‘We Were Not Ready for This’: Lebanon’s Emergency System Is Hanging by a Thread

In Lebanon, nearly 1 in 5 people has been displaced by Israeli attacks, leaving the government to manage a modern crisis without modern digital infrastructure.

Security Latest – ​Read More

Hack-for-hire group caught targeting Android devices and iCloud backups

Security researchers exposed a spying campaign by a hack-for-hire group that used Android spyware and phishing to steal iCloud credentials and hack victims’ devices.

Security News | TechCrunch – ​Read More

After two years of testing, wind power still can’t replace solar for me – here’s why

My years of hands-on testing show that while solar energy is straightforward, portable wind turbines require ongoing maintenance to remain efficient.

Latest news – ​Read More

Home Depot’s Spring Black Friday sale starts this week: Here’s what to know

Home Depot is discounting everything from grills to patio furniture to outdoor power equipment. Here’s everything to know before you shop.

Latest news – ​Read More

CIA director quietly elevated agency’s cyber espionage division

The Center for Cyber Intelligence, which had resided within the CIA’s Directorate of Digital Innovation since 2015, was promoted to a full-fledged mission center last October.

The Record from Recorded Future News – ​Read More

Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption 

Signature Healthcare was forced to cancel some services, and pharmacies are unable to fill prescriptions due to the hacker attack.

The post Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption  appeared first on SecurityWeek.

SecurityWeek – ​Read More

How I use my smart thermostat to get ahead of temp spikes (and save on bills)

It’s easy to stay comfortable while saving money thanks to these helpful automations.

Latest news – ​Read More

Building Phishing Detection That Works: 3 Steps for CISOs 

90% of attacks start with phishing. For CISOs, the real pain begins when the SOC cannot quickly tell whether a suspicious alert is just noise or the start of credential theft, account compromise, malware delivery, or wider business disruption. 

Modern phishing campaigns are designed to create exactly that uncertainty. QR codes, redirect chains, CAPTCHAs, phishing kits, and AI-generated lures can all hide the real objective until late in the attack flow.  

So what does phishing detection that actually works look like for a modern SOC or MSSP? Let’s find out. 

Why Modern Phishing Still Breaks SOC Workflows 

Phishing is still one of the most common ways attackers get into organizations, but the threat no longer follows a simple pattern. Modern phishing campaigns are built to hide their real intent, delay validation, and make investigation harder for already overloaded security teams. 

What makes today’s phishing especially disruptive is the mix of techniques now used in a single campaign. Security teams are no longer dealing with one suspicious email and one malicious link. They are dealing with layered attack flows that may include: 

  • redirect chains that hide the real destination 
  • QR codes that bypass traditional inspection 
  • CAPTCHAs that slow or block analysis
  • Phishing-as-a-Service kits that make advanced attacks easier to launch  
  • AI-generated lures and deepfake content that make phishing more convincing 

This combination puts much more pressure on SOC workflows. The challenge is understanding what actually happens next and doing it fast enough to reduce business risk. 

The numbers reflect this shift. 20% of phishing campaigns hide links in QR codes, while Tycoon2FA attacks increased by 25% between Q1 and Q3 2025. Gartner also found that 62% of companies experienced a deepfake attack in 2025. Together, these trends show that phishing is more adaptive, more evasive, and more difficult to investigate quickly. 

Numbers proving the danger of modern phishing attacks
Numbers proving the danger of modern phishing attacks

For SOC teams, this creates a dangerous workflow gap. An alert may show that something looks suspicious, but it often does not reveal whether credentials are being harvested, whether MFA is being bypassed, whether malware is delivered after the phishing stage, or how far the attack could spread if it succeeds. That lack of visibility is where delays begin. 

When visibility breaks down, the workflow usually breaks down with it: 

  • triage takes longer 
  • confidence in decisions drops 
  • more cases are escalated 
  • response slows at the exact moment speed matters most 

To make phishing detection work, CISOs need an approach that helps the SOC spot threats sooner, understand their impact earlier, and contain them before they escalate. 

Step 1: Strengthen Monitoring with Fresh Phishing Intelligence

The first step is making sure the SOC can see phishing activity early enough to act on it. If malicious domains, URLs, or campaign indicators surface too late, the team starts every investigation from behind.

Strong monitoring is not just about collecting more alerts. It is about improving what the SOC sees first and giving teams a better chance to catch phishing before it spreads further. The more current and relevant the intelligence is, the easier it becomes to recognize real threats early and prioritize them correctly.

