Resemble AI has launched DETECT-3B Omni, a deepfake detection model that analyzes audio, images, and video using a unified system. It boasts enhanced capabilities over its predecessor, DETECT-2B, including expanded training data, support for over 40 languages, and protections against modern threats like replay attacks. The model ranks highly on various benchmarks for its detection accuracy across multiple media types.

A recent study found that over 90% of participants could not reliably distinguish between real and AI-generated videos. The findings highlight the impressive advancements in AI video generation, particularly with the Gen-4.5 model, and raise concerns about the implications for video authenticity and trust.

This article discusses how threat actors can exploit the Bind Link API in Windows 11 to redirect EDR folders to locations under their control, allowing them to tamper with EDR operations. It details a proof of concept tool called EDR-Redir that demonstrates this technique and highlights detection strategies for security teams.

This eBook focuses on the vulnerabilities in enterprise security caused by evolving attack methods. It highlights how adversaries exploit gaps in visibility across endpoints, cloud, network, and identity domains, and offers insights on improving detection and response with Vectra AI’s technology.

This article explains how to use CloudFlare Workers for Conditional Access Payload Delivery (CAPD). It details the architecture, code implementation, and variations to enhance security and flexibility in delivering payloads while minimizing detection risks.

This article outlines the updates in MITRE ATT&CK v18, focusing on new Detection Strategies and Analytics that enhance the framework's usability for cyber defenders. It details improvements in coverage across various domains, including enterprise, mobile, and industrial control systems, as well as the introduction of the ATT&CK Advisory Council for community input.

This article explores how AI agents, specifically Claude Code, streamline the threat hunting process in security operations. Using Model Context Protocol (MCP) servers, analysts can quickly gather evidence and prioritize threats for investigation, transforming a traditionally manual task into a more efficient workflow.

This article details the MongoBleed vulnerability (CVE-2025-14847) in MongoDB, which allows attackers to extract sensitive data from server memory without authentication. It outlines a detection method using Velociraptor to identify exploitation attempts by analyzing connection patterns in MongoDB logs.

TruffleHog has introduced a new feature that detects JSON Web Tokens (JWTs) signed with public-key cryptography and verifies their liveness. This capability has already identified hundreds of exposed JWTs shortly after deployment, improving security for users. However, it does not currently support shared-secret-based JWTs or those from non-routing IPs.

Magnet is a modular toolkit designed for generating telemetry and simulating malicious activity, primarily for testing detection rules. It can also serve as a decoy during red team engagements. The project is still developing and welcomes contributions.

This article outlines essential resources and methodologies for detection engineers, emphasizing the need for a proactive approach to cybersecurity through detection-as-code. It covers key roles, frameworks, and specializations within detection engineering.

Resemble AI has launched DETECT-3B Omni, a deepfake detection model that analyzes audio, images, and video through a single API. It improves upon its predecessor with expanded training data, increased language support, and enhanced protection against modern synthetic media threats. The model achieves top performance benchmarks across all modalities.

Social Analyzer is an OSINT tool that helps find and analyze profiles across over 1000 social media platforms. It offers various detection modules and analysis features to assist in investigating suspicious online activities. The tool is used by some law enforcement agencies, particularly in resource-limited areas.

Santamon is a detection sidecar for the Santa application that evaluates macOS Endpoint Security telemetry using CEL rules. It processes detection signals locally and sends only relevant alerts to a backend server, keeping raw telemetry on the endpoint. Ideal for home labs and small fleets, it's still in an experimental stage.

This article details the features of the Security Detections MCP server, which allows LLMs to query various security detection rules. It highlights enhancements like improved error handling, dynamic pattern extraction, and the introduction of 11 pre-built prompts for common security tasks.

Vega offers a solution for security operations without the need for data migration or complex setups. Its AI-powered analytics and detection provide immediate visibility across all data, enabling faster and more effective security responses. You maintain control over your data while benefiting from rapid onboarding.

Google has updated its Gemini app to allow users to verify if videos were created by its AI. By uploading a video, users can check for a digital watermark that indicates AI involvement. However, this tool only works for content generated by Google's own systems.

This article discusses the risks of prompt injection attacks on AI browser agents and presents a benchmark for evaluating detection mechanisms. It highlights the challenges in creating effective security systems and introduces a fine-tuned model that improves attack detection while maintaining user experience.

