CISA KEV · LIVE
loading live threat feed from CISA…
S SyberOps Try the agent →
a publication on agentic AI for security operations

Notes from the autonomous SOC.

Daily threat signal, deep research, and open detection rules — written by people building the tools that triage alerts at machine speed. No vendor sludge. No SEO bait.

known-exploited CVEs tracked added this week 3 research essays · updated weekly
The Signal · daily brief

What we're watching this week

All signals
Vulnerability · 26 Apr 2026

Half of last week's KEV is in your management plane

CISA added 13 CVEs to KEV between April 20 and 24. Seven are in security and IT-management tools — Defender, SimpleHelp, Quest KACE, Cisco SD-WAN Manager. The pattern matters more than the patches.

Verdict: stop ranking your KEV queue by CVSS. Rank it by trust radius. A 7.8 LPE on the EDR running across 30,000 endpoints beats a 9.8 RCE on a single web app.
Read the brief →
Agentic AI · 25 Apr 2026

The first prompt-injection-via-log payload is in the wild

A Splunk customer reported alert reasoning being hijacked by a crafted Apache log line. The fix isn't where most teams will look first.

Verdict: stop concatenating raw log fields into your model context. Treat every field as untrusted input — not because of SQL injection, but because of token injection.
Read the brief →
Threat actor · 24 Apr 2026

LotL is back — and your EDR rules from 2022 are blind to it

A new wave of intrusions is using certutil, bitsadmin, and mshta in ways that bypass most behavior-based detections. Three quick rules to plug the gap.

Verdict: stack-rank your "trusted Windows binary" rules by parent-process anomaly, not by binary name. The binary is signed; the parent is the signal.
Read the brief →
Research · long-form

Essays from the field

All research
Featured · 18 min read

Prompt injection inside a SOC agent

What happens when an attacker can write the words your AI analyst reads? A field guide to a class of vulnerabilities that doesn't exist in any threat model — yet is shipping in production today. With concrete defenses you can implement this week.

April 2026 · Vishnu G.
Theory · 11 min read

Why rule-based SIEM hits a mathematical ceiling above 10k alerts/day

It's not a tooling problem. It's an information-theory problem. A first-principles argument for why throwing more analysts at the queue can never close the gap.

April 2026 · Vishnu G.
Practice · 14 min read

Building an accountable autonomous SOC

Every decision an autonomous agent makes is a decision your auditor will ask about. Six design principles for AI triage that scales without becoming a compliance bomb.

April 2026 · Vishnu G.
Detections · open library

Free Sigma rules. Use them however you want.

Browse the library
Sigma rule · MIT licensed

PowerShell base64 download cradle (parent-process aware)

One of the most common LotL patterns, written to fire only when the parent process is anomalous — cutting false positives by ~80% versus the standard rule.

Used by ~400 SOC teams. Tested against MITRE Caldera scenarios. Updated April 2026.

# PowerShell encoded download cradle — parent-aware
title: PowerShell Base64 Download Cradle
id: syberops/ps-b64-cradle
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - 'FromBase64String'
  parent_filter:
    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\outlook.exe'
      - '\mshta.exe'
  condition: selection and parent_filter
level: high
Live demo · gated

Drop a real alert. Watch the agent reason through it.

Our triage agent isn't a chatbot — it's a SOC analyst that thinks out loud. Paste any alert and watch the reasoning, the indicator extraction, the MITRE mapping, and the recommended action stream live.

Try the agent at demo.syberops.com →
access by email request · 20 triages / 24h per user
About

Who's behind this.

SyberOps is built by operators who spent too many nights triaging false positives. We're building an autonomous SOC layer — and writing about the problems we hit along the way. If you're a security engineer, SOC analyst, or detection lead, this site is for you.

Want to talk? hello@syberops.com reaches a human within a day.