The IT Nerd

As enterprises race to deploy AI coding agents, a new security challenge is emerging: organizations are creating high-privilege endpoint activity that many SOCs can’t actually see.

New research from the Abstract ASTRO team in a blog post that went live today examines telemetry from Anthropic’s Claude Code and Cowork and finds these tools create a rich but largely untapped detection source. It’s a source that can expose everything from shell execution and file access to plugin installs, MCP server interactions, and sensitive data leakage. The scary part? Most teams aren’t monitoring it.

ASTRO’s research also demonstrates how attackers could abuse AI coding workflows using techniques such as TrustFall, a recently disclosed flaw that can trigger arbitrary code execution simply through project trust prompts, potentially enabling credential theft, persistence, or data exfiltration.

A few findings and angles that may resonate with security readers:

• AI agents are becoming new endpoint hotspots with broad access across developer systems and applications
• Claude Code lacks native host telemetry, creating visibility and correlation challenges for SOC teams
• Organizations can reduce AI-agent log volume by 30–50% while preserving security visibility
• Detection opportunities include secret leakage, sensitive file access, malicious plugins, persistence attempts, and data exfiltration
• Researchers built a higher-fidelity detection approach correlating AI agent telemetry with EDR/process activity to reduce false positives

This speaks to a broader issue: security teams are entering an era where agent activity may need to be monitored the same way they monitor users, endpoints, and cloud infrastructure.

The Abstract ASTRO research team has just published a blog entitled: How Attackers Disable CloudTrail Without Calling StopLogging or DeleteTrail.

Security teams rely heavily on AWS CloudTrail as a source of truth for detecting breaches, but new research shows attackers can quietly disable or degrade logging without ever touching the APIs most defenders monitor.

In a new technical deep dive, ASTRO uncovers how adversaries are bypassing traditional detections (like StopLogging or DeleteTrail) and instead using lesser-known AWS APIs to blind logging systems while keeping them appearing fully operational.

Key findings that may interest your readers:

• Attackers can create “invisible activity zones” using PutEventSelectors, selectively excluding malicious actions from logs while CloudTrail continues to run normally.
• CloudTrail Lake can be silently neutralized via APIs like StopEventDataStoreIngestion and DeleteEventDataStore, halting or destroying long-term forensic visibility.
• Anomaly detection can be disabled outright by-passing empty parameters to PutInsightSelectors, removing automated detection of suspicious behavior.
• Critical guardrails can be dismantled through APIs like DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin, weakening cross-account protections.
• The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely.

The research also outlines detection strategies, including how to identify subtle parameter changes and—more importantly—how to correlate multiple low-signal events into high-confidence alerts, something most SIEMs struggle to do.

This has major implications for DFIR teams and cloud security programs: organizations may believe they have full visibility, while attackers are actively operating in blind spots.

You can read the blog entry here: https://www.abstract.security/blog/how-attackers-disable-cloudtrail-without-calling-stoplogging-or-deletetrail

A new threat intelligence report from the Abstract’s Threat Research Organization (ASTRO) will reveal that the cybercrime economy has industrialized network breaches with specialized criminals now selling pre-compromised access to corporate networks for as little as $500.

Abstract’s report, “Priced to Move: The Underground Markets of Modern Cyberattacks,” examines the rapidly growing ecosystem of Initial Access Brokers (IABs): attackers who break into organizations and then sell that access to ransomware gangs and other threat actors.

Key findings from the research include:

1. Credential abuse is now the dominant entry point. 56% of incidents involved valid accounts without MFA.
2. Ransomware attacks surged 47% year over year, fueled by the growth of this underground access market.
3. Network access often sells for $500–$1,000, allowing attackers to target dozens of organizations simultaneously.
4. Median time from initial compromise to ransomware deployment has dropped to just five days.
5. Healthcare, government, and education are among the sectors seeing the fastest growth in IAB-driven attacks.

The economics are striking. The report details a healthcare breach where $2,200 worth of purchased access ultimately resulted in nearly $4 million in damage, a roughly 1,700x return on investment for attackers.

ASTRO says the rise of access brokers has fundamentally changed how cybercrime operates…turning network intrusions into a specialized supply chain where one group gains access, another sells it, and ransomware gangs monetize it.