This article explains drift in machine learning, which occurs when the data distribution changes over time, impacting model performance. It distinguishes between data drift and concept drift, and outlines methods for detecting and handling these shifts to maintain model reliability.

Detection engineering requires an understanding of how attackers exploit subtle flaws in detection rules. The article highlights five common pitfalls that can lead to missed threats, including parameter variations, command chaining, double spaces, obfuscation techniques, and unaudited commands. By addressing these issues, detection engineers can improve their rule-writing to better catch malicious activity.

ghbuster is a tool that identifies potentially malicious or inauthentic GitHub repositories and users through heuristics. It provides methods to detect suspicious activities such as unlinked email commits and coordinated stargazing, helping to maintain the integrity of the GitHub ecosystem. Users can easily install and run the tool with specific commands and can also generate documentation and run tests.

The article provides insights into detecting privilege escalation vulnerabilities in Active Directory Certificate Services (ADCS). It outlines various techniques and tools that can be employed to identify and mitigate these security risks effectively. The content emphasizes the importance of proactive security measures in safeguarding sensitive systems.

AutoPwnKey is a framework designed to enhance security awareness regarding the risks of AutoHotKey and AutoIT in red team engagements. It aims to equip red teams with tools to effectively test and assess security postures against evasive tactics used by adversaries, while encouraging ethical participation and contributions to improve detection capabilities. The ultimate goal is to make such attack vectors obsolete by advancing detection logic.

This repository contains the official code for the paper "Unlearning Isn't Invisible: Detecting Unlearning Traces in LLMs from Model Outputs," which addresses the detection of unlearning traces in large language models (LLMs). The repository is actively being updated and provides various documentation files related to data, installation, and responses. Researchers are encouraged to cite the work if they find it beneficial.

Cloudflared is a tunneling application that allows secure remote access to hosts and deployment of web applications without exposing them to the internet. However, it has also been misused by ransomware groups for maintaining unauthorized access within compromised environments. The article discusses various detection methods for identifying malicious Cloudflared instances, including analyzing account IDs and monitoring for anomalous activities.

The article discusses advancements in artificial intelligence aimed at defending against deepfake technology, which poses significant risks to personal and organizational security. It emphasizes the importance of developing robust detection methods to identify manipulated media and protect against misinformation. Additionally, the piece highlights the need for ongoing research and collaboration in this evolving field.

The "am-i-vibing" library detects whether CLI tools and Node applications are being executed by AI agents, allowing them to adjust outputs and error handling accordingly. It provides functions for detecting different types of environments—agentic, interactive, and hybrid—and can be used via CLI for quick checks and detailed diagnostics.

Understanding the distinctions between Indicators of Attack (IoAs), Indicators of Compromise (IoCs), and fraud indicators is essential for effective threat hunting in cybersecurity. IoAs serve as proactive alerts to potential threats, while IoCs provide forensic evidence after a breach. The article emphasizes the importance of utilizing appropriate KQL queries to detect these indicators and enhance organizational security.

The DetectRaptor repository provides a collection of Velociraptor detection artifacts for easy public access and use. Users can import the VQL zip file into Velociraptor through the artifact exchange feature, which includes various detection methods for Windows, Linux, and macOS systems. Current artifacts cover a range of detection scenarios, including malware and system behavior analysis.

Bots can perform beneficial tasks but can also disrupt services and steal data. This guide provides strategies for detecting and stopping malicious bots, including monitoring traffic patterns, using bot detection tools, implementing honeypots, and applying rate limiting to control excessive requests.

Call stacks enhance malware detection by providing detailed insights into who is executing specific activities on Windows systems. By utilizing execution tracing features and enriching call stack data, Elastic's approach improves the ability to identify and respond to malicious behavior more effectively. The article emphasizes the importance of accurately analyzing call stacks to expose the lies malware authors use to conceal their actions.

The article discusses an advanced technique for bypassing the Anti-Malware Scan Interface (AMSI) using RPC hijacking through the NdrClientCall3 function. By intercepting the scan requests at the RPC level, this method manipulates the data before it reaches antivirus engines, allowing malware to evade detection without modifying AMSI itself. This approach operates deeper than traditional bypass methods, making it more effective against both signature and behavior-based detection systems.

A large-scale ad fraud operation named 'Scallywag' has been generating 1.4 billion fraudulent ad requests daily through malicious WordPress plugins targeting piracy and URL shortening sites. Though efforts by the detection firm HUMAN have reduced Scallywag's operations by 95%, the perpetrators are adapting by rotating domains and exploring new monetization strategies.

