Panther

Computer and Network Security

San Francisco, CA 14,571 followers

Turn up the volume, turn down the noise.

About us

Panther is the security monitoring platform for the cloud. Unlike ‘next-gen’ SIEMs that rely on historical detections and closed ecosystems, Panther enables flexible defense in production environments with streaming data analysis, programmable detections, and seamless cloud integration – empowering teams to optimize costs and control, accelerate incident response, and achieve cross-system visibility at scale.

Website
https://panther.com/
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
San Francisco, CA
Type
Privately Held
Founded
2018
Specialties
Cloud Security, Information Security, Startup, AWS, AWS Security, SIEM, Cloud-Native SIEM, big data, Security Data Lake, Security, Detections as Code, Splunk Alternative, Cloud SIEM, Log Analysis, Security Monitoring, Python, and threat detection

Updates

  • Most AI closes the alert. Panther AI closes the loop. Join us live March 19 to see what that actually means in practice — agents that investigate alerts with full context, encode every analyst decision back into detection logic, and make the whole system smarter with every interaction. Jack Naglieri (Panther) · Francis Odum (SACR) · Spencer M. (HealthEquity) When agents have the expertise of your most technical team member, every decision compounds. Register now — seats are limited. 👉 https://lnkd.in/gmPGEuG7

  • LLM-generated malware is here. Our threat research team analyzed Ghost Loader, an npm credential stealer that appears to be partially AI-generated, complete with blockchain C2 infrastructure and multi-stage evasion techniques. The scary part? The barrier to entry collapsed. What used to require significant malware dev skills now requires intent and iteration with coding agents. Full technical breakdown includes detection rules, YARA signatures, and complete IOC list: https://bit.ly/4tZI7nn #ThreatResearch #SupplyChain #NPM

  • We’re excited to be partnering with our friends at Material Security to bring Security Theater back on the road. Join us in Austin on April 7 for a live screening of the 1995 classic Hackers — with commentary, trivia, and plenty of moments that will feel… a little too familiar. 👇 Register at the link below. We hope to see you there! https://lnkd.in/gPszsM_3

    Quoted post from Material Security:

    🚨 Security Theater has escaped containment 🚨 It’s not just a live movie screening series, now it’s alive and it’s on LinkedIn! You’ve experienced it all: click-happy users, random SaaS apps with way too much access, and the twentieth “just one small exception” of the day. Material understands you, and that’s why we’re sharing this little nugget of AI-powered chaos that you’ll only be able to laugh at if you’ve ever stared into the abyss while whispering “this is fine” to yourself. We’d love to see you at our next Security Theater Live event! We’ll be in Austin on April 7th screening the 1995 classic “Hackers”, the first stop on our 2026 US tour. Expect comedy, trivia, and on-screen commentary by YOU (along with surprises along the way). Audiences in San Francisco and New York City have already experienced the fun, and we can’t wait to take the show to the Lone Star State. Thanks to our sponsors Panther and Dennis Fisher. Register using the link in the comments!

  • “Security analysis is essentially a data problem, and Panther’s approach to solving it is the best in the business.” That line came from a recent customer review, and it captures a shift a lot of security teams are feeling right now. For years, SIEM was treated like log storage: ingest less, control cost, write queries, and hope investigations finished in time. But detection and investigation don’t really break because of queries. They break when security data isn’t usable, when teams can’t structure it, iterate on it, or actually build detections around it. What stood out in this review was how teams are putting Panther to work in practice:
    • smaller teams relying on built-in detections and connectors to get coverage quickly
    • mature detection engineering teams treating detections like code — testing, versioning, and scaling coverage over time
    Security tooling is starting to look less like log management and more like data engineering. And that shift is changing how modern SOCs operate.

  • One Salesforce integration turned into access across hundreds of organizations. Our threat research team just broke down the Drift and Gainsight breaches, where attackers used stolen OAuth tokens through trusted connected apps to move across customer environments using legitimate API activity. What stood out:
    • OAuth tokens reused at scale (700+ orgs via Drift, ~200 more tied to Gainsight)
    • activity blending into normal RTEM logs (token revokes, refresh failures, connected app spikes)
    • bulk exfil that looks like routine API usage (high-volume object queries, Bulk API jobs, unfamiliar IPs/user agents)
    • attackers targeting Case objects, where support logs often contained API keys, credentials, and other embedded secrets
    Full technical breakdown + detections can be found below. 👇 https://bit.ly/46Zg11p #DetectionEngineering #SOC #SecOps

  • 🔥 Attackers are now using LLMs inside malware that rewrites itself at runtime. Our threat research team just published an analysis of PROMPTFLUX and PROMPTSTEAL — two malware families abusing Gemini and Qwen to evade detection. What’s happening:
    ➡️ PROMPTFLUX queries the Gemini API during execution to regenerate obfuscated code, drops new variants into the Startup folder, and spreads across network shares. Every run produces a new signature.
    ➡️ PROMPTSTEAL (linked to APT28 / FrozenLake) poses as image software while using Qwen2.5-Coder to generate commands that quietly collect AD data, processes, and system information.
    The problem: these attacks look like normal AI API usage. Most security stacks have little to no visibility into OpenAI, Bedrock, or HuggingFace activity, which means malicious behavior blends directly into legitimate traffic.
    In the post, we break down how to detect it, including:
    • anomalous OpenAI API key activity
    • abnormal Bedrock token consumption
    • guardrail intervention signals and identity changes
    • correlating AI service logs with cloud and identity telemetry
    Polymorphic malware doesn’t lose to better signatures. It loses to better visibility. Full technical analysis here 👉 https://bit.ly/4rW1jk2

  • One click. Your AI copilot leaks customer data. One compromised GitHub Action. 10,000+ private repos go public overnight. The pattern isn’t new: attackers hijack trusted workflows—CI/CD pipelines, package managers, AI assistants—and use legitimate tooling to move fast and stay hidden. Panther founder Jack Naglieri breaks down what’s actually happening in his latest SC Media piece. The modern kill chain:
    • Entry via automation (compromised GitHub Actions, poisoned packages)
    • Token capture (GitHub PATs, npm creds, AI CLI sessions)
    • Privilege multiplication (stolen credentials + APIs + bots = automated lateral movement)
    • Blast radius (82,000+ secrets exposed in hours)
    The problem: Compromise looks legitimate. A copilot reading docs. A CI job after a merge. Normal tools doing normal tasks don't trip traditional controls. What to do:
    • Treat AI tools like privileged endpoints (sandbox, scope permissions, shorten token lifetimes)
    • Move from IOC hunting to technique-based detection (repo visibility changes, mass renames, suspicious user agents)
    • Make detections shippable (version, test, deploy weekly, not annually)
    The attacks work because we have best practices on paper but lack instrumentation where work actually happens. Read the full piece below 👇 https://bit.ly/4ky9n89

  • Research shows that up to 99% of alerts can be false positives. Over time, that level of noise changes how teams triage, and what gets real attention. Our recent blog post breaks down:
    • how alert fatigue quietly increases dwell time
    • why “just triage faster” doesn’t scale in real SOCs
    • and the detection engineering practices teams use to cut noise before alerts ever reach analysts
    Alert fatigue isn’t really a volume problem. It’s a signal quality problem. 🔗 https://bit.ly/4666W6G #DetectionEngineering #SOC #SecOps #AISOC

  • Panther reposted this:

    “I’m 100% addicted to Panther at this point.” - Panther customer
    Security teams fight attackers; they shouldn't have to fight their tools too. This is how it feels when a platform is built by security practitioners, for security practitioners.
