The landing site for Trackr Services
Chinese state actors have been inside major U.S. carrier networks for months to years. Here is what enterprise defenders should actually do about it — detection logic, SIEM specifics, and the control updates that matter.
Wildcarded sub claims in IAM trust policies for GitHub Actions OIDC are still the most common cloud-CI footgun in 2026. Here’s the detection that actually catches it, and the tuning round that has to happen before the SOC stops ignoring the alert.
Image-mode RHEL moves the host into an ostree-backed, container-built world. The threat model shifts up the stack, and most detection content built for traditional EL hosts quietly stops working.
CVE-2026-48095 is a heap buffer overflow in 7-Zip’s NTFS handler reachable from any file extension because of signature-based fallback parsing. The fix shipped in 26.01 three days after the private report; public disclosure came 25 days later. PoC is public, the trigger is a one-line undefined shift, and the exploitable vtable sits 304 bytes from the overflow site. The patch is uncomplicated. The deployment surface isn’t.
Microsoft Defender’s new Preview adds automatic Isolate device to the attack disruption stack — distinct from the Device contain action that’s been auto-firing since 2023. The distinction matters operationally. So does Microsoft’s stated 99%+ confidence threshold, the 3-day offline retry window, the workstation-only scope, and the exclusion model defenders need to wire up before flipping this on.
A defender-oriented look at the SharePoint ToolShell chain (CVE-2025-53770 / 53771) — what the telemetry actually looks like in a real SIEM, where the first round of tuning breaks, and which assumptions about your SharePoint farm change the answer.
Cloudflare’s May 18 post on cyber-frontier-models — running Anthropic’s Mythos Preview against 50+ of their own repositories under Project Glasswing — is the latest in a twelve-month cluster: Mythos’s 2,000 zero-days in seven weeks, OpenAI’s Aardvark scanning 1.2M commits in 30 days, XBOW on top of HackerOne, AISLE taking 13 of 14 OpenSSL CVEs for 2025. Defender-side analysis only; the goal is to read the trend, not to provide an operator playbook.
Continuous Access Evaluation and Device Bound Session Credentials closed some of the AitM gap, but session token theft against Entra ID is still the dominant identity attack and most of the detection burden still falls on the SOC. Here is the shape of the problem and where the first round of tuning has to land.
Token Protection and DBSC closed some doors in 2026 but left the SOC with a messier detection surface than the vendor decks suggest. Here is what the incident actually looks like in the SIEM, where the first round of tuning has to land, and what most teams get wrong on revocation.
Agentic AI assistants in the browser collapse the gap between read access and exfil. Here is what the detection actually looks like in the M365 audit pipeline, where the noise comes from, and which assumptions change the answer.
