Corporate & board cyber-exposure briefings
49 briefingsThese briefings address the digital exposure layer that sits outside your perimeter but inside a determined adversary's reconnaissance toolkit: staff credentials in breach corpora, executive home addresses in people-search platforms, supplier relationships in public filings, third-party access artefacts in infostealer markets.
Most corporate security programmes measure infrastructure risk. They do not measure the personal data layer — the records held in data broker systems that map your people, not your network. These briefings fill that gap with practitioner-level analysis of how corporate exposure is built, how threat actors use it, and what structured investigation and monitoring approaches identify the risk before it becomes an incident.
Coverage includes threat actor profiles for the most active criminal groups targeting corporate data, NIS2 and board-level disclosure obligations across EU and UK jurisdictions, attack chains that originate in open-source data, and the intelligence methodologies behind targeted campaigns. The audience is security and risk professionals, board members, and executives who need to understand the actual threat model, not a vendor summary of it.
Corporate Footprint
View hub →Dutch NIS2 Compliance: The Exposure Gap Boards Still Need to Map
From 15 August 2026 the Dutch Cyberbeveiligingswet makes boards accountable for cyber-risk management, and a controls checklist alone cannot show the exposure that makes those controls bypassable.
ANALYSISDo Phishing Simulations Work? Only If the Threat Model Does
Generic security-awareness training barely moved failure rates in the large studies; the realism of the lure moved them far more. That makes a simulation only as good as the attack surface behind it.
ANALYSISThe Consultant as an Exposure Surface
A consultant expands your attack surface before they get a login. What an attacker can infer, and weaponise, from a visibly trusted third-party relationship.
ANALYSISBusiness Email Compromise Defence: How to Break the Attack Chain Before the Payment Request
CEO fraud rarely begins in the inbox. By the time the payment-change email arrives, the attacker has already mapped the people, timing, and relationships behind it.
ANALYSISAttack Surface Management vs Exposure Management: What's the Difference?
ASM and exposure management are not rivals, and even the vendors define the words inconsistently. The one definition that holds, and the human layer no scanner reaches.
ANALYSISDo Exposure Audits Actually Work?
Security exposure audits reduce risk only under three conditions. What they are, when an audit is theatre, and where they fit within exposure management.
ANALYSISThe Evidence Standard Problem in OSINT: When Findings Are Intelligence, Not Evidence
Most open-source findings are intelligence, not evidence. What separates the two, and why the difference matters even when a case never reaches court.
ANALYSISWhat Stealer-Log Monitoring Actually Prevents — and What It Misses
Stealer-log monitoring catches the crowd reusing commodity credentials, not the operator who bought your specific access while the log was still private.
ANALYSISThe Data Broker in Your Sales Stack: What AI Sales Tools Do With the Data You Feed Them
Some AI sales and enrichment tools take a licence to absorb the contacts you upload into a dataset they resell, your competitors included. Here is the exposure under the GDPR and NIS2, and how to check before you connect your CRM.
INTELScattered Spider: A Social-Engineering Threat Profile
Scattered Spider (UNC3944) breaks into Fortune 500 networks with a ten-minute call to the help desk. A profile of its method, its ransomware partners, the arrests, and the defence.
ANALYSISWhat "The Com" Actually Is: One Word, Thousands of People, Three Kinds of Crime
In 2019 ‘The Community’ named nine indicted SIM-swappers. By 2025 ‘The Com’ meant thousands. We trace the drift and isolate the one layer that belongs on a corporate risk register.
ANALYSISWhy People Fall for Phishing
A 21-day field experiment sent simulated phishing to 158 people. 43% clicked, older users never improved, and the lures that worked show the limits of training.
ANALYSISThe Six Phases of a Social Engineering Attack
Social engineering runs in six phases, but the dominant security frameworks map only the technical ones. The Arup $25M deepfake fraud shows where defences actually need to sit.
ANALYSISThreat Surface vs Attack Surface: The Half That ASM Tools Miss
Attack surface is what you own; threat surface is that exposure plus the adversary capability pointed at it. ASM tools measure the first half well and the second half not at all.
