Corporate & board cyber-exposure briefings
34 briefings

These briefings address the digital exposure layer that sits outside your perimeter but inside a determined adversary's reconnaissance toolkit: staff credentials in breach corpora, executive home addresses in people-search platforms, supplier relationships in public filings, third-party access artefacts in infostealer markets.
Most corporate security programmes measure infrastructure risk. They do not measure the personal data layer — the records held in data broker systems that map your people, not your network. These briefings fill that gap with practitioner-level analysis of how corporate exposure is built, how threat actors use it, and what structured investigation and monitoring approaches identify the risk before it becomes an incident.
Coverage includes threat actor profiles for the most active criminal groups targeting corporate data, NIS2 and board-level disclosure obligations across EU and UK jurisdictions, attack chains that originate in open-source data, and the intelligence methodologies behind targeted campaigns. The audience is security and risk professionals, board members, and executives who need to understand the actual threat model, not a vendor summary of it.
Corporate Footprint
The Gentlemen Ransomware: Threat Actor Profile
The #2 ransomware group globally in Q1 2026, built from a Qilin affiliate dispute. A 14,700-device FortiGate access inventory, a self-propagating encryptor with no bulk-decrypt path, and a supply-chain pivot from an Atlassian partner into a $12B manufacturer.
[ANALYSIS] When Someone Else's Security Becomes Your Breach: Third-Party Risk and Supply Chain Attacks Are Not the Same Problem
Third-party risk and supply chain risk describe opposite threat models — understanding the direction of trust changes what an organisation investigates and what it finds.
[ANALYSIS] The Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
[ANALYSIS] The Attack Surface You Don't Own: How Personal Devices and Lives Extend Corporate Risk
Attack surface management maps what a company owns and can see. A growing share of corporate access lives on personal devices and accounts it owns neither, and the gap widens with seniority.
[INTEL] CoinbaseCartel: A Data-Theft Extortion Profile
A profile of CoinbaseCartel, the data-theft extortion group that breaks into companies using years-old infostealer credentials instead of encryption.
[INTEL] Qilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
[ANALYSIS] Reporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss
Most cybersecurity board packs were built for the audit committee, not the directive. A look at what NIS2 Article 20 actually asks the board to evidence, how the SEC and UK CSR Bill compare, and what a defensible six-section quarterly pack looks like in practice.
[ANALYSIS] Cybersecurity for Executives: Four Threat Models Most Buyers Don't Distinguish
Most executive cybersecurity products address one of four threat models. The other three are where the Arup, MGM, Coinbase and M&S losses landed.
[ANALYSIS] RIA cybersecurity in 2026: where training-first programs miss the actual attack surface
Six RIAs breached by ShinyHunters in 90 days exposed a structural gap: firms train for phishing but leave principal data wide open to the attacks attackers actually used.
[ANALYSIS] Law Firm Data Breaches: What They Expose About the Client Side
When outside counsel is breached, the data exposed is the client’s. Six verified incidents, a 27-day ransomware leak-site cohort of 19 firms, and the questions principals can ask their counsel.
[ANALYSIS] Identity Attack Surface: What Infrastructure ASM Vendors Don’t See
Infrastructure ASM, CAASM, and exposure-assessment platforms map machines. They do not map the people-shaped surface that the most expensive intrusions of 2023–2025 actually turned on.
[ANALYSIS] Why Ransom Notes Read Like Demand Letters
Ransom-extortion text borrows the recognisable forms of demand letters, litigation pleadings, and PR holding statements. The form is a legitimation tool the corporate audit needs to read.
[ANALYSIS] Reading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
[ANALYSIS] Family Office Cybersecurity: The Principal’s Exposure Surface
Deloitte’s 2024 family office report shows phishing at 93% prevalence. The IT layer cannot reach the surface that makes those attacks plausible.
[ANALYSIS] Right of Access as Reconnaissance: The Article 15 Verification Gap
GDPR Article 15 was designed to protect data subjects. It also creates a pre-authenticated data exfiltration channel at understaffed controllers — and NIS2 will close the gap.
[INTEL] Why Executive Digital Exposure Is a NIS2 Compliance Risk
Article 21 of the NIS2 directive names supply-chain and human-factor risk. Executive digital exposure fits both — and sits in the half of compliance that most programmes under-audit.
[ANALYSIS] The ATHR Disclosure: Anatomy of a Sole-Source Threat Claim
Abnormal's ATHR vishing disclosure is sole-sourced, IOC-free, and invisible on the underground after a full verification window. A framework for reading AI threat marketing.
