Blog Entries

04. 02. 2026 Massimo Giaimo Threat Intelligence

From RAMP to RehubCom?

There’s been a lot of talk in recent days about the seizure of the underground forum RAMP. There’s little to add to this issue, which has already been extensively written about. An excellent summary is available in this BleepingComputer article. What I’d like to highlight in this article, however, is how the main players in…

02. 01. 2026 Massimo Giaimo SATAYO, Threat Intelligence

Ransomware Double Extortion Attack: 2025 Overview

As 2025 comes to a close, we can make some observations regarding the evolution of the double-extortion ransomware attack landscape. The data shown is the result of the enrichment performed within SATAYO starting from the data made available by the Ransomfeed project. The URLs of the Data Leak Sites (DLS) of the various ransomware gangs…

05. 11. 2025 Massimo Giaimo SATAYO, Threat Intelligence

Embedding Threat Intelligence into Your Security Operations

Producing actionable intelligence must be the mindset that every Threat Intelligence analyst must set as their primary objective. The problem of properly integrating Threat Intelligence into Security Operations processes is a recurring one. In this article, I aim to describe the integration process we, at Würth IT, have implemented, which allows us to produce actionable…

10. 10. 2025 Massimo Giaimo SEC4U, Threat Intelligence

NetEye Conference 2025: The Correct Analysis for Some Use Cases

During the NetEye Conference 2025, I discussed several analysis use cases where integrating threat intelligence information can help build a useful framework for further alert analysis. Below, I’ll share a possible analysis approach for each use case. Case 1 – Alert about scan attempts from an AWS IP SOC Analyst’s decision: “Ouch, this IP is…

04. 08. 2025 Massimo Giaimo SEC4U, Threat Intelligence

Favicon Intelligence – Detecting Clones Of Official Web Services

In this article, I want to introduce an important new development we have introduced within the SATAYO Threat Intelligence Platform (TIP). Our experience has shown that favicons, those seemingly innocuous icons used in browser tabs and bookmarks, can be a rich and often overlooked source of intelligence. By systematically analyzing these artifacts, we’ve established a…

07. 01. 2025 Massimo Giaimo Threat Intelligence

Gravy Analytics breached (to be confirmed)

WARNING: This post is constantly updated based on new evidence related to the data breach. The famous company Gravy Analytics seems to have suffered an attack. In fact, inside the XSS forum, a post was published, on Sunday night by the user nightly, reporting some evidence of what appears to be a really important exfiltration…

18. 11. 2024 Lorenzo Bevilacqua Development, Threat Intelligence

Scaling SATAYO: OSINT Research with Apache Airflow

Originally developed as a proof of concept, SATAYO was designed to gather and analyze OSINT (Open Source Intelligence) data on a single machine. Initially, the platform functioned as a single-threaded script, and scaling was only considered later. As SATAYO’s capabilities evolved to meet the needs of more clients and monitor a greater number of domains,…

08. 11. 2024 Luca Zeni Blue Team, SEC4U, Threat Intelligence

SATAYO And SOC: Exchanging Data For Better Insight

In this post, we’ll explore the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete example of integration between our SIEM and SATAYO, the CTI platform we use in our SOC…

01. 11. 2024 Massimo Giaimo Threat Intelligence

Our Contribution to Mitre Att@ck

Many of you have probably already heard about the MITRE ATT&CK framework. This framework is an important point of reference at the international level and is used within thousands of projects, detection rules, and platforms. The Adversarial Tactics, Techniques, and Common Knowledge is a guideline for classifying and describing cyberattacks and intrusions. It was created by…

26. 09. 2023 Francesco Pavanello Exposure Assessment, SATAYO, SEC4U, Threat Intelligence

Exposure Assessment: How to Identify Infrastructure Vulnerabilities

In our previous post about Exposure Assessment, we described how we outline a target’s infrastructure using SATAYO, our Cyber Threat Intelligence (CTI) platform. This means that we collected the identifiers of all the target’s machines, i.e., their host names and IP addresses. Now it’s time to understand which machines could allow an attacker to gain…

09. 06. 2023 Francesco Pavanello Exposure Assessment, SATAYO, SEC4U, Threat Intelligence

Exposure Assessment: The Best Way to Easily Discover a Target’s Infrastructure

Overview of discovering hostnames and IP addresses using OSINT techniques.