This is where the quality and scale of threat data make a real difference. ANY.RUN’s phishing intelligence is built on first-hand investigations of active campaigns observed across 15,000 organizations and used by more than 600,000 security professionals worldwide. That gives teams access to fresh phishing indicators grounded in real attack activity, not just static or generic reputation data.

TI Feeds delivering actionable IOCs into your existing stack
TI Feeds delivering actionable IOCs into your existing stack

With this kind of monitoring in place, SOC teams can: 

  • spot malicious URLs, domains, and payloads earlier 
  • improve coverage across emerging phishing campaigns 
  • enrich detections with context tied to real investigations 
  • prioritize alerts faster and with more confidence 

A stronger monitoring layer gives the SOC a much better starting point. And when phishing is detected earlier, every step that follows becomes more effective. 

99% unique threat intel for your SOC

Catch threats early. Act with clear evidence.
 



Power your SOC now


Step 2: Improve Triage with Full Attack-Chain Visibility 

Early detection is only the starting point. Once a phishing alert reaches the SOC, the next challenge is figuring out what the attack is actually doing and whether it creates real business risk. 

This is where triage often slows down. A suspicious URL or attachment may trigger an alert, but that alone does not show whether the campaign leads to credential theft, MFA bypass, malware delivery, or a broader account takeover attempt. Without that visibility, teams spend more time validating the threat, confidence in verdicts drops, and more cases are escalated than necessary. 

Strong phishing triage should help teams quickly answer a few critical questions: 

  • Where does the attack flow actually lead? 
  • Is the user being pushed to a fake login page? 
  • Are credentials or session tokens being stolen? 
  • Does the phishing stage end in malware delivery? 

ANY.RUN helps close this gap with Interactive Sandbox analysis that exposes the full phishing chain in a safe environment. Teams can detonate suspicious URLs and files, follow redirects, open attachments, scan QR codes, and inspect CAPTCHA-protected flows to see how the attack behaves in practice.

Instead of relying on assumptions, they can validate the threat based on what actually happens. Analysts can also interact with the environment at any time, which makes it easier to investigate suspicious behavior manually when a deeper look is needed.

See how a real quishing attack can be analyzed inside ANY.RUN’s Interactive Sandbox in seconds:

Quishing attack analyzed inside ANY.RUN sandbox

This process becomes even faster with Automated Interactivity. By imitating analyst behavior inside the sandbox, it can interact with phishing pages automatically, uncover hidden links behind QR codes, solve CAPTCHAs, and continue the analysis flow without waiting for manual input. That helps teams move through evasive phishing stages faster and reach the real malicious behavior sooner.

Check sandbox analysis with Automated Interactivity 

Multi-stage phishing attack
Multi-stage phishing attack discovered inside ANY.RUN sandbox

Stronger triage reduces uncertainty, cuts wasted effort and helps teams reach conclusions faster. That means fewer unnecessary escalations, quicker containment, and less chance for phishing incidents to grow into broader operational or financial impact. 

Reduce the risk of delayed detection

Help your team investigate faster and respond earlier
 



Power up your SOC


Step 3: Speed Up Response with Clear Verdicts and Actionable Evidence 

Phishing detection does not end when the SOC confirms that something looks suspicious. The next challenge is turning that analysis into fast, confident response. 

This is where many workflows still slow down. Even after a phishing attack has been investigated, teams often need to manually collect indicators, document what happened, map behavior to known techniques, and prepare findings for escalation or response. That extra effort creates delays at exactly the moment when speed matters most. 

A strong response workflow should give teams what they need to act without friction:

  • a clear verdict on the threat 
  • extracted IOCs for blocking and investigation 
  • mapped TTPs for faster understanding 
  • structured reports for escalation and handoff 
  • evidence that helps response teams move with confidence 

ANY.RUN helps speed up this stage by turning phishing analysis into decision-ready outputs. Teams can see how the attack unfolds across redirects, phishing pages, credential theft attempts, and payload delivery, often reaching a verdict within the first 60 seconds. Clear verdicts, extracted IOCs, mapped TTPs, visual behavior details, and auto-generated reports make incidents easier to understand and faster to contain.

Auto-generated report for faster response
Auto-generated report for faster response

For CISOs, the real benefit is a faster path from investigation to containment. It helps teams contain phishing incidents sooner, make more consistent decisions under pressure, and reduce the time attackers have to turn a phishing attempt into credential theft, fraud, or wider business disruption. 

