> deep dives
Long-form breakdowns, incident anatomies, and opinions that don't fit in a news post.
Your Backup Server Is a Domain-Admin Factory: The Kill Chain Ransomware Operators Have Automated
The backup server is the highest-privilege machine in most environments and the least-hardened. Ransomware operators have known this for years and built repeatable kill chains around it. This is how they work and what it takes to stop them.
One Symlink From Host Root: The runC maskedPaths Escapes and the Myth of the Container Boundary
Three runC CVEs disclosed in November 2025 turned container escape back into a /dev/null symlink race — and one of them walks straight through AppArmor and SELinux. Here is how the maskedPaths breakout works, why seccomp and user namespaces are the layers that actually held, and what to change before the next runtime CVE.
eBPF Cuts Both Ways: The Kernel Rootkit Is Now Standard Issue in 2026's Supply-Chain Malware
In two weeks, IronWorm and the atomic-lockfile AUR compromise both shipped an eBPF kernel rootkit as just another payload module. The observability primitive your stack is built on is now the malware's stealth layer — and most detection assumptions are structurally defeated.
Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.
SSRF to the Model, Model to the Cloud: The Inference Layer Is 2026's Softest Attack Surface
Model gateways and inference servers are repeating two decades of solved web-security mistakes — default-open binds, pickle RCE, pre-auth SQLi, and SSRF straight into cloud credentials. A field guide to the AI control plane's softest links and how to harden them before the next 36-hour exploitation window.
The Edge Device Audit: Turn CISA's BOD 26-02 Into a Playbook You Can Actually Run
CISA's BOD 26-02 just handed every infrastructure team a free edge-device audit checklist. Here is how to run it on your own network — inventory, version, exposure, and end-of-support triage — before an attacker runs theirs.
NTLM Coercion's Quiet Resurgence: Why 2026's Zero-Click Attacks Look Like 2021
Two unrelated bugs in the last month — an incomplete APT28 patch and an unpatched RPC defect — both hand attackers a 1990s-era credential primitive. The fact that NTLM coercion still works in 2026 is not a series of accidents. It is the model.
Worms All the Way Down: Why npm and PyPI Will Keep Spawning Self-Propagating Compromises Until We Re-Architect Install-Time Trust
From the original Shai-Hulud in September 2025 through CanisterSprawl, the Bitwarden CLI compromise, and Mini Shai-Hulud, every major npm/PyPI worm of the last eight months has used the same primitive: package lifecycle hooks that run arbitrary code on install. Until the registries change that default, each generation will keep landing.
The OAuth Pivot: How SaaS-to-SaaS Trust Became the 2026 Supply Chain Attack
Salesloft Drift industrialized it. UNC6040 weaponized vishing into it. Vercel and Context.ai proved it pivots through Google Workspace. The pattern is the same: a third-party SaaS gets popped, the attacker inherits its OAuth grants, and your password reset does absolutely nothing.
The Controller Token Leak Epidemic: Kubernetes Has a Confused-Deputy Problem
Six CVEs in three months, four against a single Kyverno feature, plus OpenShift AI and Argo CD: every modern Kubernetes platform is shipping helper code that hands its controller's bearer token to attacker-controlled URLs. The bug class isn't going to fix itself.
The Ransomware Dwell Time Collapse: When the Entire Kill Chain Fits Inside an Hour
Akira is encrypting domains 60 minutes after a VPN login. Storm-1175 is going from zero-day to domain-wide Medusa deployment in under 24 hours. The industry's average detection time is still measured in days. The math no longer works.
Self-Hosted and Unprotected: The AI Workflow Tool Security Crisis
Langflow, Flowise, n8n, ComfyUI — every major self-hosted AI workflow tool has shipped unauthenticated RCE vulnerabilities in 2026. This isn't a coincidence. It's a structural failure baked into how these tools were designed.
Severity Drift: Why Your Vulnerability Triage Process Is Working With Bad Data
From silent reclassifications to incomplete patches to NVD enrichment backlogs, the severity data your vuln management program depends on is wrong more often than you think. Here's the proof — and what to do about it.
Dead Drops on the Chain: Why Blockchain Became the C2 Infrastructure Defenders Can't Take Down
From EtherHiding to CanisterWorm to GlassWorm — attackers spent three years systematically proving that blockchain is the unkillable C2 channel. Here's how each technique works and what you can actually do about it.
Your Firewall Is the Foothold: Q1 2026's Edge Device Exploitation Epidemic
Three months into 2026, edge devices are the dominant entry point for attackers. A deep dive into the FortiGate SSO bypass and Ivanti EPMM RCE chains, and why this pattern shows no signs of stopping.