Threatstealth Security Research Blog
Practitioner-grade writing on threat intelligence, vulnerability research, detection engineering, exploit analysis, and compliance automation — from the Threatstealth security team.
- 2026 H1 Threat Landscape: Ransomware TTPs, KEV Exploitation Rates, and Emerging Vectors
  Ransomware operators reduced median dwell time to 4.3 days in H1 2026. KEV exploitation windows shrank to under 72 hours for 38% of new entries. This report analyses the data and maps it to defender actions.
- State of Enterprise Security 2026: Endpoint Telemetry Benchmarks from 10,000+ Monitored Systems
  Across 10,000+ monitored endpoints: median MTTD is 6.2 hours, median MTTR is 4.1 days, and 41% of critical alerts are never actioned within SLA. The benchmarks, the outliers, and what separates top-quartile teams.
- Anatomy of a Supply Chain Compromise: How a Poisoned Build Dependency Persisted for 23 Days
  A compromised npm package silently exfiltrated CI/CD environment variables — including cloud credentials and signing keys — for 23 days before detection. Here is the complete attack chain and where it could have been stopped.
- Lab Report: CVE-2025-32433 — Erlang/OTP SSH RCE Exploitation Chain and Detection Coverage
  CVE-2025-32433 is a CVSS 10.0 unauthenticated RCE in the Erlang/OTP SSH daemon. Any Erlang application exposing an SSH port — including RabbitMQ and CouchDB — is potentially affected. This lab reproduces the exploitation chain and documents detection coverage.
- Detection Engineering Playbook: Sigma Rules for LOLBAS Living-Off-the-Land Persistence
  67% of post-compromise persistence in H1 2026 used legitimate Windows binaries. Here are 12 production Sigma rules for the highest-volume LOLBAS techniques, with tuning notes and MITRE ATT&CK mappings.
- Exploit Research: SSRF-to-IMDS Credential Theft Chains in AWS, Azure, and GCP
  SSRF vulnerabilities that reach cloud metadata services give attackers temporary cloud credentials with the power of the instance's IAM role. Here's the full exploitation chain across AWS, Azure, and GCP — and what actually stops it.
- Telemetry Findings: 4.1M WAF Events Reveal the Top 10 Web Attack Patterns in Q1 2026
  SQL injection is still #1 by volume. But the most significant Q1 2026 shift is the rise of scanner-first attacks — automated tools probing for 47 CVEs before any human operator reviews the output. Here's what 4.1M events reveal.
- Benchmark Study: MTTD and MTTR Across EDR Configurations in 180-Day Controlled Simulations
  We ran 180 days of controlled adversary simulations across 6 EDR configurations. The results: rule density past a threshold hurts MTTD, SIEM integration drops MTTR by 61%, and the single highest-leverage configuration change is structured alert triage.
- KEV-First Vulnerability Management in 2026
  CVSS alone overstates priority for the 95% of CVEs that are never exploited. KEV+EPSS prioritisation cuts most teams' actionable backlog by 60–80% in the first week.
- OWASP LLM Top 10: the Acceptance Bar for Shipping Models
  SAST and DAST cannot reason about prompt-injection chains. The OWASP LLM Top 10 is the new acceptance bar for production model endpoints, and most teams ship with no baseline at all.
- MSSP Scale: Multi-Tenant Isolation Without the Glue
  Most SIEMs were designed for one tenant. Multi-tenancy bolted on at the application layer is one logic bug away from a cross-tenant data leak.
- Phishing Resilience as a Board Metric
  Move from 'we trained everyone' to 'click rate dropped 38% over six campaigns.' Here's how to build a per-org phishing-resilience score the board will quote.
- SOC 2 as a Side Effect
  Auditors want evidence, not screenshots. Here's how to wire every Trust Services Criteria control to a live signal so evidence accumulates continuously.
- The 08:30 Runbook: Day in the Life of a Super-Admin
  A super-admin's day is shaped by a small number of recurring rhythms. Run them in order and the platform stays healthy. Skip them and the queue takes over.
- EU CRA Audit Checklist — 60 Controls Across 8 Sections
  An auditor-grade EU Cyber Resilience Act checklist covering scope, Annex I essential requirements, vulnerability handling, conformity assessment, technical documentation, and incident reporting — every row tagged with the controlling CRA article and answered Yes / No / N/A.
- EU CRA Policy & Procedure Register — 48 Documents Across 7 Domains
  The complete EU CRA policy and procedure register: 48 documents (P-01 to P-48) organised into Governance, Secure Development, Vulnerability Management, Incident Response, Supply Chain, Documentation, and Conformity — each with an owner, a priority, and a CRA article reference.
- EU CRA Technical Requirements — 32 Controls (Mandatory + Good Service)
  An engineer-facing breakdown of EU CRA technical requirements: 13 Annex I Part I essential cybersecurity controls (mandatory), 7 Annex I Part II vulnerability-handling controls (mandatory), and 12 Good Service practices that materially reduce CRA risk and audit friction.