64% of Fortune 500 companies rely on ANY.RUN 

to strengthen their SOC operations



Integrate into your SOC


What SOC Teams Gain from Stronger Phishing Detection 

When SOC teams improve monitoring, sharpen triage, and speed up response, phishing becomes much harder to turn into a larger incident. Stronger phishing detection helps teams identify suspicious activity sooner, understand it more quickly, and act with greater confidence when time matters most.

SOC Teams Gain from Stronger Phishing Detection 
Mains steps for stronger phishing detection with ANY.RUN

This approach drives measurable improvements across day-to-day SOC operations: 

  • 36% higher detection rate 
  • up to 58% more threats detected 
  • 21 minutes faster MTTR per incident 
  • up to 20% lower Tier 1 workload 
  • 30% fewer Tier 1 to Tier 2 escalations 

The value goes beyond the numbers. Better phishing detection helps reduce alert fatigue by making suspicious activity easier to assess. It also helps Tier 1 handle more cases with confidence instead of pushing unclear investigations further down the workflow. 

📊Key Outcomes for CISOs:
  • Lower breach risk through earlier detection and more informed response
  • Reduce the cost of phishing incidents by containing threats faster
  • Ease alert fatigue with faster clarity on suspicious activity
  • Improve SOC efficiency with quicker, better-informed decisions
  • Reduce Tier 1 workload by helping front-line teams close more cases sooner
  • Improve consistency  in phishing investigations and response workflow
  • Avoid hardware costs by using cloud-based analysis 
  • Scale operations more easily as phishing volume grows
  • Get more value from existing teams without adding the same operational burden
  • Reduce the likelihood of wider business disruption by stopping phishing earlier

Phishing is often the first step in account compromise, fraud, malware delivery, and wider business disruption. When SOC teams can detect it earlier and respond faster, the organization is in a much stronger position to stop the attack before the damage spreads. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps organizations detect, investigate, and respond to modern phishing attacks with greater speed and clarity.

By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN gives SOC and MSSP teams the tools to spot phishing activity sooner, investigate threats more effectively, and respond with structured findings. Its approach helps security teams expose full attack chains, investigate evasive phishing techniques, and make more confident decisions under pressure.

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is built to support modern security operations with faster threat visibility, stronger investigation workflows, and more informed response. The company is SOC 2 Type II certified, reflecting its focus on strong security controls and customer data protection. 

Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization → 

The post Building Phishing Detection That Works: 3 Steps for CISOs  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Dual-Brain Architecture: The Cybersecurity AI Innovation That Changes Everything

agentic ai architecture

Cybersecurity has always been a race, but it is no longer a fair one. Attackers now operate at machine speed, orchestrating campaigns that evolve in seconds, while many defense teams still rely on workflows measured in hours or days. This widening gap has forced a fundamental shift in thinking. The conversation is no longer about faster response alone; it is about anticipation, autonomy, and intelligent coordination. 

Cybersecurity AI innovation built on agentic AI architecture is the new shift everyone is talking about. These systems are not passive tools waiting for instructions; they actively investigate, reason, and act. What distinguishes this evolution is the emergence of dual-brain design, a concept that blends real-time decision-making with long-term contextual understanding. 

The Dual-Brain Model: Separating Speed from Understanding 

Traditional systems struggle because they attempt to process everything, real-time signals and historical context, within a single framework. Dual-brain architecture breaks this limitation by dividing responsibilities into two complementary layers. 

The first layer, often described as neural memory, operates like a continuously evolving knowledge graph. It maps relationships across attacker behaviors, infrastructure patterns, and indicators of compromise. This is where neural memory threat intelligence becomes critical. Instead of storing static data, it builds a living model of how threats behave over time, adapting as new intelligence flows in. 

The second layer focuses on unstructured information. Security data rarely arrives neatly packaged; it exists in fragmented reports, dark web discussions, and analyst notes. This layer transforms raw, ambiguous inputs into semantic meaning. It doesn’t just match patterns; it interprets intent. 

Together, these layers create a system capable of both immediate reaction and informed reasoning. One “brain” reacts in real time; the other provides depth and memory. The result is a more balanced and capable AI cybersecurity architecture that can connect weak signals long before they become visible threats. 

