Insights

Field notes from the front line.

Analysis from active engagements, position papers, and practical guidance — written by the practitioners who do the work, not by a marketing team.

2026 · Q2Threat Landscape

The 2026 threat landscape: AI, cartels, and the re-breach economy.

Ransomware affiliates are pooling tooling, reinvesting ransoms into zero-day acquisition, and weaponising LLMs. A practitioner's read on what's changing and what it means for IR.

2026 · Q2DFIR

When AI breaks the chain of custody.

AI-generated narrative has started to appear in DFIR reports without analyst attribution. Why that fails in court, and how Makkari uses AI without inheriting the problem.

2026 · Q1Ransomware

Median time from initial access to encryption: under 24 hours.

The trend nobody's watching: the shrinking dwell time of double-extortion operators. What it means for your detection window, your MDR, and your retainer.

2026 · Q1Breach Counsel

Why regulator follow-ups are getting sharper — and how DFIR reports are failing them.

ICO and EU supervisory authorities are asking harder technical questions. A field note on the gaps that most commissioned forensic reports still leave open.

2025 · Q4Identity

Entra ID token theft: what we actually see in the wild.

Primary refresh tokens, device-code phishing, OAuth abuse. A non-vendor view of what post-auth identity attack actually looks like on the wire.

2025 · Q4CTEM

Attack paths, not vulnerability counts: a practitioner's CTEM primer.

Why "we patched 2,400 CVEs this quarter" is a vanity metric, and what a proper exposure programme reports to the board instead.

Full articles coming shortly — subscribe below to be notified.

Briefing list

Quarterly DFIR briefings — from our team to yours.

Short, technical, useful. Unsubscribe in one click. We don't sell lists.