You can read the research here:https://abstract.security/reports/priced-to-move

Researchers from Abstracts ASTRO research team have uncovered new developments in the evolving “Contagious Interview” campaign, showing how attackers are increasingly abusing developer tools—including Visual Studio Code and the AI coding editor Cursor AI Code Editor—to silently execute malware on developer machines. Here is the blog post: Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains Part 2.

ASTRO analysts detail how attackers are embedding malicious commands into IDE task configuration files. When a developer opens a cloned repository and approves the standard workspace trust prompt, the tasks execute automatically which triggers multi-stage infection chains without requiring the victim to run code manually.

Key findings from the research include:

• New payload staging infrastructure: Attackers are shifting from previously exposed hosting platforms to GitHub Gists, URL shorteners, and Google Drive to stage malicious scripts and payloads.
• Developer-focused social engineering: Malicious repositories disguised as interview projects or legitimate development tools execute automatically when opened in an IDE.
• Multi-stage infection chains: Initial task execution downloads additional loaders and can ultimately deploy infostealers or backdoors targeting browser credentials, crypto wallets, and system data.
• Evasion tactics: Some payloads are hidden off-screen in configuration files or masquerade as legitimate GPU or driver tooling to avoid detection.

The report also outlines detection opportunities for security teams, including monitoring IDE-spawned shell commands, suspicious use of URL shorteners in configuration files, and unusual process chains involving Node.js and Python runtimes.

Given the growing use of AI-assisted development environments and the trust developers place in their toolchains, researchers warn this technique could become a major new software supply-chain attack vector.

The first blog post about Contagious Interview is here:: https://www.abstract.security/blog/contagious-interview-evolution-of-vscode-and-cursor-tasks-infection-chains.

Abstract’s ASTRO research team has just published a blog entitled: Critical Cisco Vulnerabilities: CVE-2026-20079 and CVE-2026-20131 Affecting Cisco Secure Firewall Management Center‍.

Earlier today, Cisco published several security advisories addressing vulnerabilities across its Secure Firewall product line. Two of these are rated critical with a CVSS score of 10.0 and affect Cisco Secure Firewall Management Center (FMC). Both can be exploited remotely by unauthenticated attackers to execute code on an affected device and obtain root access to the underlying operating system. Cisco has released software updates to address these vulnerabilities. Currently there are no workarounds for either vulnerability, making patching the only path to remediation. At the time of publishing, Cisco PSIRT is not aware of any public announcements or malicious use of these vulnerabilities.

This post covers the critical vulnerabilities in detail, along with a summary of additional high-severity issues disclosed in the same advisory bundle. Abstract also offers recommendations for immediate actions to take plus detection and monitoring bullets.

Abstract Security just published a blog this morning: Moving Laterally through Abuse of Managed Identities attached to VMs.  The blog was written by Abstract’s ASTRO research organization.

The research talks about how to put some detection for some type of managed identity abuse. Since managed Identities are very useful tools for the proper functioning of an Azure environment, it becomes difficult in case there are multiple resources attached to a single Managed Identity.

This can lead to the abuse of managed identities. Even though detection may vary depending on environment. For example, there might be some script which uses managed Identities to access other resources like another Virtual Machine. Therefore, this detection is very generalized form of detecting some type of managed identity abuse.

You can read the blog post here: https://www.abstract.security/blog/moving-laterally-through-abuse-of-managed-identities-attached-to-vms

Abstract Security today announced a partnership with Netskope to provide joint customers the ability to bring detection directly into the data stream and to help eliminate indexing delays for more efficient threat detection.

Through this integration, Abstract Security and Netskope empower customers to simplify and optimize the collection, transformation, and analysis of Netskope One telemetry. By ingesting high-fidelity Security Service Edge (SSE) data directly into Abstract’s adaptive pipeline, joint customers can filter, enrich, and route critical security context to any SIEM, data lake, or analytics platform. This integration helps ensure that customers maintain full data sovereignty and deep visibility while eliminating the prohibitive costs of high-volume log ingestion.

Controlling data is key

Modern cloud environments generate massive volumes of security data. Yet most organizations still depend on legacy workflows where detection runs only after logs are ingested and indexed, forcing teams to trade visibility for cost and time. By the time analytics systems can query the data, opportunities to detect and respond early have already passed. Working together, Abstract Security and Netskope can help eliminate the “indexed” delay by bringing detection directly into the data stream. Benefits include:

• In-Stream Detection: Abstract analyzes Netskope Log Streaming data as it moves to identify anomalies, patterns, and potential threats in real time.
• Adaptive Enrichment: Add context such as identity, geo, and threat intel before data ever lands in a SIEM or data lake.
• Dynamic Routing: Send only relevant, high-value security events to downstream tools, cutting waste while enhancing insight.
• Seamless Integration: Lightweight deployment built in collaboration with Netskope.

