RedLab's Threat Research Unit publishes original adversarial research, threat actor intelligence,
and practitioner-focused advisory content drawn from active red team engagements, incident response
investigations, and our proprietary threat telemetry network. All research is conducted by operators
with hands-on adversarial experience.
Original research from the RedLab team, published when we have something worth saying —
not on a content marketing calendar.
Threat Intelligence
March 2025
The Rise of AI-Augmented Social Engineering Attacks
Threat actors are integrating large language models into their social engineering pipelines —
generating hyper-personalized spear-phishing lures at scale, cloning executive voices for vishing
attacks, and producing deepfake video for business email compromise. This report details the operational
tradecraft observed in active campaigns, provides indicators of AI-assisted targeting, and outlines
defensive countermeasures that security teams can deploy today.
Advisory
February 2025
Zero Trust in Practice: Lessons from 50 Enterprise Deployments
After leading Zero Trust architecture programs at 50 enterprise organizations over three years,
our practitioners have distilled the patterns that separate successful deployments from expensive
stalls. This advisory identifies the five most common failure modes — identity sprawl, policy
complexity paralysis, incomplete device inventory, shadow IT blind spots, and executive buy-in
erosion — and provides a pragmatic remediation playbook for each.
Research
January 2025
Critical Infrastructure Under Fire: ICS/SCADA Threat Landscape Report
Nation-state actors and ransomware groups have dramatically increased targeting of industrial
control systems and operational technology networks. This report analyzes 120 publicly disclosed
and RedLab-observed ICS/SCADA incidents from 2023–2024, maps attacker TTPs to ICS-specific
MITRE ATT&CK techniques, and provides asset owner-specific hardening guidance for Purdue
Model tiers 0 through 3.
Threat Intelligence
October 2024
Ransomware Economics: Understanding the Modern Extortion Ecosystem
Ransomware is no longer a technical attack — it is a mature criminal industry with affiliates,
service providers, insurance analysts, and negotiation intermediaries. This report dissects the
ransomware-as-a-service economic model, traces cryptocurrency laundering patterns, analyzes
negotiation outcomes across 400 anonymized incidents, and examines how double and triple extortion
have changed victim decision calculus.
Cloud Security
August 2024
Cloud Misconfigurations: The Silent Data Breach Enabler
Across 200 cloud security assessments conducted in 2023–2024, RedLab found that misconfiguration
was the root cause or contributing factor in 73% of cloud security incidents — outpacing
vulnerability exploitation by a factor of 3. This report documents the fifteen most critical
AWS, Azure, and GCP misconfiguration patterns, how attackers discover and exploit them at scale,
and the configuration baseline controls that eliminate the highest-impact risks.
Advisory
May 2024
Insider Threat Programs That Actually Work
Most insider threat programs are surveillance programs dressed up in HR language. They generate
legal exposure, destroy employee trust, and fail to detect the actual insider threats they were
designed to catch. This advisory — informed by RedLab's work with financial institutions,
defense contractors, and technology companies — describes how to design an insider threat program
that balances genuine risk reduction with privacy, legal compliance, and organizational culture.
Proprietary Intelligence
RedLab Threat Intelligence
RedLab operates a proprietary threat intelligence network built from seven years of adversarial
operations data, incident response telemetry, dark web monitoring, and global sensor infrastructure.
Our intelligence is not a feed resold from a third-party vendor — it is original collection,
processed and contextualized by analysts who understand what the data actually means for defenders.
Intelligence is only valuable when it is actionable. RedLab's threat intelligence products are designed
to integrate directly into your SIEM, SOAR, and vulnerability management workflows — structured as
STIX 2.1/TAXII 2.1 feeds for machine consumption and as curated analyst reports for human decision-making.
Strategic Intelligence: Threat actor profiling, geopolitical context, and industry targeting trend analysis for CISO and board audiences
Operational Intelligence: Active campaign monitoring, adversary infrastructure tracking, malware family evolution, and campaign attribution
Tactical Intelligence: IOC feeds, YARA rules, Sigma detection rules, and network signatures for direct SIEM and EDR ingestion
Brand & Digital Risk Monitoring: Domain squatting alerts, credential exposure monitoring, dark web brand mentions, and supply chain compromise indicators
Recent Intel Highlights
Live Feed
CRIT: New Ivanti Connect Secure RCE under active exploitation (2 hours ago)
HIGH: UNC3944 expanding targeting to hospitality sector (6 hours ago)
HIGH: Qilin ransomware new data extortion TTPs observed (14 hours ago)
MED: BEC campaign targeting CFOs using AI voice synthesis (1 day ago)
MED: TA558 phishing infrastructure refreshed — new IOCs (2 days ago)
LOW: Microsoft Entra ID token theft via CAM bypass research (3 days ago)
Receive RedLab research publications, threat intelligence digests, and advisory content directly
to your inbox. We publish when we have something worth saying — typically two to four times per month.
No marketing content. Unsubscribe anytime.
Original research publications before public release
Monthly threat landscape digest curated by our analysts
Critical vulnerability advisories with remediation guidance
Early access to whitepaper releases and webinar invitations
Downloadable Reports
Whitepapers & Reports
In-depth technical reports available for download. Registration required for gated reports.
Ungated research is published in the interest of raising the defensive security community's collective knowledge.
2025 Annual Report, 52 pages, Free
2025 RedLab Threat Report: The Evolving Enterprise Attack Surface
RedLab's annual review of enterprise threat trends compiled from 300+ red team engagements,
150+ incident response investigations, and threat intelligence collections across 2024.
Covers initial access evolution, identity-based attacks, cloud compromise patterns, supply chain
risks, and AI-assisted attack techniques. Includes sector-specific risk ratings and a 12-month
threat forecast.
Anatomy of a Modern Ransomware Attack: A Technical Playbook for Defenders
A granular, stage-by-stage technical analysis of a composite ransomware attack based on RedLab
incident response data from 2023–2024. Covers initial access vectors, persistence mechanisms,
lateral movement techniques, data staging and exfiltration, and encryption deployment. Each
stage includes ATT&CK TTP mappings, detection opportunities, and hardening guidance.
The CISO's Guide to Communicating Cyber Risk to the Board
Practical guidance for security leaders on translating technical risk findings into board-level
language. Covers risk quantification frameworks (FAIR, CRQ), metric selection and dashboard design,
incident communication protocols, and how to structure budget conversations around business outcomes
rather than security features. Includes annotated example board decks from RedLab practitioners.