INTELDragonForce Ransomware: Threat Actor Profile
DragonForce ransomware cartel: public RaaS registration, the RansomHub infrastructure episode, Suppliers marketplace, SINBON and Co-op UK breaches.
ANALYSISOne GitLab Instance, 800 Clients: The Credential Risk Hidden in Your Consulting Relationships
One breach of a consulting firm's self-managed GitLab instance exposed client engagement data across hundreds of organisations. The Nissan downstream disclosure three months later confirms the pattern.
ANALYSISWhy Family Office Succession Creates a Recurring Cybersecurity Window
Professional management cycles create a recurring cybersecurity window in family offices — resetting every seven years and compounding across CEO, CFO, and COO roles.
INTELThe Gentlemen Ransomware: Threat Actor Profile
The #2 ransomware group globally in Q1 2026, built from a Qilin affiliate dispute. A 14,700-device FortiGate access inventory, a self-propagating encryptor with no bulk-decrypt path, and a supply-chain pivot from an Atlassian partner into a $12B manufacturer.
ANALYSISWhen Someone Else's Security Becomes Your Breach: Third-Party Risk and Supply Chain Attacks Are Not the Same Problem
Third-party risk and supply chain risk describe opposite threat models — understanding the direction of trust changes what an organisation investigates and what it finds.
ANALYSISThe Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
ANALYSISUnmanaged Devices, Personal Accounts, and the Corporate Attack Surface You Don't Own
Attack surface management maps what a company owns and can see. A growing share of corporate access lives on personal devices and accounts it owns neither, and the gap widens with seniority.
INTELCoinbaseCartel: A Data-Theft Extortion Profile
A profile of CoinbaseCartel, the data-theft extortion group that breaks into companies using years-old infostealer credentials instead of encryption.
INTELQilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
ANALYSISRansomware Negotiation: Four Response Modes Law Firms Have Actually Used
What the HWLE court record and four leaked transcripts reveal about how ransomware operators negotiate with law firms, and the four ways firms have actually responded when a ransom demand lands.
ANALYSISReporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss
Most cybersecurity board packs were built for the audit committee, not the directive. A look at what NIS2 Article 20 actually asks the board to evidence, how the SEC and UK CSR Bill compare, and what a defensible six-section quarterly pack looks like in practice.
ANALYSISCybersecurity for Executives: Four Threat Models Most Buyers Don't Distinguish
Most executive cybersecurity products address one of four threat models. The other three are where the Arup, MGM, Coinbase and M&S losses landed.
ANALYSISRIA cybersecurity in 2026: where training-first programs miss the actual attack surface
Six RIAs breached by ShinyHunters in 90 days exposed a structural gap: firms train for phishing but leave principal data wide open to the attacks attackers actually used.
ANALYSISLaw Firm Data Breaches: What They Expose About the Client Side
When outside counsel is breached, the data exposed is the client’s. Six verified incidents, a 27-day ransomware leak-site cohort of 19 firms, and the questions principals can ask their counsel.
ANALYSISIdentity Attack Surface: What Infrastructure ASM Vendors Don’t See
Infrastructure ASM, CAASM, and exposure-assessment platforms map machines. They do not map the people-shaped surface that the most expensive intrusions of 2023–2025 actually turned on.
ANALYSISWhy Ransom Notes Read Like Demand Letters
Ransom-extortion text borrows the recognisable forms of demand letters, litigation pleadings, and PR holding statements. The form is a legitimation tool the corporate audit needs to read.
ANALYSISReading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
ANALYSISFamily Office Cybersecurity: The Principal’s Exposure Surface
Deloitte’s 2024 family office report shows phishing at 93% prevalence. The IT layer cannot reach the surface that makes those attacks plausible.
ANALYSISRight of Access as Reconnaissance: The Article 15 Verification Gap
GDPR Article 15 was designed to protect data subjects. It also creates a pre-authenticated data exfiltration channel at understaffed controllers — and NIS2 will close the gap.
INTELWhy Executive Digital Exposure Is a NIS2 Compliance Risk
Article 21 of the NIS2 directive names supply-chain and human-factor risk. Executive digital exposure fits both — and sits in the half of compliance that most programmes under-audit.
