Binary Defense

3.4K posts

@Binary_Defense

We're determined to make the world a safer place through our industry-recognized managed security services. Founded by @HackingDave | Sister company @TrustedSec

Stow, OH. Joined August 2014
489 Following, 13.8K Followers
Pinned Tweet
Binary Defense @Binary_Defense
Big change. Same mission. We’ve refreshed our brand, but our purpose remains: make the world a safer place. This next phase of Binary Defense reflects who we’ve always been and where we’re headed next. Explore the new look: binarydefense.com/?utm_source=tw…

Binary Defense @Binary_Defense
Today is about remembrance. We honor the men and women who gave their lives in service to something bigger than themselves and recognize the sacrifice carried by their families, friends, and communities. Thank you to those who served and to those we remember today.

Binary Defense @Binary_Defense
Attackers don't need custom malware when Microsoft already signed the binary for them. Phantom Stealer is abusing legitimate Microsoft Edge executables like msedge.exe and cookie_exporter.exe to harvest credentials, cookies, crypto wallet data, and keystrokes, then exfiltrating everything over Telegram, Discord, or FTP. Because the binaries are signed, most endpoint tools won't blink. Shannon Mong and the ARC Labs team pulled apart a live sample and mapped the full infection chain, from initial execution and process hollowing through data harvesting and exfiltration, along with the detection opportunities at every stage. If you're hunting for this, the detection table and GitHub link are worth your time. binarydefense.com/resources/blog… Learn more:

Binary Defense @Binary_Defense
When infrastructure gets taken down, sophisticated threat actors don't stop. They route around it. @Dragonkin37 gets into how Iranian-linked operators are maintaining cyber operations under pressure using distributed infrastructure, proxy groups, and alternative communication methods in the latest piece from The Cipher Brief. If you think disruption equals deterrence, this is worth your time. thecipherbrief.com/iran-digital-t…

Binary Defense @Binary_Defense
Everyone's announcing an AI SOC. Most of them are announcing a marketing deck. @HackingDave started building Night Beacon because he saw where the threat landscape was heading. Not to chase a trend. Not to have a story for the board. To solve a problem that wasn't fully visible yet. Watch the clip.

Binary Defense @Binary_Defense
Not bypassing MFA. Recovering it. That's the shift @Dragonkin37 wants more teams paying attention to. When an adversary abuses MFA recovery methods, they're not breaking in. They're re-establishing trust. The credentials are valid. The access looks legitimate. The activity blends right into normal operations. By the time anyone notices, they're already moving as a trusted user. JP breaks down the real-world tradecraft behind these intrusions and the behavioral signals that still expose them. Full episode: binarydefense.wistia.com/live/events/ej…

Binary Defense @Binary_Defense
"I literally treat them as part of my team." That's not a goal we set out to hit on a slide deck. It's what happens when you show up every day like you actually work there. This Director of Information Security in healthcare didn't need another vendor. They needed someone in the Slack channel, answering questions, flagging threats, and treating their environment like it mattered. That's what we do. If your security partner goes quiet after implementation, that's not a partner. That's a product.

Binary Defense @Binary_Defense
Most detection programs aren't built around attackers. They're built around alerts. That's the difference between reacting to what fired and systematically reducing the risk of what hasn't yet. On June 9th, our detection engineers Cameron Lohr and Jordan McGrath are sitting down with Frank Duff and Sean Whitley from Tidal Cyber to break down how procedure-level intelligence and detection engineering actually work together. No theory. Real-world examples of how you move from gap identification to production deployment, and how you prove your defenses are reducing risk, not just generating coverage numbers. If you're running a detection program and still feel like you're playing catch-up, this one's for you. June 9th | 1PM EST | Free to attend. Link to register: binarydefense.com/webinars/opera…

Binary Defense @Binary_Defense
Adversaries are moving faster than most security teams can respond. Average breakout time is now 29 minutes. In some cases, it’s 27 seconds. You can’t solve that by endlessly adding alerts, dashboards, or headcount. You solve it by removing friction inside the SOC. That’s where AI changes the equation. Not by replacing analysts. By helping them investigate faster, summarize incidents quicker, and focus on the decisions that actually matter. This is what NightBeacon was built for. AI speed. Human judgment. Operational impact that compounds across every shift. Read the full breakdown: binarydefense.com/resources/blog…

Binary Defense @Binary_Defense
You shouldn’t have to change how your business works to make security work. We shape the solution around how you actually operate. Binary Defense is built differently. Your tools. Your workflows. Your priorities. That’s how you get something that actually fits and actually works. Because security shouldn’t feel like a workaround.

