Threat catalog
Live threats — mapped to controls
Every threat is deterministically mapped to the MITRE ATT&CK techniques it uses and to the controls that mitigate it.
Initial Access Broker Sale
Initial-access brokers sell administrative or remote access to a victim organisation (VPN, RDP, Exchange OWA, AWS console, AD domain admin); the buyer is typically a ransomware affiliate. Demands MFA on every remote-access pathway, PAM for admin tiers, and dark-web monitoring of the company brand and employee e-mail addresses.
Threat Actor Targets Public Website
A named hacktivist group or hostile actor publicly claims an attack against an organisation's website. Whether the attack succeeds depends on the web-tier defences: WAF, patching, rate limiting and DDoS posture.
DDoS Campaign Against Public Services
Volumetric or application-layer attack aimed at taking a service offline. Demands edge mitigation (CDN / scrubbing), rate limiting, autoscaling capacity and upstream provider failover.
ICS / OT Device Vulnerability
Vulnerability disclosed in an industrial / building-control device. Implies the device may be reachable from the corporate network or directly from the internet. Calls for network segmentation, asset inventory and vendor patch tracking.
Database Leak / Unauthorised Data Exposure
Attacker dumps or sells a customer database. Implies the data store was reachable from the internet, had weak access controls, or lacked encryption at rest (note that encryption at rest only protects copies taken from storage media or backups; an attacker holding valid database credentials reads the data in the clear). Data classification, DLP, encryption and database access auditing close the gap.
Website Defacement Campaign
Ongoing pattern of website defacements in which attackers replace site content to push a political or trophy message. Implies the targeted CMS / web tier has unpatched vulnerabilities, weak admin credentials, or no WAF in front of it.
OT / Industrial Control System Attack
Attack targeting operational technology (pumps, controllers, processing equipment). Implies OT exposure to the internet, default credentials on engineering workstations, or flat-network bridging from IT. Calls for IT/OT segmentation, vendor patch tracking, and monitoring of Modbus/OPC traffic, in particular for write commands originating from hosts that are not engineering workstations.
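The Modbus/OPC monitoring named above can be reduced to a concrete rule: parse each Modbus/TCP request and alert on any write function code (5, 6, 15, 16, 22, 23) sent by a host outside the engineering-workstation allow-list. The following is an added example written for this page, not code from the catalog or its vendor. The IP addresses, the allow-list and the sample frames are constructed for illustration; the MBAP header layout and function codes are the standard Modbus/TCP ones.

```python
"""Modbus/TCP write-command detector (added example; not part of the catalog)."""
import struct
from typing import Dict, List, Optional, Set, Tuple

# Function codes that change process state. Reads are 1-4 and are normal HMI traffic.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(payload: bytes) -> Optional[Dict]:
    """Decode the MBAP header and the first fields of the PDU; None if malformed."""
    if len(payload) < MBAP_LEN + 1:
        return None
    txid, proto, length, unit, func = struct.unpack(">HHHBB", payload[: MBAP_LEN + 1])
    # Protocol id is always 0; the length field counts unit id + function + data.
    if proto != 0 or length != len(payload) - 6:
        return None
    data = payload[MBAP_LEN + 1 :]
    frame = {"txid": txid, "unit": unit, "function": func, "exception": bool(func & 0x80)}
    if func in (5, 6) and len(data) >= 4:          # address, value
        frame["address"], frame["value"] = struct.unpack(">HH", data[:4])
    elif func in (15, 16) and len(data) >= 5:      # start address, quantity, byte count
        frame["address"], frame["quantity"], _ = struct.unpack(">HHB", data[:5])
    elif func in (1, 2, 3, 4) and len(data) >= 4:  # start address, quantity
        frame["address"], frame["quantity"] = struct.unpack(">HH", data[:4])
    return frame


def build_request(txid: int, unit: int, func: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample traffic)."""
    return struct.pack(">HHHBB", txid, 0, len(data) + 2, unit, func) + data


def inspect_flow(src_ip: str, dst_ip: str, payload: bytes, allowed_writers: Set[str]) -> List[str]:
    """Return alert strings for one request; empty list when the request is acceptable."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return [f"{src_ip}->{dst_ip}: malformed Modbus/TCP payload"]
    func = frame["function"]
    if func in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        where = f"addr=0x{frame.get('address', 0):04x}"
        if "value" in frame:
            where += f" value={frame['value']}"
        if "quantity" in frame:
            where += f" qty={frame['quantity']}"
        return [f"{src_ip}->{dst_ip} unit {frame['unit']}: {WRITE_FUNCTIONS[func]} (fc {func}) "
                f"from non-engineering host, {where}"]
    return []


def run_detector(flows: List[Tuple[str, str, bytes]], allowed_writers: Set[str]) -> List[str]:
    alerts: List[str] = []
    for src, dst, payload in flows:
        alerts.extend(inspect_flow(src, dst, payload, allowed_writers))
    return alerts


# Constructed sample traffic (hypothetical addresses): an HMI read, a legitimate write from
# the engineering workstation 10.20.0.5, and two writes from a corporate host 10.1.4.23.
ALLOWED_WRITERS = {"10.20.0.5"}
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.50", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.20.0.5", "10.20.0.50", build_request(2, 1, 6, struct.pack(">HH", 0x10, 500))),
    ("10.1.4.23", "10.20.0.50", build_request(3, 1, 6, struct.pack(">HH", 0x10, 0))),
    ("10.1.4.23", "10.20.0.50",
     build_request(4, 1, 16, struct.pack(">HHB", 0x20, 2, 4) + struct.pack(">HH", 0, 0))),
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print("ALERT", alert)
```

Running the block prints two alerts, both for the corporate host writing to the PLC at 10.20.0.50; the HMI read and the engineering-workstation write pass silently. In a real deployment the allow-list would come from the asset inventory and the payloads from a span port or PCAP, and an unknown-source write to a register that holds a setpoint is the event to page on.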
Stolen Credential Dump
Aggregated credentials (often harvested by infostealer malware) appear on criminal forums. Even if your organisation's data is not in this exact dump, the same playbook hits you next. Demands password monitoring (HIBP-style), MFA enforcement, revocation of active session tokens (infostealers also steal browser session cookies, so a password reset alone does not evict the attacker), and EDR on endpoints to stop the stealer at source.
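"HIBP-style" password monitoring means checking a password against a breach corpus without ever sending the password, using the k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every suffix that shares that prefix. The following is an added example for this page, not code from the catalog or from Have I Been Pwned; the endpoint and the `Add-Padding` header are the documented Pwned Passwords API, while the range response body and the breach counts in it are constructed so the check runs offline.

```python
"""HIBP-style k-anonymity password check (added example; not part of the catalog)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real Pwned Passwords range endpoint: GET RANGE_API + <first 5 hex chars of SHA-1>.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padded responses add suffixes with count 0; those are dropped."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            continue  # malformed line, ignore rather than trust it
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live fetch of one range (network access required; not used by the offline check below)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """Number of times the password appears in the corpus; only the prefix leaves the host."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str] = fetch_range_http,
                     threshold: int = 0) -> bool:
    """Policy hook: reject a password seen more than `threshold` times."""
    return breach_count(password, fetch_range) <= threshold


# Constructed range body (not real HIBP data). It contains the suffix of SHA-1("password"),
# whose real prefix is 5BAA6, plus two made-up lines, one of them a zero-count padding entry.
_PW_SUFFIX = sha1_prefix_suffix("password")[1]
SAMPLE_RANGE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    f"{_PW_SUFFIX}:3730471\r\n"
    "01A1C7AD6D3A4FB4F4C6E6F5C3D8E5A1B2C:0\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_http that serves the constructed body for the 5BAA6 range."""
    return SAMPLE_RANGE_BODY if prefix == sha1_prefix_suffix("password")[0] else ""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-Example-2024"):
        print(pw, "->", breach_count(pw, offline_fetch), "hits, allowed:", password_allowed(pw, offline_fetch))
```

The `fetch_range` parameter is the seam for testing and for batch jobs: the same `breach_count` runs against the live API or against a cached range file. Setting `Add-Padding: true` makes every response a similar size so that a passive observer cannot infer the prefix from the response length, which is why the parser discards zero-count entries instead of treating them as hits.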
Ransomware Incident
Confirmed ransomware encryption + extortion event. Calls for the full playbook: MFA on remote access, immutable backups, EDR on every endpoint, network segmentation, PAM and a tested IR playbook.
Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen