When CISOs ask for budget, they are rarely competing against “no security.” They are competing against growth initiatives, product launches, and cost optimization. 

Technical jargon and security metrics often fall flat here. To win the conversation, threat intelligence cannot be framed as more data for analysts. It must be positioned as a business enabler that reduces measurable risk, protects revenue, and accelerates decision-making. 

Here are the board-ready cases that connect threat intelligence investments directly to business objectives.  

1. Protecting Revenue and Avoiding Financial Loss

Boards understand one number very well: the cost of a breach. What they often underestimate is how much of that cost comes from late detection. 

Reactive security means discovering threats after damage has already begun. By then, costs multiply across downtime, incident response, legal exposure, regulatory fines, and reputational damage. 
 
Threat intelligence changes the equation. 

ANY.RUN’s Threat Intelligence Feeds deliver high-fidelity indicators sourced from interactive sandbox analyses of live malware samples and targeted attacks. This expands threat coverage, reduces the likelihood of successful breaches, and directly lowers potential financial impact — turning threat intelligence into a clear ROI driver.  

TI Feeds: features and data sources 

Threat Intelligence Lookup is another decision-enabling service from ANY.RUN. It is an on-demand searchable database that provides instant access to detailed threat reports, behavioral insights, direct links to sandbox sessions, and contextual connections between IOCs and active campaigns, enabling rapid enrichment during investigations. Instead of asking “What could happen?”, security leaders can answer “What is actively targeting organizations like ours right now?” 

See what malware is threatening the organizations from your country and industry right now 

Board-level takeaway: 

Early detection driven by real-world threat intelligence materially lowers breach impact and recovery costs. 

Message pattern: “Investing in threat intelligence reduces our average incident response cost by 60-70% by enabling early detection and prevention. For every major incident we prevent, we save the organization between $1-4 million in direct costs, not including reputational damage and customer trust.” 

2. Ensuring Revenue-Critical Operations and Business Continuity

Board members understand downtime in dollars per minute. For e-commerce platforms, financial services, manufacturing operations, or SaaS providers, every minute of disruption translates directly to lost revenue, damaged customer relationships, and competitive disadvantage. Ransomware attacks alone now cost businesses an average of 25 days of downtime — a strike that many organizations cannot absorb. 
 
Threat intelligence supports resilience by helping organizations: 

• Identify emerging attack campaigns early; 

• Anticipate shifts in attacker tactics; 

• Prepare controls before attacks reach critical systems. 

TI shortens mean time to detect (MTTD) and mean time to respond (MTTR) by providing actionable context during incidents. SOC teams correlate alerts against real-time feeds, quickly identifying and containing threats before they spread. 

Threat intelligence supports quick informed decisions impacting KPIs 

With ANY.RUN’s feeds, powered by community submissions from thousands of organizations, teams gain immediate access to indicators tied to active global campaigns. This accelerates incident response, limits disruption, and keeps critical systems online preserving revenue and operational momentum.

Board-level takeaway:  

Threat intelligence reduces the likelihood that cyber incidents escalate into operational outages or prolonged downtime. 

Message pattern: “Our revenue-critical operations represent $X million in daily transactions. Threat intelligence gives us advance warning of attacks targeting our industry, allowing us to prevent disruptions before they impact operations. The cost of this service is equivalent to less than one hour of system downtime.” 

3. Maximizing ROI on Existing Security Investments 

Most organizations have already invested heavily in security infrastructure: firewalls, SIEM platforms, EDR solutions, and of course SOC teams. However, tools are only as effective as the intelligence that drives them. Without current threat data, your security stack operates reactively, generating alerts based on generic signatures and outdated indicators. 
 
Threat Intelligence Feeds dramatically amplify the effectiveness of your security investments. Context-rich current threat data transforms them from reactive alert generators into proactive defense mechanisms. 
 
ANY.RUN’s Threat Intelligence Feeds integrate seamlessly with major security platforms through APIs and standard formats like STIX. Your existing tools immediately gain access to millions of current indicators and threat context without requiring additional headcount or infrastructure. Your SOC analysts can make faster, more accurate decisions because they have the context they need at their fingertips. 

