
Why geopolitical tensions should raise cyber awareness

When geopolitical tensions rise, cybersecurity quickly becomes part of the public conversation. Government agencies issue warnings. Security teams increase monitoring. Headlines start asking which organizations could become targets if cyber operations escalate alongside physical conflict. But geopolitical conflict does not suddenly create cyber risk. What it does increase is the likelihood that existing weaknesses will be tested and pre-existing risks exposed.

Black Hat Europe 2025: Lessons from the NOC

With the holiday season all wrapped up (pun definitely intended), I finally have time to sit down and digest what we saw in the network traffic at Black Hat Europe 2025 while working alongside the other Network Operations Center (NOC) partners: Arista, Cisco, Jamf, and Palo Alto Networks. As usual, there is a mix of the expected, a dash of the unexpected, and some lessons for newcomers and greybeards alike. Let’s get into it.

Corelight at SC25: A laboratory for securing the fastest conference network

I’ve worked as a threat hunter in several Black Hat Security Conference Network Operations Centers (NOCs) across the globe. So I didn’t expect to be surprised by much when signing on to be a part of the NOC for SCinet—a conference that has the “fastest conference network in the world.” And yet I was surprised by just how diverse the SCinet NOC team was, how collaborative the environment was, and how much we were able to achieve with automation in such a short amount of time.

Inside the mind of a cybersecurity threat hunter part 3: hunting for adversaries moving inside your network

Welcome back to our threat hunting series with Corelight and CrowdStrike. In our previous posts, we armed you with techniques to spot adversaries during Initial Access and how they establish Persistence to maintain their foothold. Now, we're diving into the shadowy dance of Defense Evasion and Lateral Movement.

Detecting CVE-2025-20393 exploitation: catching UAT-9686 on Cisco appliances

CVE-2025-20393 is a CVSS 10.0 remote code execution (RCE) flaw in Cisco Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA) appliances that is being actively exploited. A recent advisory from Cisco Talos details how an actor dubbed "UAT-9686", assessed to be China-nexus, is leveraging this vulnerability against ESA and SMA deployments. Successful exploitation lets the actor execute arbitrary commands with root privileges on the appliance and install persistence mechanisms.

How to React(.js) to React2Shell and detecting behaviors to catch the Next(.js) big RCE

Critical vulnerabilities in React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478) enable unauthenticated remote code execution in default configurations. The flaw resides in the server-side handling of the "Flight" protocol that React Server Components use for server-side rendering, making it a sought-after target for adversaries looking to bypass standard controls. While the public discourse is currently cluttered with unreliable exploits, we need to ground our defense in verifiable network evidence.

Modernize threat detection and SOC efficiency with integrated Corelight Threat Intelligence

In the ever-escalating battle against cyber threats, security teams are often caught in a deluge of alerts, struggling to distinguish real threats from the noise. The sheer volume of threat data can be overwhelming, leading to alert fatigue and, worse, missed detections. But what if you could really cut through the clutter and focus on what truly matters?

Corelight's enhanced threat detection: staying ahead of evasive threats

In today's rapidly evolving cybersecurity landscape, organizations face unprecedented challenges. Cyber threats are not only increasing in volume but are also becoming more sophisticated and evasive, with adversaries themselves using AI to enhance their attacks. The attack surface has expanded dramatically, while Security Operations Centers (SOCs) are often left with fewer resources to combat these growing threats.

No PoCs? No problem. How to hunt for F5 exploitation even when details are sparse

Endpoint detection and response (EDR) tools, and the analysts using them, have become incredibly effective. They have become so good, in fact, that we're now seeing a clear shift in adversary behavior: attackers are being pushed off the endpoint and onto places where EDR cannot run, such as network edge appliances. This isn't just a theory. As I was writing a separate blog about a recent Cisco exploit that spurred an immediate CISA emergency directive, news dropped about another major network edge vendor, F5.
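The Cisco ESA/SMA post and this F5 post both rest on the same idea: an appliance that cannot run an EDR agent can still be caught through the traffic it originates. The following is an added example written for this page, not code from either post or from Corelight. It runs a simple hunt over constructed Zeek conn.log records (JSON output mode): a known-good window is used to baseline which (destination, port) pairs a hypothetical mail gateway at 10.0.5.20 normally talks to, and later outbound connections are flagged when they go to a destination not in that baseline or to a port outside an assumed set of legitimate services. The appliance address, the expected-port set, the cutoff timestamp and every log line are assumptions chosen for illustration.

```python
"""Hunt for unexpected outbound connections from a network appliance in Zeek conn.log.

Added example for this page; not Corelight's detection content. Records are JSON-lines
as produced by Zeek's JSON log writer, but the lines below are constructed, not captured.
"""
import json
from collections import defaultdict

# Constructed sample: 10.0.5.20 is a hypothetical email gateway (assumption); the other
# addresses come from documentation ranges. ts < 1000 is the known-good learning window.
SAMPLE_CONN_LOG = """\
{"ts": 100.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50001, "id.resp_h": "203.0.113.10", "id.resp_p": 25, "proto": "tcp", "service": "smtp", "orig_bytes": 4200, "resp_bytes": 300}
{"ts": 101.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50002, "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp", "service": "dns", "orig_bytes": 60, "resp_bytes": 120}
{"ts": 102.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50003, "id.resp_h": "198.51.100.5", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 900, "resp_bytes": 52000}
{"ts": 103.0, "id.orig_h": "192.168.1.50", "id.orig_p": 50004, "id.resp_h": "10.0.5.20", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 1500, "resp_bytes": 8000}
{"ts": 1001.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50010, "id.resp_h": "203.0.113.10", "id.resp_p": 25, "proto": "tcp", "service": "smtp", "orig_bytes": 3900, "resp_bytes": 280}
{"ts": 1002.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50011, "id.resp_h": "198.51.100.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 640, "resp_bytes": 210}
{"ts": 1062.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50012, "id.resp_h": "198.51.100.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 650, "resp_bytes": 205}
{"ts": 1070.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50013, "id.resp_h": "192.0.2.9", "id.resp_p": 4444, "proto": "tcp", "service": null, "orig_bytes": 120, "resp_bytes": 96}
{"ts": 1071.0, "id.orig_h": "10.0.5.20", "id.orig_p": 50014, "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp", "service": "dns", "orig_bytes": 58, "resp_bytes": 118}
"""

APPLIANCE_IPS = {"10.0.5.20"}           # assumption: the appliance(s) being watched
EXPECTED_PORTS = {25, 587, 53, 443}     # assumption: services a mail gateway legitimately originates
BASELINE_CUTOFF = 1000.0                # assumption: end of the known-good learning window


def parse_conn_log(text):
    """Parse Zeek JSON-lines conn.log text into a list of dict records, skipping blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def outbound_from_appliance(records, appliance_ips):
    """Keep only connections the appliance originated toward some other host."""
    return [r for r in records
            if r["id.orig_h"] in appliance_ips and r["id.resp_h"] not in appliance_ips]


def build_baseline(records, appliance_ips, cutoff):
    """Set of (responder, port) pairs the appliance contacted during the learning window."""
    return {(r["id.resp_h"], r["id.resp_p"])
            for r in outbound_from_appliance(records, appliance_ips) if r["ts"] < cutoff}


def hunt(records, appliance_ips, baseline, cutoff, expected_ports):
    """Flag post-cutoff outbound connections that leave the baseline or use an unexpected port.

    Returns {(responder, port): {"reasons": [...], "count": n, "orig_bytes": total}}.
    """
    hits = defaultdict(lambda: {"reasons": set(), "count": 0, "orig_bytes": 0})
    for r in outbound_from_appliance(records, appliance_ips):
        if r["ts"] < cutoff:
            continue
        key = (r["id.resp_h"], r["id.resp_p"])
        reasons = set()
        if key not in baseline:
            reasons.add("new_destination")
        if r["id.resp_p"] not in expected_ports:
            reasons.add("unexpected_port")
        if not reasons:
            continue
        hits[key]["reasons"] |= reasons
        hits[key]["count"] += 1
        hits[key]["orig_bytes"] += r.get("orig_bytes") or 0
    return {k: {"reasons": sorted(v["reasons"]), "count": v["count"], "orig_bytes": v["orig_bytes"]}
            for k, v in sorted(hits.items())}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    base = build_baseline(recs, APPLIANCE_IPS, BASELINE_CUTOFF)
    for (host, port), info in hunt(recs, APPLIANCE_IPS, base, BASELINE_CUTOFF, EXPECTED_PORTS).items():
        print(f"{host}:{port} x{info['count']} bytes_out={info['orig_bytes']} reasons={','.join(info['reasons'])}")
```

On the constructed data this surfaces the repeated TLS sessions to a never-before-seen host on 443 and the single connection to port 4444, while the routine SMTP and DNS traffic stays quiet. The baseline window is the weak point of this approach: if the appliance was already compromised when the baseline was learned, the beacon destination is "normal". Build the baseline from a period you trust, and treat a new destination on an expected port as a lead to pivot on (TLS fingerprint, certificate, bytes in versus out), not as a verdict.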