Corporate digital exposure
41 briefings
Every organisation leaves a digital footprint that its security team did not place and cannot fully see: directorship records and filings that map senior leadership, HR platform profiles that expose staff movements, third-party breach data that circulates internal email addresses and credentials, and infostealer logs that aggregate personal device data alongside corporate access artefacts. Threat actors read this footprint methodically before any technical attempt begins.
The attack chains documented in recent incidents consistently start with open-source reconnaissance: a staff member's personal email found in a breach corpus, a supplier relationship mapped from a public filing, an executive's home address extracted from a companies register and used to build a social-engineering pretext. The entry points are in the data, not the infrastructure.
These briefings cover the criminal groups that use corporate exposure as an attack vector, the intelligence and investigation methodology behind targeted campaigns, the regulatory frameworks — NIS2, SEC disclosure rules, UK corporate governance standards — that govern how boards are expected to respond, and the structural audit and monitoring approaches that reduce the footprint before it becomes a liability.
All briefings in this hub
Scattered Spider: A Social-Engineering Threat Profile
Scattered Spider (UNC3944) breaks into Fortune 500 networks with a ten-minute call to the help desk. A profile of its method, its ransomware partners, the arrests, and the defence.
What "The Com" Actually Is: One Word, Thousands of People, Three Kinds of Crime
In 2019 ‘The Community’ named nine indicted SIM-swappers. By 2025 ‘The Com’ meant thousands. We trace the drift and isolate the one layer that belongs on a corporate risk register.
Why People Fall for Phishing
A 21-day field experiment sent simulated phishing to 158 people. 43% clicked, older users never improved, and the lures that worked show the limits of training.
The Six Phases of a Social Engineering Attack
Social engineering runs in six phases, but the dominant security frameworks map only the technical ones. The Arup $25M deepfake fraud shows where defences actually need to sit.
Threat Surface vs Attack Surface: The Half That ASM Tools Miss
Attack surface is what you own; threat surface is that exposure plus the adversary capability pointed at it. ASM tools measure the first half well and the second half not at all.
DragonForce Ransomware: Threat Actor Profile
DragonForce ransomware cartel: public RaaS registration, the RansomHub infrastructure episode, Suppliers marketplace, SINBON and Co-op UK breaches.
One GitLab Instance, 800 Clients: The Credential Risk Hidden in Your Consulting Relationships
One breach of a consulting firm's self-managed GitLab instance exposed client engagement data across hundreds of organisations. The Nissan downstream disclosure three months later confirms the pattern.
Why Family Office Succession Creates a Recurring Cybersecurity Window
Professional management cycles create a recurring cybersecurity window in family offices — resetting every seven years and compounding across CEO, CFO, and COO roles.
The Gentlemen Ransomware: Threat Actor Profile
The #2 ransomware group globally in Q1 2026, built from a Qilin affiliate dispute. A 14,700-device FortiGate access inventory, a self-propagating encryptor with no bulk-decrypt path, and a supply-chain pivot from an Atlassian partner into a $12B manufacturer.
When Someone Else's Security Becomes Your Breach: Third-Party Risk and Supply Chain Attacks Are Not the Same Problem
Third-party risk and supply chain risk describe opposite threat models — understanding the direction of trust changes what an organisation investigates and what it finds.
The Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold
The loud ransomware economy is the part you can measure. A priced, brokered market for stolen corporate access and data runs in silence beside it, and this is how we map it.
The Attack Surface You Don't Own: How Personal Devices and Lives Extend Corporate Risk
Attack surface management maps what a company owns and can see. A growing share of corporate access lives on personal devices and accounts it owns neither, and the gap widens with seniority.
CoinbaseCartel: A Data-Theft Extortion Profile
A profile of CoinbaseCartel, the data-theft extortion group that breaks into companies using years-old infostealer credentials instead of encryption.
Qilin Ransomware: The Most Active Threat Group of 2025-2026
Qilin posts more new victims to its leak site than any other ransomware operation in 2026. Who they are, how they work, the September 2025 cartel with LockBit and DragonForce, and why disruption has not slowed them.
Reporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss
Most cybersecurity board packs were built for the audit committee, not the directive. A look at what NIS2 Article 20 actually asks the board to evidence, how the SEC and UK CSR Bill compare, and what a defensible six-section quarterly pack looks like in practice.
Cybersecurity for Executives: Four Threat Models Most Buyers Don't Distinguish
Most executive cybersecurity products address one of four threat models. The other three are where the Arup, MGM, Coinbase and M&S losses landed.
RIA cybersecurity in 2026: where training-first programs miss the actual attack surface
Six RIAs breached by ShinyHunters in 90 days exposed a structural gap: firms train for phishing but leave principal data wide open to the attacks that were actually used.
Law Firm Data Breaches: What They Expose About the Client Side
When outside counsel is breached, the data exposed is the client’s. Six verified incidents, a 27-day ransomware leak-site cohort of 19 firms, and the questions principals can ask their counsel.
Identity Attack Surface: What Infrastructure ASM Vendors Don’t See
Infrastructure ASM, CAASM, and exposure-assessment platforms map machines. They do not map the people-shaped surface that the most expensive intrusions of 2023–2025 actually turned on.