ANY.RUN integration options 
 
Board-level takeaway: 

Threat intelligence ensures security investments are aligned with real, current threats to the business, not theoretical risks. 

Message pattern: “We’ve invested $X million in security infrastructure. Threat intelligence feeds cost a fraction of that while potentially doubling the effectiveness of every security tool we’ve already purchased.” 

4. Optimizing Security Resource Allocation and Driving Efficiency

Cybersecurity budgets are under scrutiny, with boards demanding maximum value from every dollar. Overworked SOC teams drowning in alerts waste resources on false positives and low-priority events. Hiring more analysts is expensive, slow, and increasingly unrealistic. Boards want efficiency, not headcount inflation. 

Threat intelligence enriches alerts with context, reduces noise, and allows teams to focus on high-risk threats. Pre-filtered, accurate IOCs improve detection rates while lowering analyst burnout. 

ANY.RUN’s feeds are designed for exactly this: clean, enriched indicators ready for automation, with low false-positive rates thanks to sandbox-verified data. The result is higher SOC productivity, better resource utilization, and a stronger return on existing security investments. 
 
By feeding curated, high-confidence intelligence directly into detection and response workflows, ANY.RUN’s Threat Intelligence Feeds: 

• Reduce false positives, 

• Speed up alert triage, 

• Shorten investigation time, 

• Enable junior analysts to make better decisions faster. 

This allows organizations to scale their security posture without scaling payroll. 
 
Board-level takeaway: 

Threat intelligence increases SOC productivity, delivering better protection without proportional increases in staffing costs. 
 
Message pattern: “Our SOC team currently handles X,000 alerts monthly with Y analysts at an annual cost of $Z. Threat intelligence increases our team’s effective capacity by 50-70% without adding headcount, delivering better protection while keeping personnel costs stable.”

5. Demonstrating Regulatory Compliance and Due Diligence

Regulatory frameworks like GDPR, NIS2, DORA, and SOC 2 don’t just require security controls. They mandate demonstrable due diligence and continuous improvement. Failure to meet these standards results in crippling fines (up to 4% of global revenue under GDPR), potential business restrictions, and loss of customer trust. More importantly, regulators increasingly expect organizations to demonstrate proactive threat awareness and intelligence-driven security practices. 
 
Threat intelligence feeds provide auditable evidence of continuous monitoring, proactive threat hunting, and intelligence-driven security operations. ANY.RUN’s TI Feeds deliver documented indicators of compromise with rich context, enabling your team to demonstrate to auditors that you’re actively monitoring the threat landscape relevant to your industry and geography. 

Board-level takeaway:  
 
Threat intelligence provides auditable evidence of proactive monitoring and rapid response capabilities. Non-compliance triggers fines, audits, and reputational damage. 

Message pattern: “Threat intelligence isn’t just about preventing attacks — it’s about showing regulators, auditors, and customers that we take our security obligations seriously. This investment protects us from regulatory fines that could reach tens of millions of dollars and positions us favorably during audits and compliance reviews.” 

Conclusion 

Threat intelligence gives CISOs a way to translate cyber risk into business terms the board understands. It replaces reactive defenses with foresight, guesswork with evidence, and isolated security efforts with a unified, risk-driven strategy. 

ANY.RUN’s Threat Intelligence Feeds are built on visibility into real attacker activity observed daily in live malware executions. This means decisions are based on what adversaries are doing now, not what they did months ago. For CISOs, this enables stronger protection. For boards, it delivers confidence that security investments directly support business objectives. 

In budget discussions, threat intelligence should not be positioned as “more data.” It should be positioned as business assurance: fewer costly incidents, more efficient operations, and a clearer understanding of cyber risk across the organization. 

When CISOs can demonstrate that intelligence-driven security reduces financial impact, protects revenue streams, and scales without ballooning costs, the budget conversation changes. Threat intelligence becomes a strategic pillar of the organization’s risk management program, not a line item to be negotiated away. 

About ANY.RUN 

As a leading provider of interactive malware analysis and threat intelligence, ANY.RUN is trusted by over 500,000 analysts across 15,000 organizations worldwide. Its solutions enable teams to investigate threats in real time, trace full execution chains, and surface critical behaviors within seconds.  