ANALYSISHow to Verify AI Voice Scam Claims
Abnormal's ATHR vishing disclosure is sole-sourced, IOC-free, and invisible on the underground after a full verification window. A framework for reading AI threat marketing.
ANALYSISNIS2 Personal Liability: What the Directive Actually Says About Board Members
The NIS2 Directive requires management bodies to approve, oversee, and bear liability for cybersecurity risk management. Twenty-two EU member states have transposed it into law. The directive sets the standard of care; national company law supplies the personal claim — and the gap most boards leave open is their own digital exposure.
ANALYSISBasic-Fit, Booking.com, and the SEPA Direct Debit Fraud Kit
Two major EU breaches disclosed on the same Sunday, two different attack patterns, one downstream consequence: targeted fraud built on real data. How SEPA Direct Debit fraud actually works after an IBAN leak, and what closes the window.
ANALYSISCanada Goose: Two Extortion Claims and the Vendors Nobody Named
ShinyHunters published 581,877 Canada Goose customer records in February 2026. Twenty-four days later, Coinbasecartel listed the same brand claiming supply chain data — on the same day as Lacoste.
ANALYSISHow a Security Scanner Breached the European Commission
CERT-EU confirmed the European Commission was breached through a poisoned Trivy vulnerability scanner. The supply chain attack exposed DKIM signing keys, military financing data, and 52,000 email files — at the institution drafting Europe's cybersecurity laws.
GUIDECorporate Breach Response Checklist: The First 72 Hours
A structured 72-hour breach response checklist covering GDPR and US state notification laws, with phase-by-phase guidance for DPOs, CISOs, and board members.
ANALYSISRaaS Inc.: The Business Plan Nobody Asked For
Eighty-five ransomware groups competed for an $820 million market in 2025. Forty-seven of them claimed fewer than ten victims. The unit economics explain why.
INTELCorporate Credential Leak Assessment: What to Check After Credentials Surface
Google shut down its Dark Web Report because alerts without context are noise. Here is what stealer logs actually contain, why free scans miss most of it, and what a professional assessment covers.
ANALYSISThe EDPB Work Programme 2026–2027 and the Digital Omnibus: Is GDPR Quietly Shifting?
The EDPB is building compliance tools for a GDPR framework the European Commission may be in the process of dismantling. Here is what both documents change — and where they contradict.
METHODHow a 10-Minute Phone Call Took Down a $34 Billion Company
How Scattered Spider used LinkedIn, breach databases, and a 10-minute helpdesk call to compromise MGM Resorts and Marks & Spencer. Both attacks dissected stage by stage.
METHODLinkedIn OSINT: What Your Staff Profiles Reveal to Attackers
LinkedIn profiles reveal far more than most understand—timing patterns, role signals, public networks, business-context posts, and document metadata all become intelligence for phishing and vishing. This is what attackers actually see.
METHODHow the FBI Traced $3.6B in Bitcoin — Tool by Tool
The Bitfinex hack moved $3.6 billion through 2,000 addresses across six years. This is a step-by-step reconstruction of how investigators followed the trail — using Blockchair, 3xpl, and WalletExplorer, the same open-source tools anyone can access today.
ANALYSISWhat ShinyHunters Learns Before They Target Your Company
ShinyHunters called Wynn Resorts. Before that call was placed, they already knew who managed IT access, which SSO platform the company used, and which employees had credentials in breach databases. The call was the end of the intelligence phase, not the beginning.
ANALYSISAfter LockBit: The Ransomware Market Never Shrinks
Every major takedown — LockBit, ALPHV, RansomHub — was followed by a larger, more capable successor. 680 victims across 54 groups in February 2026 alone. A market analysis of who fills every vacuum, and what comes next.
INTELShinyHunters: Inside the Threat Group
From Tokopedia to Charter Communications, ShinyHunters has stolen data from hundreds of millions of people. Updated June 2026: Carnival (5.99M confirmed), Charter (42M claimed), BCD Travel, DentaQuest, Baker — and the FBI PSA on LMS targeting.
If this kind of exposure affects your organisation, a Corporate Audit maps the full surface.
Assess organisational exposure