The ROI from this partnership for customers includes:

• Immediate Visibility: Detect risks within the data flow, reducing mean-time-to-detection with a “shift left” operational workflow.
• Operational Efficiency: Solve the “data explosion” challenge and streamline SOC operations by reducing noise and lowering log ingestion/storage costs by up to 70%, all while maintaining the deep, SkopeIT™ metadata visibility required for forensic precision
• Actionable Analytics: Transform raw SSE telemetry into actionable intelligence. Leverage rich user, device, and data context to eliminate alert fatigue and drive accelerated, automated responses through high-confidence detections.
• Unified Architectural Agility: Replace fragmented legacy stacks with a single, adaptive streaming layer. Simplify your infrastructure by consolidating inspection and analytics into a high-performance architecture that scales without compromising latency.

Abstract specializes in delivering threat detection in motion as its platform fuses data pipelines, analytics, and AI-assisted enrichment into a single continuous stream so security teams can filter, shape, and act on events as they happen. Instead of blindly sending everything to storage, Abstract inspects, correlates, and detects on the fly, sending only what matters to SIEMs, data lakes, or response systems.

Abstract Security today announced the launch of its PAINT Partner Program. (Partnerships, Alliances, and INTegrations). The PAINT program is designed to empower resellers, MSPs, MSSPs, and technology integrators to deliver differentiated cybersecurity solutions and accelerate revenue growth through collaboration with one of the industry’s fastest-growing security innovators. 

Since emerging from stealth in 2023, Abstract Security has attracted global attention for its modern take on the security operations stack. The company’s platform decouples data sources and destinations, offering customizable pipelines, real-time analytics and an AI-powered assistant that simplifies threat investigation and detection across environments.  

Now, with the launch of PAINT, Abstract is formally extending its platform to a broader ecosystem of partners ready to bring these capabilities to market. 

Program Highlights 

The PAINT Partner Program is structured to support partners at every stage of growth, from emerging solution providers to global systems integrators. Key benefits include: 

• Competitive pricing models with very attractive margin structures. Abstract’s pricing offers predictability, making it easier for partners to maximize profitability while providing value to end customers. We adapt to your business model to provide cost-effective scaling without compromising performance. 
• Flexible deployment models, including SaaS, self-hosted, and region-specific cloud hosting 
• Joint go-to-market opportunities, such as co-branded campaigns, sales enablement, and events 
• Rep-to-rep sales collaboration and technical support to accelerate sales cycles 
• Access to the Abstract Intelligence Gallery, a curated marketplace with integrations from leading threat intelligence providers 
• Streamlined onboarding and enablement, including certification pathways and training for both sales and technical teams 

Innovatively Differentiated  

• Data Pipelines: Streamline data management with efficient pipelines for ingestion, processing, and routing of security data. Our pipelines reduce data complexity, making it easier for customers to extract actionable insights. 
• Real-Time Security Analytics: Our Analytics engine delivers real-time threat detection and monitoring, allowing your customers to quickly respond to security threats. This high-performance analytics capability meets the demand for fast, accurate data-driven security decisions. 
• Intel Gallery: Access to curated threat intelligence, providing your customers with a robust resource to reveal threats and stay ahead of those emerging. Abstract’s Intel Gallery helps customers boost their intelligence capabilities, positioning you as providers of cutting-edge security solutions. 
• Abstract LakeVilla: LakeVilla is designed to give you a reliable, cost-effective way to store and access historical data without the high price tag or slow performance of traditional SIEM solutions. It makes cold storage actually work for security teams – no more painful rehydration and no more expensive re-ingestion. 

Built for Channel-Led Growth 

The PAINT program reflects Abstract’s commitment to building a channel-first business model that rewards joint success. With multi-cloud availability, marketplace listings across AWS, Azure, and Google Cloud, and support for regional hosting in markets like the Middle East, partners can tap into new revenue opportunities across verticals and geographies. 

