Invictus Incident Response

💥 𝐂𝐥𝐨𝐮𝐝 𝐋𝐚𝐛𝐬 𝐢𝐬 𝐥𝐢𝐯𝐞! 🏗️ A hands-on lab environment to practice your cloud incident response skills. cloudlabs.invictus-ir.com We're also doing a giveaway here, to enter: 1. Like this post 2. Comment why you want to have access (Winners announced Monday September 1) #stayInvictus #CloudLabs #CloudIncidentResponse

🚀 Introducing 𝐀𝐥𝐥-𝐈𝐧 access for Cloud Labs Most cloud security training happens in a vacuum. Real-world attacks don't. We are incredibly excited to announce the launch of our All-in level for Cloud Labs. Here is what makes this scenario unique: 🌐 Cross-Cloud Attacks: You will trace sophisticated threats that pivot across different cloud environments, mimicking the true complexity of modern, multi-layered breaches. 🛠️ Live Environment Access: You get real, hands-on access to investigate active threat scenarios directly within live Google Workspace and Google Cloud environments. It is time to test your cloud incident response skills for real! #stayInvictus #CloudIncidentResponse #CloudLabs

Our latest research is live on a recent #AiTM case we worked on together with BIO-ISAC This blog dives into the underlying infrastructure of modern phishing campaigns and includes Indicators of Compromise of this recent campaign. invictus-ir.com/news/the-invis… #stayInvictus #CloudIncidentResponse #AiTM

Have you ever wondered, what modern cloud compromises look like? This is your chance to investigate one, our newest lab is ready for you! Sign-up now to investigate our latest lab👇 cloudlabs.invictus-ir.com #stayInvictus #CloudLabs #CloudIncidentResponse

Our latest research on OAuth apps is now live. In this blog we take a look at some case studies where Entra ID apps were abused. We have also included actionable advice on how to prevent these issues in your environment: invictus-ir.com/news/entra-oau… #stayInvictus #CloudIncidentResponse #SaaS #EntraID

Happy is an understatement! This year we will be teaching both our AWS and Microsoft Cloud IR course at @BlackHatEvents in Las Vegas. Grateful for this opportunity!

🧪New year, new lab, same quality! Another lab inspired on real life incident response cases. If you've worked on incidents in Entra ID you probably know the importance of 𝘌𝘯𝘵𝘦𝘳𝘱𝘳𝘪𝘴𝘦 𝘈𝘱𝘱𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴 and 𝘈𝘱𝘱 𝘙𝘦𝘨𝘪𝘴𝘵𝘳𝘢𝘵𝘪𝘰𝘯𝘴. This lab is a deep dive on a lot of different techniques attackers abuse around apps in Entra. #stayInvictus #CloudLabs #CloudIncidentResponse

InfoSec vs. Microsoft

@_heilancoos @grahamhelton @raesene Thanks for sharing this, it's a great body of reference 🫡

I fell down the Kubernetes security rabbit hole. So I wrote a deep-dive on attack techniques, detection engineering, and scripts to test everything in a lab. Shoutout to @GrahamHelton and @raesene for their previous work! heilancoos.github.io/research/2025/…

Cloud Labs update for November, we've been cooking in the lab! In our new scenario you can play with EKS, ECR, pipelines and more fun stuff in the cloud. Sign up now and profit of the #BlackFriday deal! cloudlabs.invictus-ir.com #stayInvictus #CloudLabs #CloudIncidentResponse

Someone tried to hack us, read what happened next... invictus-ir.com/news/the-story… #stayInvictus #CloudIncidentResponse #DFIR #BEC

Get your checkbooks ready....

Back with a bang 🧨 A new post in our Cloud Threat Actor series, today is Part V on 𝐒𝐢𝐥𝐤 𝐓𝐲𝐩𝐡𝐨𝐨𝐧 a.ka. HAFNIUM 🐼 So far we've covered: - TraderTraitor - Sea Turtle - Laundry Bear - JavaGhost Blog: invictus-ir.com/news/profiling… #StayInvictus #CloudIncidentResponse #DFIR

Get in there! @BlackHatEvents is offering a £300 discount, enter the code 𝐇𝐀𝐂𝐊𝐓𝐇𝐄𝐏𝐑𝐈𝐂𝐄 at registration! Register: #advanced-cloud-incident-response-in-azure-and-microsoft-365-2508-45487" target="_blank" rel="nofollow noopener">blackhat.com/eu-25/training… #stayInvictus #CloudIncidentResponse #DFIR

@UK_Daniel_Card Yeah it is a good time, because logs are always on, contrary to M365. Some logs depend on a license. Typical stuff we see ATO, OAuth apps an data theft. More exotic things when Google Cloud is involved. Let us know if we can help and good luck 🫡

Anyone here that does IR, have you ever done Google Workspace incidents and what did they look like?

@CloudSecList @riptidesio @material_sec @wiz_io @redcanary Thank you 🙌🏻

📖 CloudSecList Issue 310 is live, with content from @riptidesio @material_sec @InvictusIR @wiz_io @redcanary and more! cloudseclist.com/issues/issue-3…

One of the most insecure defaults is getting less insecure at the end of this month. Microsoft is limiting what permissions a user can consent to. This is very interesting for everyone doing #BEC investigations. Curious to see if this will impact malicious app usage. More info (#microsoft-recommended-current-settings" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/entra/id…) #stayInvictus #BEC #CloudIncidentResponse

🔙 We’re back with a new blog, this time diving into a recent incident response case study. Check it out 👇 invictus-ir.com/news/anatomy-o… #stayInvictus #CloudIncidentResponse #BEC

After the launch of Cloud Labs last month, we're excited to share with you the new 𝐏𝐫𝐞𝐦𝐢𝐮𝐦 lab for this month. We are committed to brining you a (at least one) new lab every month! Sign-up now: cloudlabs.invictus-ir.com