From Alerts to Outcomes: Fixing Alert Fatigue 

One of the most persistent failures in cybersecurity operations is an alert overload. Analysts are inundated with notifications, many of which lack context or urgency. Critical threats often hide in plain sight, buried under noise. 

Dual-brain systems address this by shifting the focus from alerts to outcomes. Instead of generating isolated warnings, they construct a coherent narrative around a threat. Signals from endpoints, cloud systems, and external intelligence sources are correlated into a single, actionable story. 

This is where autonomous AI security becomes transformative. The system doesn’t stop detecting; it investigates, validates, and responds. Compromised systems can be isolated, malicious domains blocked, and policies enforced automatically. What once required hours of manual effort can now happen in seconds, with minimal human intervention. 

Cyble Blaze AI: Dual-Brain Architecture in Practice 

A clear example of this cybersecurity ai innovation in action can be seen in Cyble Blaze AI, a platform designed to operationalize agentic ai architecture at scale. Its implementation of dual-brain design brings together real-time detection and long-term contextual reasoning in a way that mirrors how experienced analysts think, only at machine speed. 

Cyble Blaze AI uses a neural memory layer to continuously map relationships between threat actors, attack techniques, and infrastructure patterns. This intelligence base allows it to connect early indicators, such as leaked credentials or exploit chatter, with internal vulnerabilities. Complementing this is a vector-based processing layer that interprets unstructured data, enabling deeper contextual understanding across sources like dark web forums and fragmented threat reports. 

What sets the platform apart is its ability to act on this intelligence autonomously. Built on a distributed agentic ai architecture, Cyble Blaze AI deploys specialized agents that monitor endpoints, cloud environments, and external threat landscapes simultaneously. These agents collaborate in real time, sharing insights and triggering coordinated responses across domains. 

The platform’s predictive capabilities are particularly notable. By analyzing more than 350 billion threat data points, it identifies patterns that signal where attacks are likely to emerge. In many cases, it can forecast risks up to six months in advance, turning neural memory threat intelligence into a forward-looking defense mechanism rather than a retrospective tool. 

Check out Cyble Blaze AI 

Agentic AI Architecture: A Network of Specialized Intelligence 

The real power of this approach lies in its structure. Rather than relying on a monolithic system, modern platforms use a distributed agentic ai architecture composed of specialized agents. 

Each agent has a defined role. Some continuously scan for anomalies across endpoints. Others focus on cloud environments or SaaS ecosystems. Response agents execute containment and remediation actions. What makes this effective is not just specialization, but coordination. 

When one agent detects a signal, it is immediately shared across the system. A suspicious login identified in a cloud environment can trigger endpoint containment actions without delay. This real-time collaboration enables detection, analysis, and response to occur in under two minutes in many scenarios. 

This level of orchestration marks a clear departure from traditional tools. It reflects a broader shift toward autonomous ai security, where systems operate with a high degree of independence while maintaining precision. 

Predictive Defense: Seeing Months Ahead 

Perhaps the most significant advancement in this cybersecurity ai innovation is its predictive capability. By analyzing vast datasets, often exceeding 350 billion threat data points, these systems identify patterns that indicate where future attacks are likely to emerge. 

This is not guesswork. It is a large-scale correlation across historical attacks, newly disclosed vulnerabilities, and global threat activity. Early indicators, such as leaked credentials or exploit discussions on underground forums, are linked to an organization’s environment. 

Through neural memory threat intelligence, the system recognizes trajectories. It can forecast risks up to six months in advance, giving organizations a critical window to act before an attack materializes. 

This fundamentally changes the role of cybersecurity. Defense is no longer reactive; it becomes anticipatory. 

Toward a Preventive Security Model 

Dual-brain architecture redefines cybersecurity by shifting the goal from reacting to threats to preventing them altogether. By combining agentic ai architecture, predictive analytics, and neural memory threat intelligence, platforms like Cyble Blaze AI enable autonomous ai security that anticipates attack paths, reduces exposure, and neutralizes risks before they escalate.  

This marks a fundamental evolution in AI cybersecurity architecture, where speed and context work together to deliver predictive, outcome-driven defense. To see how this cybersecurity AI innovation operates in practice, organizations can request a personalized demo for Cyble Blaze AI and explore its capabilities firsthand. 

The post Dual-Brain Architecture: The Cybersecurity AI Innovation That Changes Everything appeared first on Cyble.

Cyble – ​Read More