Verisimilitude, the art of crafting believable actions, plays a crucial role in cybersecurity, particularly for attackers aiming to blend their activities into legitimate operations. By utilizing techniques that enhance the perceived legitimacy of their actions, such as visual, logical, and behavioral verisimilitude, threat actors can evade detection. Defenders must shift their focus from merely identifying anomalies to understanding the plausibility of actions to effectively combat these sophisticated threats.

OUTLAW is a persistent coinminer malware that uses basic techniques like SSH brute-forcing and cron-based persistence to propagate itself across networks. By observing its behavior through a honeypot setup, researchers gained insights into its operational strategies, revealing a multi-stage infection process that leverages commodity tools and demonstrates how simple malware can remain effective in modern environments. The report outlines the attack chain and offers detection strategies based on the malware's predictable behaviors.

AI-generated articles have now outnumbered human-written articles published on the web, but their growth has plateaued since May 2024. Despite their prevalence, these AI articles do not perform well in search engines, and the study did not assess the prevalence of AI-assisted human-edited content, which may be more common.

A Rust-based Linux kernel module for rootkit detection was developed during an internship at Thalium to enhance malware detection capabilities in various Linux environments. The article discusses the importance of detecting kernel rootkits and outlines the tools and techniques used for this purpose, including leveraging the Linux kernel's tracing APIs and the limitations of existing malware detection solutions.

Maltrail is a malicious traffic detection system that utilizes various blacklists and heuristic mechanisms to identify and report suspicious activities such as malware and unauthorized access attempts. It operates on a sensor-server-client architecture, allowing for real-time monitoring and logging of network traffic, and can be set up easily on Linux systems or via Docker. The system supports extensive customization through user-defined lists and integrates various data sources for comprehensive threat detection.

The article delves into the concept of detection in-depth, exploring various methodologies and technologies used to enhance detection capabilities across different fields. It emphasizes the importance of comprehensive detection strategies to improve outcomes and reduce risks in various applications. The discussion includes the integration of advanced technologies and the need for continuous improvement in detection processes.

Effective fraud prevention requires a comprehensive approach, analyzing various signals and trends. This guide provides over 50 key signals for identifying fraud during Know Your Customer (KYC) checks and 24 additional signals for Know Your Business (KYB) checks, aimed at enhancing fraud detection strategies.

Open-source tools utilized by threat actors exploiting Ivanti's Cloud Services Appliance (CSA) vulnerabilities are analyzed, focusing on the suo5 HTTP proxy tool. The article highlights its functionalities, detection strategies, and the forensic investigations conducted by Synacktiv's CSIRT to understand the attack methods and improve security measures against such threats.

Detection engineering relies on assumptions made during the creation of detection rules, which are often based on limited data and can lead to false positives. Continuous reassessment of these assumptions is vital, especially as environments and behaviors evolve. The article discusses the challenges of tuning detection rules while balancing the need for accuracy and the limitations of available telemetry.

BamboozlEDR is an Event Tracing for Windows (ETW) tool designed for generating realistic security events to test EDR detection capabilities and security monitoring solutions. It features a TUI interface, supports multiple Windows ETW providers, and includes advanced features such as event obfuscation to protect against static analysis. The tool is intended for research and testing purposes and requires user interaction to minimize misuse.

SpyCloud research reveals that traditional endpoint detection and antivirus solutions fail to identify approximately two-thirds (66%) of malware infections. This significant shortcoming raises concerns about the effectiveness of current cybersecurity measures in protecting against sophisticated threats. The findings suggest a need for enhanced detection technologies to better combat malware risks.

AIDR-Bastion is a GenAI protection system that employs multiple detection engines to analyze user inputs and safeguard against malicious activity. It supports various detection rules, integrates with popular platforms for enhanced functionality, and features a flexible architecture that allows for extensibility and real-time analysis. The system is designed to provide comprehensive defense against adversarial prompt engineering and other AI-related threats.

The article discusses the evolving role of Indicators of Compromise (IOCs) and the importance of context in threat detection. It emphasizes the limitations of IOCs in real-time detection due to their quick obsolescence and the need to balance their use with behavioral detections (IOAs) for more effective cybersecurity strategies. The piece also highlights that not all IOCs are created equal and stresses the value of enriched context for maximizing their effectiveness in threat analysis.