Safely detonate samples, interact with them as they run, and instantly pivot to network traces, file system changes, registry activity, and memory artifacts in ANY.RUN’s Interactive Sandbox. For threat intelligence insights, integrate TI Lookup and TI Feeds supplying enriched IOCs and automation-ready intelligence. No infrastructure maintenance is required.   

Start your 2-week trial of ANY.RUN’s solutions → 

FAQ: Threat Intelligence for CISOs and Boards 

The post 5 Ways Threat Intelligence Drives SOC ROI: Board-Ready Cases for CISOs  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

If you’ve ever looked at a SOC queue and thought, “Where do we even start?” you’re not alone. 

Most teams face more alerts than they can realistically investigate, tools that don’t always connect, and investigations that take longer than they should. 

In a recent webinar, we shared a simple framework for speeding up detection and response without overloading teams. You can watch the full recording here: SOC Leader’s Playbook 

SOC teams that applied this approach have already seen measurable results: 

• 21 minutes less MTTR per incident 

• 15-second median MTTD 

• 3× improvement in team throughput 

For now, let’s look at how you can apply the same ideas to help your SOC respond faster in real environments. 

The Cost of a Slow SOC 

When detection and response take too long, the impact shows up fast and in very practical ways. 

• Incidents cost more: According to IBM’s Cost of a Data Breach Report 2025, the average breach now costs $4.4 million, and that number grows the longer attackers stay active. 

• Downtime lasts longer: Delayed response means systems stay compromised, business processes slow down, and recovery becomes harder. 

• Teams waste time on noise: Analysts spend hours chasing alerts that turn out to be harmless, often repeating the same checks across different tools. 

• Real threats get missed: Fatigue and overload make it easier for serious incidents to slip through unnoticed. 

• People burn out:  Constant pressure and reactive work drain focus and motivation, especially in Tier 1 teams. 

For SOC leaders, this creates a familiar loop: more alerts, slower response, higher risk, and exhausted teams. Breaking that loop starts with reducing time at every stage, from the first alert to final containment. 

Step 1: Prioritize Incidents and Reduce False Positives 

Speed starts with focus. If your SOC treats every alert the same, response will always be slow. 

Most teams receive far more alerts than they can realistically investigate. Many are low-risk, duplicated, or lack context. Analysts lose time figuring out what an alert actually means instead of responding to real threats. 

The root issue is usually threat intelligence. 

Indicators pulled from public reports often arrive too late, after attackers have already changed infrastructure. Other feeds may be fast but offer no explanation beyond “malicious,” forcing analysts to investigate manually. Automation suffers, false positives rise, and the SOC stays reactive. 

What works 

Effective prioritization depends on threat intelligence that is: 

• Real-time, not report-based 

• Context-rich, showing how an indicator is used 

• Integrated, flowing directly into SIEM, SOAR, and EDR 

When alerts arrive already enriched with reputation, behavior, and risk level, teams can automate routine triage and focus on high-impact incidents. 

How this looks with ANY.RUN 

ANY.RUN delivers this through its Threat Intelligence Feeds. 

TI Feeds provide real-time IOCs sourced from live attacks analyzed in ANY.RUN’s Interactive Sandbox by 15,000 organizations and 500,000 analysts. As a result, 99% of network IOCs are unique and come with links to full sandbox reports for immediate context. 

For SOC teams, this means earlier detection of new threats, fewer false positives, and up to a 20% reduction in Tier 1 workload. 

Step 2: Speed Up Threat Investigations 

Once an alert is prioritized, the next bottleneck is investigation speed. 

Many SOCs still rely on static analysis. It’s fast, but it doesn’t show what actually happens when a file or link runs. Modern malware hides behind obfuscation, delayed execution, or multi-stage delivery, leaving analysts with partial answers and slow decisions. 

To respond quickly, teams need to see real behavior, not just a verdict. 

What actually speeds investigations up 

Effective investigations depend on dynamic analysis that: 

• Integrate with your existing tools to automate investigations and avoid manual handoffs 

• Expose real threat behavior quickly, even in multi-stage or silent attacks 

• Deliver clear, actionable reports with verdicts, IOCs, and TTPs 

• Defeat evasion techniques, forcing malware to reveal itself 

How teams do this with ANY.RUN 

ANY.RUN helps SOC teams move from alert to answer in under 60 seconds. 

