents interact with external tools, services, and data sources. Instead of every AI provider building its own proprietary “tool calling” system, MCP provides a common protocol (typically over JSON-RPC) to expose capabilities such as…
Read MoreSummer is over, autumn is here – and so is the most anticipated event of the year for cybersecurity students: WP CTF 2025. Every year, the WP CTF draws cybersecurity students hungry to learn, compete, and put their skills to the test. Our marketing team has been working for months to organize an incredible event,…
Read MoreWelcome back for the second and last part of our journey into the jungle of Windows logs! In the first part we set out our goal – tracking admin authentications – and learned more about Windows, how authentication events are logged, and where can we focus to isolate the most accurate events. Today we’re going…
Read MoreIn the context of vulnerability management, it’s common to be faced with a long list of findings after each scan, often too many to tackle all at once. But how do you decide where to focus your efforts and resources? Which vulnerabilities are truly critical, the ones that could actually compromise your organization’s security? The…
Read More
In this article, I want to introduce an important new development we have introduced within the SATAYO Threat Intelligence Platform (TIP). Our experience has shown that favicons, those seemingly innocuous icons used in browser tabs and bookmarks, can be a rich and often overlooked source of intelligence. By systematically analyzing these artifacts, we’ve established a…
Read MoreWhen we talk about security assessments, the first thing that comes to mind is a snapshot of a company’s security posture: vulnerabilities, misconfigurations, uncontrolled access, and so on. But reducing these activities to a mere “test” means missing a key strategic opportunity: turning every assessment into the possibility of helping the internal IT team grow…
Read MoreIntroduction Windows environments rely heavily on authentication protocols like NTLM and Kerberos. While these protocols serve critical security purposes, they are also commonly abused during malicious activities. This article explains how to detect suspicious behaviors related to Domain Account Discovery and Credential Access, specifically focusing on Enumeration, Brute Force, and Password Spraying attempts via NTLM…
Read MoreIn the ever-evolving cyber threat landscape, financial institutions no longer have the luxury of relying on standard penetration tests or traditional assessments. As attackers grow more sophisticated and persistent, defenders must shift from theory to real-world simulation. This is exactly where Threat-Led Penetration Testing (TLPT) enters the picture, and with the EU’s Digital Operational Resilience…
Read MoreIf you’ve ever worked with Windows authentication logs, you know they can be a chaotic mess. Even when you’re looking for something apparently simple and useful – like tracking admin logins – you quickly find yourself in a sea of redundant entries, some of them logged for no apparent reason, and poorly documented details. I’ve…
Read MoreStepping Deeper into the CTF World It seems that this year, I’m a step further into the world of Capture The Flag (CTF) competitions: not sure why but I don’t regret it. We’re only halfway through the year, and I’ve already participated in three events. Not a huge amount, but a noticeable jump considering that…
Read MoreThis article gives an overview and offers a practical tips to detecting some suspicious activities in Microsoft SQL Server, from configuring audit policies to leveraging Elastic for effective monitoring and threat detection. Introduction Microsoft SQL Server is one of the most widely used relational databases in the enterprise landscape, managing critical data and supporting essential…
Read More⚠️ Warning: This article is intended for educational and ethical purposes only ⚠️ Red teamers don’t often engage in DDoS campaigns or stress testing against client systems, mainly for two reasons: However, there are cases where clients explicitly request such activities. When that happens, the red team must be thoroughly prepared; both legally, to clearly…
Read MoreIn the realm of red teaming, rapid and efficient information gathering is very important. To streamline this process, we’ve developed Vermilion, a lightweight post-exploitation tool for the rapid collection and optional exfiltration of sensitive data from Linux systems. A significant percentage of computational workflows worldwide run on GNU/Linux. Primarily used in servers and increasingly in…
Read MoreAs the digital arena evolves at lightning speed, so do the tactics of those seeking to breach it. Traditional security measures are no longer enough for today’s increasingly sophisticated cyber threats. The perimeter of technological infrastructure is no longer carved in stone – it shifts continuously, reflecting systems that are more distributed and challenging to…
Read More