[ANALYSIS] NIS2 Personal Liability: What the Directive Actually Says About Board Members
The NIS2 Directive requires management bodies to approve, oversee, and bear liability for cybersecurity risk management. Twenty-one EU member states have transposed it into law. Most compliance programmes focus on technical measures — but Article 20 asks boards to understand the risks, including their own digital exposure.
[ANALYSIS] Basic-Fit, Booking.com, and the SEPA Direct Debit Fraud Kit
Two major EU breaches disclosed on the same Sunday, two different attack patterns, one downstream consequence: targeted fraud built on real data. How SEPA Direct Debit fraud actually works after an IBAN leak, and what closes the window.
[ANALYSIS] Canada Goose: Two Extortion Claims and the Vendors Nobody Named
ShinyHunters published 581,877 Canada Goose customer records in February 2026. Twenty-four days later, CoinbaseCartel listed the same brand claiming supply chain data — on the same day as Lacoste.
[ANALYSIS] How a Security Scanner Breached the European Commission
CERT-EU confirmed the European Commission was breached through a poisoned Trivy vulnerability scanner. The supply chain attack exposed DKIM signing keys, military financing data, and 52,000 email files — at the institution drafting Europe's cybersecurity laws.
[GUIDE] Corporate Breach Response Checklist: The First 72 Hours
A structured 72-hour breach response checklist covering GDPR and US state notification laws, with phase-by-phase guidance for DPOs, CISOs, and board members.
[ANALYSIS] RaaS Inc.: The Business Plan Nobody Asked For
Eighty-five ransomware groups competed for an $820 million market in 2025. Forty-seven of them claimed fewer than ten victims. The unit economics explain why.
[ANALYSIS] How OSINT Tracks Smuggling Networks: The Intelligence Tradecraft Behind Europol’s New Centre
Europol launched ECAMS and named OSINT a core strategic capability. Here is how open-source intelligence actually tracks smuggling networks — from Telegram forwarding chains to satellite change detection.
[INTEL] What Happens After Your Corporate Credentials Leak
Google shut down its Dark Web Report because alerts without context are noise. Here is what stealer logs actually contain, why free scans miss most of it, and what a professional assessment covers.
[ANALYSIS] The EDPB Work Programme 2026–2027 and the Digital Omnibus: Is GDPR Quietly Shifting?
The EDPB is building compliance tools for a GDPR framework the European Commission may be in the process of dismantling. Here is what both documents change — and where they contradict.
[METHOD] How a 10-Minute Phone Call Took Down a $34 Billion Company
How Scattered Spider used LinkedIn, breach databases, and a 10-minute helpdesk call to compromise MGM Resorts and Marks & Spencer. Both attacks dissected stage by stage.
[INTEL] DRAGONFORCE: Anatomy Of A Graduated Exfiltration Cartel
In-depth analysis of the DragonForce Ransomware Cartel’s graduated leak strategy, OSINT-driven executive targeting, and the RansomBay affiliate model.
[METHOD] Username and Alias Correlation: Methodology, Tooling, and Likelihood Assessment
A username is not anonymous. It is a behavioural fingerprint dressed as a pseudonym. This is how analysts trace handles to real identities — and why the same process is used against private individuals.
[METHOD] What a LinkedIn Profile Reveals to a Scammer
LinkedIn profiles reveal far more than most understand—timing patterns, role signals, public networks, business-context posts, and document metadata all become intelligence for phishing and vishing. This is what attackers actually see.
[METHOD] How the FBI Traced $3.6B in Bitcoin — Tool by Tool
The Bitfinex hack moved $3.6 billion through 2,000 addresses across six years. This is a step-by-step reconstruction of how investigators followed the trail — using Blockchair, 3xpl, and WalletExplorer, the same open-source tools anyone can access today.
[ANALYSIS] What ShinyHunters Sees Before They Call: Your Organisation's Public Attack Surface
ShinyHunters called Wynn Resorts. Before that call was placed, they already knew who managed IT access, which SSO platform the company used, and which employees had credentials in breach databases. The call was the end of the intelligence phase, not the beginning.
[ANALYSIS] After LockBit: The Ransomware Market Never Shrinks
Every major takedown — LockBit, ALPHV, RansomHub — was followed by a larger, more capable successor. 680 victims across 54 groups in February 2026 alone. A market analysis of who fills every vacuum, and what comes next.
[INTEL] ShinyHunters: Inside the Threat Group
From Tokopedia to Canvas LMS, ShinyHunters has stolen data from hundreds of millions of people. Updated May 2026 with the Salesforce-Aura campaign, the documented Instructure resolution, and the 90-day cohort.