By detonating files and URLs in real time, the Interactive Sandbox exposes the full attack chain and automatically generates clear reports with verdicts, IOCs, and attacker techniques. This allows teams to confirm threats quickly and move straight to containment, cutting up to 21 minutes from MTTR per incident. 

Because the results are easy to interpret, even junior analysts can handle more alerts independently. Many teams report up to a 30% reduction in Tier 1–to–Tier 2 escalations, easing pressure on senior staff and speeding up response overall. 

For high-volume workflows, the sandbox also runs in Automated Interactivity mode. Files and URLs can be sent automatically via API, SDK, or native integrations with SOAR, EDR, and other security tools. The sandbox detonates the entire attack chain on its own and returns a conclusive verdict with full context in seconds. 

Check a real-world case inside sandbox 

In this analysis, a QR code hidden in a phishing email leads to a CAPTCHA-protected page and then to a fake Microsoft 365 login designed to steal credentials. The sandbox detonates the full chain, reveals the phishing infrastructure, and confirms credential theft behavior in seconds. 

Step 3: Verify Alerts Fast 

Not every alert points to a file you can detonate. 

Often, SOC teams see alerts tied to a suspicious IP, domain, URL, or process. In those cases, the key question is simple: Is this a real threat, or just noise? 
The faster you answer that, the faster you can move on. 

Where verification slows teams down 

Most alerts are enriched using free reputation services. These usually provide only a label like “malicious” with no explanation. 

There’s no context about: 

• how the indicator was used, 

• what malware or campaign it’s linked to, 

• or what the attacker is actually doing. 

So, analysts start from zero. They search blogs, PDFs, forums, and tools, copy-paste the same indicator repeatedly, and hope something useful turns up. It’s slow, distracting, and often outdated. Even when teams cross-check multiple sources, the information can be incomplete or contradictory. 

The result is delayed decisions, unnecessary escalations, and analyst fatigue. 

What helps analysts verify alerts faster 

Analysts move faster when they have access to a single, reliable source of fresh threat intelligence that gives instant context for any indicator they see. 

The most effective solutions don’t rely on second hand reports. They pull data from their own live sources; real malware executions, active honeypots, and real victim environments. That means the intelligence is current, detailed, and available the moment an alert appears. 

With this level of context, analysts can make confident decisions in seconds instead of spending time searching, cross-checking, and guessing. 

How teams do this with ANY.RUN 

ANY.RUN enables fast alert verification through its Threat Intelligence Lookup. 

TI Lookup gives analysts instant access to live attack data for IPs, domains, URLs, file hashes, and behavioral indicators. Each lookup returns real-world context, including how the indicator is used, what malware it’s linked to, and where it was observed; all based on active threat analysis, not old reports. 

As the intelligence comes from real malware executions shared by 15,000 organizations and 500,000 analysts, analysts can verify alerts in seconds instead of starting from zero. 

To see how this works in practice, imagine this: A SOC receives an alert about a connection to an unfamiliar IP address. A quick lookup shows it’s actively used in a Remcos malware campaign, with links to sandbox sessions where the same infrastructure was observed. With this context, the analyst can block the connection and close the alert confidently within minutes. 

TI Lookup query: destinationIP:”23.95.117.252″ 

For even faster workflows, TI Lookup integrates directly with SIEM, SOAR, TIP, and XDR platforms. Alerts can be enriched automatically as they arrive, so reputation, behavior, and threat context are available immediately, reducing manual checks, unnecessary escalations, and investigation time. 

Make Fast Response the Standard 

In most SOCs, the problem isn’t speed. It’s the delay between seeing an alert and knowing what to do next. 

When alerts arrive without context, investigations stall. When verification depends on manual research, response drags on. Fixing these gaps changes how the SOC operates: 

• incidents are prioritized earlier, 

• investigations reach clear answers faster, 

• alerts are confirmed before they turn into distractions. 