Why Ransom Notes Read Like Demand Letters
Ransom-extortion text borrows the recognisable forms of demand letters, litigation pleadings, and PR holding statements. The form is a legitimation tool the corporate audit needs to read.
Reading the Ransom Note: The 2026 Extortion Economy in the Actors’ Own Words
Read four current ransom notes alongside the ShinyHunters leak site to see how the extortion economy industrialised around named-individual exposure.
Family Office Cybersecurity: The Principal’s Exposure Surface
Deloitte’s 2024 family office report shows phishing at 93% prevalence. The IT layer cannot reach the surface that makes those attacks plausible.
Right of Access as Reconnaissance: The Article 15 Verification Gap
GDPR Article 15 was designed to protect data subjects. It also creates a pre-authenticated data exfiltration channel at understaffed controllers — and NIS2 will close the gap.
Why Executive Digital Exposure Is a NIS2 Compliance Risk
Article 21 of the NIS2 directive names supply-chain and human-factor risk. Executive digital exposure fits both — and sits in the half of compliance that most programmes under-audit.
The ATHR Disclosure: Anatomy of a Sole-Source Threat Claim
Abnormal's ATHR vishing disclosure is sole-sourced, IOC-free, and invisible on the underground after a full verification window. A framework for reading AI threat marketing.
NIS2 Personal Liability: What the Directive Actually Says About Board Members
The NIS2 Directive requires management bodies to approve, oversee, and bear liability for cybersecurity risk management. Twenty-one EU member states have transposed it into law. Most compliance programmes focus on technical measures — but Article 20 asks boards to understand the risks, including their own digital exposure.
Basic-Fit, Booking.com, and the SEPA Direct Debit Fraud Kit
Two major EU breaches disclosed on the same Sunday, two different attack patterns, one downstream consequence: targeted fraud built on real data. How SEPA Direct Debit fraud actually works after an IBAN leak, and what closes the window.
Canada Goose: Two Extortion Claims and the Vendors Nobody Named
ShinyHunters published 581,877 Canada Goose customer records in February 2026. Twenty-four days later, CoinbaseCartel listed the same brand claiming supply chain data — on the same day as Lacoste.
How a Security Scanner Breached the European Commission
CERT-EU confirmed the European Commission was breached through a poisoned Trivy vulnerability scanner. The supply chain attack exposed DKIM signing keys, military financing data, and 52,000 email files — at the institution drafting Europe's cybersecurity laws.
Corporate Breach Response Checklist: The First 72 Hours
A structured 72-hour breach response checklist covering GDPR and US state notification laws, with phase-by-phase guidance for DPOs, CISOs, and board members.
RaaS Inc.: The Business Plan Nobody Asked For
Eighty-five ransomware groups competed for an $820 million market in 2025. Forty-seven of them claimed fewer than ten victims. The unit economics explain why.
How OSINT Tracks Smuggling Networks: The Intelligence Tradecraft Behind Europol’s New Centre
Europol launched ECAMS and named OSINT a core strategic capability. Here is how open-source intelligence actually tracks smuggling networks — from Telegram forwarding chains to satellite change detection.
What Happens After Your Corporate Credentials Leak
Google shut down its Dark Web Report because alerts without context are noise. Here is what stealer logs actually contain, why free scans miss most of it, and what a professional assessment covers.
The EDPB Work Programme 2026–2027 and the Digital Omnibus: Is GDPR Quietly Shifting?
The EDPB is building compliance tools for a GDPR framework the European Commission may be in the process of dismantling. Here is what both documents change — and where they contradict.
How a 10-Minute Phone Call Took Down a $34 Billion Company
How Scattered Spider used LinkedIn, breach databases, and a 10-minute helpdesk call to compromise MGM Resorts and Marks & Spencer. Both attacks dissected stage by stage.
Username and Alias Correlation: Methodology, Tooling, and Likelihood Assessment
A username is not anonymous. It is a behavioural fingerprint dressed as a pseudonym. This is how analysts trace handles to real identities — and why the same process is used against private individuals.
What a LinkedIn Profile Reveals to a Scammer
LinkedIn profiles reveal far more than most understand—timing patterns, role signals, public networks, business-context posts, and document metadata all become intelligence for phishing and vishing. This is what attackers actually see.
How the FBI Traced $3.6B in Bitcoin — Tool by Tool
The Bitfinex hack moved $3.6 billion through 2,000 addresses across six years. This is a step-by-step reconstruction of how investigators followed the trail — using Blockchair, 3xpl, and WalletExplorer, the same open-source tools anyone can access today.
What ShinyHunters Sees Before They Call: Your Organisation's Public Attack Surface
ShinyHunters called Wynn Resorts. Before that call was placed, they already knew who managed IT access, which SSO platform the company used, and which employees had credentials in breach databases. The call was the end of the intelligence phase, not the beginning.
After LockBit: The Ransomware Market Never Shrinks
Every major takedown — LockBit, ALPHV, RansomHub — was followed by a larger, more capable successor. 680 victims across 54 groups in February 2026 alone. A market analysis of who fills every vacuum, and what comes next.
ShinyHunters: Inside the Threat Group
From Tokopedia to Charter Communications, ShinyHunters has stolen data from hundreds of millions of people. Updated June 2026: Carnival (5.99M confirmed), Charter (42M claimed), BCD Travel, DentaQuest, Baker — and the FBI PSA on LMS targeting.