Binary Defense @Binary_Defense
Trusted processes are doing the work. That’s the problem. Phantom Stealer blends into normal system behavior, abusing Microsoft-signed binaries to harvest credentials, cookies, and vault data without raising alarms. What stands out is how clean it is. Layered execution. Legitimate tooling. Built-in exfil redundancy. This is what modern tradecraft looks like when it’s done right. Full breakdown from ARC Labs: binarydefense.com/resources/data…

Binary Defense @Binary_Defense
SVG phishing isn’t dangerous because it’s new. It’s dangerous because most tools still treat SVGs like harmless images. Meanwhile, adversaries are embedding scripts, external payloads, credential harvesters, and encoded malware inside files that bypass traditional controls. This is where architecture matters. After ARC Labs published new research on malicious SVG phishing, NightBeacon went from identified gap to live production detection in under 10 minutes. No retraining. No release cycle. No rebuilding the platform. Just research becoming operational detection at the speed defenders actually need. Read the full breakdown: binarydefense.com/resources/blog…

Binary Defense @Binary_Defense
NightBeacon moves fast. But this isn’t about speed alone. It’s about what happens when speed meets accountability. Most platforms give you one or the other. Automation without ownership. Or people without the scale to keep up. That gap is where teams burn time. Where alerts pile up. Where “we’ll look into it” turns into hours lost. NightBeacon was built to close that gap. It investigates at machine speed. Analysts own every outcome. Nothing gets passed back to your team unfinished. Not theory. Not positioning. How the work gets done now. NightBeacon. The future of cybersecurity isn't artificial. binarydefense.com/nightbeacon?ut…

Binary Defense @Binary_Defense
Nolan Warner hits on a simple but critical shift. Start from suspicion. Build a baseline. Continuously refine it. Because the difference between normal and malicious often isn’t technical. It’s behavioral. That’s what this clip gets into. In this ThreatTalk, we break down real intrusions where nothing looked obviously wrong. No exploit. No malware. No broken controls. Just trusted tools. Valid access. Normal workflows. And that’s what let it work. If you’re responsible for detection or threat hunting, this is the shift: Stop asking “is this allowed?” Start asking “does this make sense?” Watch the full session for the patterns, signals, and decisions that help you catch what others miss. binarydefense.wistia.com/live/events/ej…

Binary Defense @Binary_Defense
Most teams don’t feel it right away. But they know when something’s off. That constant question in the back of your mind “Did we miss something?” That’s what real coverage removes. Binary Defense is always on. Across the network. At the edge. Wherever it starts. Not just alerting. Investigating. Responding. So your team isn’t left wondering. They know someone’s already on it. Peace of mind isn’t something you say. It’s something you feel.

Binary Defense @Binary_Defense
Trusted processes are doing the work. That’s the problem. Phantom Stealer blends into normal system behavior, abusing Microsoft-signed binaries to harvest credentials, cookies, and vault data without raising alarms. What stands out is how clean it is. Layered execution. Legitimate tooling. Built-in exfil redundancy. This is what modern tradecraft looks like when it’s done right. Full breakdown from ARC Labs: binarydefense.com/resources/blog…

Binary Defense @Binary_Defense
A single Run command kicked this off. What followed: in-memory execution, Python-based control, and layered persistence. Nothing about it looked out of place. See the full chain: binarydefense.com/resources/blog…

Binary Defense @Binary_Defense
You’re not missing threats. You’re buried under everything that isn’t one. 98,000 alerts. 15 real problems. That gap is where time disappears. And where adversaries get space. binarydefense.com/resources/whit…

Binary Defense @Binary_Defense
It started as a routine request. Something the help desk sees every day. @Dragonkin37 breaks down a real case where an adversary didn’t bypass security. They used it. MFA removed. Password reset. After that, everything looked normal. Because it was all approved access. Logging in. Moving laterally. Even modifying payroll. No alerts. No obvious signal. Just trust, working against you. Watch the full ThreatTalk, Hiding In Plain Sight: When Trust Becomes the Attack Path, to see how this actually unfolds and where most teams miss it. lnkd.in/d2nUkXRp

Binary Defense @Binary_Defense
Intelligence isn’t just being stolen anymore. It’s being signaled. Prediction markets are turning classified insight into public signals anyone can watch. Not through leaks, but through behavior. Timing. Wagers. Patterns. That changes the game. As @Dragonkin37 put it, this has crossed into a real counterintelligence problem. When insiders act on foreknowledge, they’re not just profiting. They’re broadcasting it. And it cuts both ways. Adversaries don’t need access if they can read the market. Worth the read if you’re thinking about where intelligence exposure is actually happening now. thecipherbrief.com/dangerous-trad…

Binary Defense @Binary_Defense
3700 alerts. Zero interruptions. That’s not a quieter environment. That’s a different operating model. A Tech Services CISO said it plainly: Last month, every single alert was handled without escalating to their team. No noise. No unnecessary disruption. No pulling admins out of real work to chase signals that go nowhere. This is what it looks like when detection and response actually work the way they should. Not more alerts. Better outcomes.