Archive for Team Cymru

Targeting the Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning 

Posted in Commentary with tags on April 29, 2026 by itnerd

Team Cymru has published a new research blog from Senior Threat Intelligence Advisor Stephen Campbell which explores how nation-state actors are targeting the Defense Industrial Base (DIB) through long-term reconnaissance and pre-positioning designed to shape future operations.

Using examples like Volt Typhoon, Salt Typhoon, Lazarus, and UNC1549, Stephen breaks down how adversaries exploit smaller contractors, edge infrastructure, and supply chain gaps to quietly establish access long before an attack is visible.

The piece argues that traditional endpoint-focused defenses miss much of this activity and that network telemetry, infrastructure intelligence, and collective defense are now essential for identifying adversaries before they can operationalize that access.

The full blog is here: https://www.team-cymru.com/post/defense-industrial-base-nation-state-network-telemetry

Team Cymru Launches Pure Signal MCP Server

Posted in Commentary with tags on April 29, 2026 by itnerd

Team Cymru today announced the general availability of the Pure Signal™ MCP Server, the first purpose-built, production-grade Model Context Protocol (MCP) server for threat intelligence. Available immediately, the server connects any MCP-compatible AI agent — including Claude, Microsoft Security Copilot, Copilot Studio, GitHub Copilot and custom agents — directly to Team Cymru’s Pure Signal platform, the world’s largest threat intelligence data ocean.

Cybersecurity teams are deploying AI agents to automate alert triage, accelerate threat hunting, and orchestrate incident response, with AI agents forecasted to be the primary consumers of threat intelligence within the next 18 to 24 months. MCP, an open standard introduced by Anthropic, has rapidly become the de facto interface between AI agents and the external data and tools they rely on, with Microsoft, Google, Anthropic and every major AI development platform now supporting it.

A Different Kind of MCP Server

Most threat intelligence vendors view MCP as a thin wrapper over their existing REST APIs. Team Cymru took a different path. The Pure Signal MCP Server is integrated into the existing API surface but layers purpose-engineered processing on top: responses are concise, context-rich and token-efficient by design, preserving the LLM’s context window so agents spend tokens reasoning about threats rather than parsing raw payloads.

Through a single MCP connection, AI agents gain native access to the full breadth of Team Cymru’s Pure Signal platform:

  • IP & Domain Intelligence — Full detail lookups including summary, communications, tags, maliciousness scoring, open ports, and behavioral context.
  • NetFlow Communication Patterns — Observe who an IP is communicating with across the global internet, the data only Team Cymru has at this scale.
  • Passive DNS (PDNS) — Historical DNS resolution data revealing infrastructure relationships over time.
  • X.509 Certificates — Certificate details exposing shared infrastructure, hosting patterns, and attribution signals.
  • WHOIS Intelligence — Registration data with pivoting capability for infrastructure mapping.
  • Scout Query Language — AI agents can construct and execute sophisticated queries using Team Cymru’s native search syntax.
  • Usage & Quota Management — Programmatic visibility into API consumption for governance and cost control.

Built for the Teams Defending the Internet

Pure Signal MCP delivers immediate value across every layer of the security organization. SOC teams can connect AI-powered triage agents to Pure Signal for instant indicator enrichment, reducing mean time to investigate from hours to minutes. Threat intelligence teams can task AI agents with autonomous hunting across the global internet using the same data that has powered Team Cymru’s government and Fortune 500 customers for two decades.

Security engineers and architects can integrate Pure Signal into custom AI workflows, multi-agent systems, and automated response pipelines through a single MCP connection rather than a sprawl of bespoke integrations. MSSPs and managed service providers can differentiate their offerings with AI-powered intelligence and scale analyst capacity without scaling headcount. CISOs and security leaders gain a clear, demonstrable path to AI-readiness backed by production-grade infrastructure.

Availability

Documentation, integration guides, and authentication setup are available at mcp.cymru.com/docs. Prospective customers can request a free trial at team-cymru.com or contact sales for an AI-native threat intelligence briefing. 

The Pure Signal MCP Server is generally available today to all Team Cymru Pure Signal customers, at no additional cost, by visiting https://www.team-cymru.com/mcp-server.

Team Cymru’s Voice of the Cybersecurity Strategist Report Is Out

Posted in Commentary with tags on January 29, 2026 by itnerd

Team Cymru, the trusted intelligence partner to the world’s most targeted organizations, today released its Voice of Cybersecurity Strategist Report, exposing a critical disconnect between security ambition and real-world execution. Despite increased investment, many organizations still operate with limited visibility of critical external attack surfaces and active threat infrastructure, leaving blind spots where risk actually materializes. The results reveal meaningful gaps between perceived readiness and operational capability, particularly around external visibility, threat intelligence, and AI-driven security priorities.

Key findings include:

  • 50% of security practitioners say they experienced a major security breach in the past year
  • 72% of those breached say their threat hunting program played a key role in preventing or mitigating the breach
  • Only 38% report comprehensive, real-time visibility into threats beyond the network perimeter (45% report “good” visibility)
  • AI-enabled threats are the top emerging concern (22%), ahead of ransomware (20%) and cloud service vulnerabilities (17%)
  • 45% cite insufficient real-time threat intelligence as their biggest external threat intelligence gap
  • 60% allocate 20% to 40% of their threat intelligence budget to external threat intelligence and monitoring, and 32% allocate more than 40%
  • The ability to leverage AI is the top evaluation criterion for threat intelligence investments (52%)
  • AI-enhanced threat detection and response is ranked the most critical security capability (61%)

The report underscores a growing “confidence versus capability” gap across modern security infrastructures protecting critical infrastructure, government agencies, and civilian-reliant business operations. While most respondents believe they have “good” visibility into threats beyond their perimeter, only 38% say that visibility is comprehensive and real-time. That shortfall matters more as attacks accelerate and adversaries expand beyond traditional boundaries.

At the same time, AI is reshaping both sides of the fight. AI-enabled threats ranked as the top emerging concern among respondents (22%), narrowly outpacing ransomware (20%). In response, organizations are prioritizing AI in their security strategy, with 52% naming the ability to leverage AI as their top criterion when evaluating threat intelligence investments, and 61% ranking AI-enhanced threat detection and response as the most critical capability for an effective security program. Yet the report also suggests many programs are still constrained by foundational data and integration issues, with 45% citing insufficient real-time threat intelligence as their biggest gap, and 42% pointing to challenges integrating external threat data with internal tools.

Investment and operating models are shifting toward external, technology-driven defense. 92% of respondents allocate at least 20% of their threat intelligence budget to external threat intelligence and monitoring, including 32% who allocate more than 40%. When it comes to resourcing, 44% report a mostly technology-focused approach to balancing tools and people, signaling a push toward automation, orchestration, and integrated workflows to increase team efficiency.

Measuring value is increasingly tied to proactive outcomes. The primary metric respondents use to assess external threat intelligence effectiveness is spotting threats before they affect the organization (27%), followed closely by faster threat detection (26%). When communicating to boards and executive leadership, respondents most often cite the number of incidents prevented or detected (50%) and mean time to detect and respond (50%), reflecting a focus on tangible outcomes and operational speed.

The report also highlights why progress can stall. The biggest challenge to funding threat intelligence initiatives is a focus on compliance requirements over threat-driven investments (26%), followed by competing priorities within the security program (23%) and limited executive understanding of external threats (22%). Looking ahead, the top planned strategic shift over the next 12 to 24 months is increasing the efficiency of the existing security team (45%), alongside aligning with increasing regulatory compliance (40%) and consolidating threat intelligence suppliers (39%).

Methodology

Team Cymru surveyed 121 information security, cybersecurity, and risk management leaders responsible for setting cybersecurity strategy, approving security technology investments, and managing security budgets and resources. The survey was conducted online via Pollfish using organic sampling beginning April 17, 2025, capturing perspectives across multiple industries.

To download the full Voice of the Cybersecurity Strategist report, visit here.

Team Cymru and OpenCTI Partner to Supercharge Threat Intelligence With Global Visibility

Posted in Commentary with tags on January 14, 2026 by itnerd

Team Cymru today announced a strategic partnership and integration with OpenCTI, the widely adopted open-source threat intelligence platform developed by Filigran. The collaboration brings Team Cymru’s Pure Signal intelligence and Scout capabilities directly into OpenCTI, enabling defenders to access global visibility, instant enrichment, and automated threat-hunting workflows without ever leaving the platform.

The integration transforms the analyst experience by replacing manual lookups with immediate clarity. Alerts can now be enriched on demand with global context, allowing analysts to quickly determine whether an IP is a controller, VPN endpoint, proxy, or part of a broader campaign. This greatly accelerates triage and response by delivering decision-ready intelligence within the analyst’s existing workflow rather than forcing them to pivot across tools. Teams can also shift from reactive operations to proactive threat hunting, using automated playbooks to continuously uncover emerging malicious infrastructure, such as ransomware or DPRK-aligned activity, as soon as adversaries establish it.

By fusing internal incident data with Team Cymru’s global perspective on NetFlow-derived insights, infrastructure classifications, and traffic patterns, organizations gain a more complete understanding of threats and the entities behind them. The integration further enables dynamic indicator generation by automatically converting complex Scout search results into STIX indicators, allowing immediate monitoring, alerting, and sharing across the OpenCTI ecosystem. In practical terms, the collaboration equips analysts with the equivalent of expanding their view from only the cameras inside their building to the entire city’s traffic camera network, offering visibility into threats long before they arrive at the door.

From Filigran’s perspective, the partnership enhances both operational value and the broader open-source intelligence community. “The strength of the threat-intelligence community comes from openness and collaboration. Integrating Team Cymru’s Pure Signal with OpenCTI empowers defenders everywhere with richer context and faster analytic workflows, all while preserving the transparency and extensibility of our platform. We are proud to partner with an organization committed to elevating the global security ecosystem,” said Samuel Hassine, CEO and Co-Founder of Filigran.

This partnership underscores Team Cymru’s commitment to delivering actionable visibility that helps organizations move from reactive response to proactive, intelligence-driven defense. The integration is available now for all OpenCTI users. For configuration details and onboarding guidance, visit https://www.team-cymru.com/opencti
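The "dynamic indicator generation" described above (Scout search results converted into STIX indicators that OpenCTI can monitor, alert on, and share) is a well-defined transformation, so here is an added example of that shape. It is not the Team Cymru or Filigran connector code; the input rows are constructed sample results (documentation IP ranges and made-up tags), and the tag-to-indicator-type mapping is an assumption. Malformed rows are rejected rather than silently dropped, so a bad upstream record cannot poison the indicator feed.

```python
"""Convert constructed infrastructure-classification results into STIX 2.1
Indicator objects. Added example; not the Team Cymru / Filigran connector."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed sample rows shaped loosely like a search hit: an IP address,
# a classification tag, and when it was first observed. Values are made up
# (RFC 5737 / RFC 3849 documentation ranges), not real intelligence.
SAMPLE_RESULTS = [
    {"ip": "203.0.113.10", "tag": "c2", "first_seen": "2026-01-10T08:00:00Z"},
    {"ip": "198.51.100.7", "tag": "proxy", "first_seen": "2026-01-11T12:30:00Z"},
    {"ip": "not-an-ip", "tag": "c2", "first_seen": "2026-01-11T13:00:00Z"},
    {"ip": "2001:db8::1", "tag": "c2", "first_seen": "2026-01-12T09:15:00Z"},
]

# Assumed mapping from vendor-style tags to the STIX indicator-type open
# vocabulary ("unknown" is itself a vocabulary entry).
TAG_TO_INDICATOR_TYPE = {"c2": "malicious-activity", "proxy": "anonymization"}


def stix_pattern_for_ip(ip_text):
    """Return a STIX pattern for an IPv4/IPv6 address; ValueError on junk."""
    addr = ipaddress.ip_address(ip_text)  # validates the input first
    obj = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
    return f"[{obj}:value = '{addr.compressed}']"


def build_indicator(result, now=None):
    """Build one STIX 2.1 Indicator SDO from a result row."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{result['tag']} infrastructure: {result['ip']}",
        "indicator_types": [TAG_TO_INDICATOR_TYPE.get(result["tag"], "unknown")],
        "pattern": stix_pattern_for_ip(result["ip"]),
        "pattern_type": "stix",
        "valid_from": result["first_seen"],
        "labels": [result["tag"]],
    }


def results_to_bundle(results):
    """Return (bundle, rejected): valid rows become indicators in one STIX
    bundle; rows that fail validation are returned with the reason."""
    objects, rejected = [], []
    for row in results:
        try:
            objects.append(build_indicator(row))
        except (ValueError, KeyError) as exc:
            rejected.append((row, str(exc)))
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, rejected


if __name__ == "__main__":
    bundle, rejected = results_to_bundle(SAMPLE_RESULTS)
    print(json.dumps(bundle, indent=2))
    print("rejected rows:", rejected)
```

The resulting bundle is plain STIX 2.1 JSON, which is the interchange format OpenCTI ingests; the rejected list is what you would surface to an analyst or a log rather than discard.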

Team Cymru Appoints Joe Sander as CEO

Posted in Commentary with tags on April 28, 2025 by itnerd

Team Cymru today announced the appointment of Joe Sander as Chief Executive Officer. Sander succeeds Founder Rabbi Rob Thomas following his retirement, while Rabbi Rob will remain actively involved on Team Cymru’s Board of Directors.

Under Rabbi Rob’s leadership, Team Cymru has grown from a visionary startup to a globally recognized cybersecurity leader with a rapidly expanding base of partners and customers around the world. The appointment of Sander signals a new phase of growth and innovation.

Sander joins Team Cymru with proven expertise in scaling growth-oriented companies, enabling them to realize their full potential. By optimizing people, processes and innovation, he has guided SaaS technology companies through stages of rapid growth.

Sander most recently served as CEO of Radiant Logic where he achieved four consecutive years of double-digit growth during his tenure. At Radiant Logic, he successfully transitioned the business from a founder-led model to a high-performing private equity-backed operation while establishing it as a “rule of 50+” business that effectively balanced growth with profitability. Previously, as CEO of Arxan Technologies, he drove substantial expansion by pushing into new geographic markets and championing product innovation.

Team Cymru’s appointment of Sander comes during a period of momentum for the company. Over the past year, the company has introduced innovative solutions, including Pure Signal™ Scout, designed to elevate proactive cybersecurity capabilities, and an Insights Threat Feed, which delivers threat intelligence with greater speed and accuracy by combining 40 million daily IP classifications with more than 2,000 contextual tags. These innovations have played a key role in Team Cymru’s successful expansion into the Asia-Pacific region and have fueled significant year-over-year new business growth in its commercial business.

Under Sander’s leadership, Team Cymru will continue global expansion in key markets in North America, Europe and Asia Pacific to meet growing market demand while maintaining its commitment to partners and investing in its Community Services, which provides vital cybersecurity resources to underserved communities.

Team Cymru Announces Integration With Microsoft Security Copilot to Bring Immediate AI-Generated Context to Security Teams

Posted in Commentary with tags on March 20, 2025 by itnerd

Team Cymru today announced the general availability of its Pure Signal™ Scout Plugin for Microsoft Security Copilot.

For two decades, Team Cymru has transformed the way security professionals monitor, analyze, and respond to potential threats. Now, these same capabilities enable SOC teams to take immediate action at scale. Using the Microsoft Copilot plugin, SOC teams can seamlessly query the Team Cymru Pure Signal™ data ocean, transforming tedious investigations with immediate, context-rich, AI-powered responses.

Security Copilot is the first AI-powered security product that enables security professionals to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes. It combines an advanced large language model (LLM) with a security-specific model that is informed by Microsoft’s unique global threat intelligence and more than 65 trillion daily signals.

Learn how to become AI-enabled with Copilot here