Teams that apply this approach consistently reduce MTTR by 21 minutes, detect threats in a median of 15 seconds, and achieve a 3× increase in team efficiency, without adding pressure to the team. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and threat intelligence solutions used by 15,000 SOC teams to investigate threats and verify alerts. They enable analysts to observe real attacker behavior in controlled environments and access context from live attacks. The services support both hands-on investigation and automated workflows and integrates with SIEM, SOAR, and EDR tools commonly used in security operations. 

See ANY.RUN’s solutions in action with 14-day trial 

The post SOC Leader’s Playbook: 3 Practical Steps to Faster MTTR  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that’s a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account… Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security, regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT — with one key difference: nobody wants, knows about, or benefits from these assets.

In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.

Physical and virtual servers

Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.

Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Lets Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.

Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.

This data should be supplemented by external vulnerability scans that cover all of the organization’s public IPs.

Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.

To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.

Forgotten user, service, and device accounts

Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.

Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.

Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it’s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.

Response: after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM) offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.

For service accounts, it’s also essential to routinely review both the strength of passwords, and the expiration dates for access tokens — rotating them as necessary.

Forgotten data stores

Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services — even “secure” ones — has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.

Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations — all of these often remain unaccounted for and accessible for years (even decades) in many organizations.

Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:

• Native audit subsystems within major vendor platforms, such as AWS Macie, and Microsoft Purview
• Specialized Data Discovery and Data Security Posture Management solutions
• Automated analysis of inventory logs, such as S3 Inventory

Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization’s security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company’s brand.

Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage — or to confirm it’s truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data. At the organizational policy level, it’s crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that’s accessible without restrictions, passwords, or encryption.

Unused applications and services on servers

Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources.

Prevalence: very high. services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete.

Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis — focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers.

Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default.

Outdated APIs

Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often provide data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.

Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it’s still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.

Detection: at the WAF or NGFW level, it’s essential to monitor traffic to specific APIs. This helps detect anomalies that may indicate exploitation or data exfiltration, and also identify APIs that get minimal traffic.

Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions.

For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.

Software with outdated dependencies and libraries

Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.

Prevalence: Very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.

Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, it’s mandatory to use scanners and comprehensive security systems integrated into the CI/CD pipeline to prevent software from being built with outdated components.

Response: company policies must require IT and development teams to systematically update software dependencies. When building internal software, dependency analysis should be part of the code review process. For third-party software, it’s crucial to regularly audit the status and age of dependencies.

For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it’s essential to maintain an up-to-date software bill of materials (SBOM).

You can read more about timely and effective vulnerability remediation in a separate blog post.

Forgotten websites

Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization’s brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the given company. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren’t renewed — making them available for purchase by anyone.

Prevalence: high — especially for sites launched for short-term campaigns or one-off internal activities.

Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be utilized to track domains associated with the company’s IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization’s brand.

Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement an automated DNS registration and renewal system to prevent the loss of control over the company’s domains.

Unused network devices

Priority: high. Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities, and almost never have proper monitoring — no EDR or SIEM integration — yet they hold a privileged position in the network, giving hackers an easy gateway to escalate attacks on servers and workstations.

Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.

Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what’s actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.

Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers — to prevent leaks of network settings, passwords, office video footage, and so on.

Kaspersky official blog – ​Read More

Imagine: a user lands on a scam site, decides to make a purchase, and enters their bank card details, name, and address. Guess what happens next? If you think the attackers simply grab the cash and disappear — think again. Unfortunately, it’s much more complicated. In reality, the information enters a massive shadow-market pipeline, where victims’ data circulates for years, changing hands and being reused in new attacks.

At Kaspersky, we’ve studied the journey data takes after a phishing attack: who gets it, how it’s sorted, resold, and used on the shadow market. In this article, we map the route of stolen data, and explain how to protect yourself if you’ve already encountered phishing, or if you want to avoid it in the future. You can read the detailed report complete with technical insights on Securelist.

Harvesting data

Phishing sites are carefully disguised to look legitimate — sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.

As soon as the user hits Sign In or Pay, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don’t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms to hide the final destination server.

A fake DHL website. The user is asked to enter the login and password for their real DHL account

The stolen data is typically transmitted in one of three ways — or a combination of them:

• Email. This method is less common today due to possible delays or bans.
• Telegram bots. The attackers receive the information instantly. Most of these bots are disposable, which makes them hard to track.
• Admin panels. Cybercriminals can use specialized software to harvest and sort data, view statistics, and even automatically verify the stolen information.