The PAINT Partner Program is open to qualified partners globally. Interested organizations can learn more and apply by visiting Abstract Security’s partner page. 

https://www.abstract.security/partners

Abstract Security, the pioneer in streaming detection and response, today unveiled its groundbreaking Shift Left strategy for security operations—bringing real-time analytics, correlation, and response closer to the source of data. Abstract’s new model empowers security operations teams to detect threats in stream, before data hits storage—not after the damage is done. 

Read more about the Shift-Left Detections Approach from Abstract Security: www.abstract.security/blog/shift-left-detections-with-abstract.  

Why Shift Left for Detection Matters 

Instead of analyzing logs hours after an event, Abstract enables security teams to detect and respond in the moment: 

• Real-time correlation across cloud, endpoint, identity, and SaaS sources 
• In-stream threat intelligence and asset context 
• Instantaneous detection logic execution, before data hits the SIEM or data lake 

The result: security operations that are not only faster, but smarter, leaner, and more effective. 

A New Standard for ROI in Detection 

Traditional detection requires pushing massive volumes of telemetry into SIEMs just to run rules—an expensive, delayed, and inflexible process. Abstract changes the economics of detection by running analytics in-stream: 

• Up to 70% reduction in SIEM ingestion volume 
• 4x faster detection using ready-to-deploy rules with no custom tuning required 
• Improved signal-to-noise ratio, enabling faster, more confident responses 

To learn more about how companies like Juul Labs are already transforming their journey with Abstract, visit https://www.abstract.security/abstract-canvas.   

Detection-as-Code, Powered by ASTRO

Abstract’s ASTRO team delivers constantly evolving detection logic and threat intelligence as code—built for real-time execution. ASTRO also treats DFIR as code, enabling live incident investigations, timeline reconstruction, and playbook automation directly in the stream. 

• No manual queries 
• No stale enrichments 
• No delays in response 

DFIR becomes just as fast and automated as detection itself. Learn More about the DFIR-As-Code from Abstract in their blog series here. 

A Shift Worth Making 

Abstract’s Shift Left philosophy offers security teams a chance to modernize without overhauling. You don’t need to rip and replace. You just need to move detection to where the action is—before the threat moves past you. 

Abstract Security and SentinelOne have joined forces to deliver a powerful new integration between Abstract’s real-time security data pipeline and SentinelOne’s AI-powered Singularity Platform—reshaping how security teams detect, analyze, and respond to threats. 

This partnership addresses one of cybersecurity’s biggest challenges: how to find true threats in a sea of irrelevant data. Together, Abstract and SentinelOne® provide a scalable, intelligent solution that filters out noise, reduces cost, and accelerates response times across the enterprise. 

The Power of Two: Intelligence at the Edge, Clarity at the Core 

SentinelOne brings market-leading autonomous protection to endpoints, cloud workloads, and identities—combining behavioral and agentic AI, real-time threat detection, and automated response across the attack surface. With Singularity AI SIEM, organizations gain fast, searchable access to ‘hot’ security data—critical for reducing MTTD (mean time to detect) and MTTR (mean time to respond). 

Abstract Security complements this with a streaming-first, AI-enhanced data pipeline built specifically for security use cases. It ingests from any source, normalizes data to open standards (OCSF), applies advanced filtering, and routes high-value data into the Singularity platform. 

What This Partnership Delivers 

• Noise Reduction at Scale 
  Abstract filters out irrelevant data before it reaches SentinelOne’s Singularity™ AI SIEM, removing noise and reducing alert fatigue. 

• Real-Time Analytics and Threat Detection 
  By combining Abstract’s in-stream threat enrichment with SentinelOne’s threat detection capabilities, teams can detect and respond to threats faster and with greater accuracy. 

• No-Code Integration & Easy Migration to SentinelOne 
  With Abstract’s easy to use drag-and-drop pipeline creation, security teams can deploy in minutes without engineering effort and migrate from legacy SIEMs to SentinelOne’s Singularity™ AI SIEM with zero downtime—thanks to prebuilt connectors and automatic data normalization. 

• Unified Security Architecture 
  Together, the platforms create a streamlined, modern security stack—eliminating data silos, blind spots, and manual workflows. 

Why It Matters Now 

Organizations are under pressure to reduce risk, lower costs, and modernize outdated security infrastructure. This partnership offers a practical, high-impact path forward—unlocking value from existing data and enabling security teams to operate at machine speed. 

For security teams looking to move beyond the limitations of legacy SIEMs, this opportunity delivers a modern security operations platform built for today and ready for what’s next.