What kind of data are phishers after?

The range of data sought by cybercriminals is quite extensive.

• Personal data: phone numbers, full names, email, registration and residential addresses. This information can be used to craft targeted attacks. People often fall for scams precisely because the attackers possess a large amount of personal information — addressing them by name, knowing where they live, and which services they use.
• Documents: data and scans of social security cards, driver licenses, insurance and tax IDs, and so on. Criminals use these for identity theft, applying for loans, and verifying identity when logging into banks or e-government portals.
• Credentials: logins, passwords, and one-time 2FA codes.
• Biometrics: face scans, fingerprints, and voice samples used to generate deepfakes or bypass two-factor authentication.
• Payment details: bank card and cryptocurrency wallet details.
• And much more.

According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users’ personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.

Distribution of attacks by type of data being targeted, January–September 2025

What happens to the stolen data next?

Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.

1. Bulk sale of data

Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they’re relatively cheap — starting at around US$50.

2. Data sorting and verification

These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks — essentially a spreadsheet of data ready to be used in hacks.

3. Resale of verified data

The sorted datasets are offered for sale again, now at a higher price — and not only on the dark web but also on the more familiar Telegram.

An ad for a Telegram sale of social media account credentials

According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It’s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.

4. Repeat attacks

Once a cybercriminal purchases a victim’s digital dossier, they can plan their next attack. They might use open-source intelligence to find out where the person works, and then craft a convincing email impersonating their boss. Alternatively, they could hack a social media profile, extract compromising photos, and demand a ransom for their return. However, rest assured that nearly all threatening or extortion emails are just a scare tactic by scammers.

Cybercriminals also use compromised accounts to send further phishing emails and malicious links to the victim’s contacts. So, if you receive a message asking you to vote for a niece in a contest, lend money, or click on a suspicious link, you have every reason to be wary.

What to do if your data has been stolen

1. First, recall what information you entered on the phishing site. If you provided payment card details, call your bank immediately and have the cards blocked. If you entered a login and password that you use for other accounts, change those passwords right away. A password manager can help you create and store strong, unique passwords.
2. Enable two-factor authentication (2FA) wherever possible. For more details on what 2FA is and how to use it, read our guide. When choosing a 2FA method, it’s best to avoid SMS, as one-time codes sent via a text can be intercepted. Ideally, use an authenticator app, such as Kaspersky Password Manager, to generate one-time codes.
3. Check the active sessions (the list of logged-in devices) in your important accounts. If you see a device or IP address you don’t recognize, terminate that session immediately. Then change your password and set up two-factor authentication.

How to guard against phishing

• Don’t click on links in emails or messages without first scanning them with a security solution.
• If you receive a suspicious email, always check the sender’s address to see if you’ve had any contact with that person before. If someone claims to represent a government authority or company, be sure to compare the domain the email was sent from with the domain of the organization’s official website. No official correspondence should ever come from a free email service.
• Use an authenticator app for two-factor authentication.
• Create hack-resistant passwords. Our research shows that hackers can crack almost 60% of all passwords in the world in less than an hour. Alternatively, consider switching to passkeys, which offer much stronger account protection, but keep in mind that they come with their own caveats.
• Remember: using the same password for multiple services is a critical mistake. This is exactly what malicious actors exploit. Even if you’ve never fallen for a phishing scam, your passwords and data can still end up in data breaches, as cyberattackers target not just individuals but entire companies. This year, the Identity Theft Resource Center has already recorded over two thousand data breaches. To minimize the risks, create a unique and strong password for every account. You don’t have to — and actually can’t — memorize them all. It’s better to use a password manager, which generates and securely stores complex passwords, syncs them across all your devices, auto-fills them on websites and in apps, and alerts you if any of your credentials appear in a known data breach.

More on phishing and scams:

• How phishers and scammers use AI
• Phishing 101: what to do if you get a phishing email
• Email extortion: how scammers use blackmail
• Telegram scams with bots, gifts, and crypto
• Et cetera

Kaspersky official blog – ​Read More