
Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code

8 May 2026 at 08:37

Every engineering team in your organization ships code through a pipeline. They branch, test, review, and deploy. If something breaks, they roll back. If someone asks "what changed?", the answer is in the commit history. This isn't heroic discipline; it's just how software gets built.

Now think about how your detection engineering team works.

Rules get written in a UI. Maybe copied and pasted from a wiki. There's no peer review; someone clicks "save," and it's live. No test cases validate the logic before deployment. No rollback if something breaks. When an alert suddenly floods your SOC, good luck figuring out what changed and when. When a detection stops firing, you might not notice for weeks.

This is, by definition, a process gap. And it's one that the rest of engineering solved years ago. The gap becomes manageable through the five custom rules, listed below. As your detections grow, you need the same discipline that every other engineering team already has.

| Process Stage | How it works in software engineering | How it works in detection engineering |
| --- | --- | --- |
| Storage | Git / Version Control | UI / Wiki / "Tribal Knowledge" |
| Validation | Automated CI/CD Tests | "Wait and see if it fires" |
| Review | Peer-reviewed Pull Requests | Single-user "Save" button |
| Rollback | One-click git revert | Manual query deletion |

How does this help my security team?

Detection as Code gives your team a structured, repeatable way to build and manage detections with confidence. Instead of relying on manual updates and guesswork, every change is tested, reviewed, and tracked before it reaches production. Before we get into the how, here's why Detection as Code changes the way your team works:

  • A more reliable process. Every change goes through version control and peer review before it goes live. When something goes wrong, you know exactly what changed, when it changed, and who approved it. Roll back in seconds if needed.

  • A safety net of tests. Inline test cases validate detection logic before deployment. Positive tests prove it catches the threat; negative tests prove it doesn't fire on legitimate activity.

  • Confidence in what's deployed. terraform plan previews every change before anything touches production. Terraform state is the authoritative record of your detection estate, not some spreadsheet.

The result is a detection workflow your team can trust. Changes are predictable, validated, and fully traceable, so security teams don’t get caught up in troubleshooting and can focus on improving coverage and overall posture. 

The anatomy of a detection

Here is what a detection rule looks like using Rapid7’s Terraform provider. It offers a practical view of how detection engineering teams can use Detection as Code in practice:

resource "rapid7_siem_detection_rule" "encoded_powershell" {
  name        = "Encoded PowerShell Command Execution"
  description = "Detects PowerShell launched with base64-encoded commands"
  techniques  = ["T1059.001"]
  action      = "CREATES_ALERTS"
  priority    = "HIGH"
  logic = {
    leql = <<-LEQL
      from(event_type = process_start_event)
      where(
        (process.exe_path = /.*\\powershell\.exe$/i
         OR process.exe_path = /.*\\pwsh\.exe$/i)
        AND process.cmd_line ICONTAINS " -e"
        AND process.cmd_line ICONTAINS-ANY [
          " JAB", " SUVYI", " SQBFAFgA", " aWV4I"
        ]
      )
    LEQL
    testcases = [
      {
        matches = true
        payload = jsonencode({
          process = {
            exe_path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
            cmd_line = "powershell.exe -ep bypass -e JABjAGwAaQBlAG4AdAA="
          }
        })
      },
      {
        matches = false
        payload = jsonencode({
          process = {
            exe_path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
            cmd_line = "powershell.exe -File C:\\Scripts\\backup.ps1"
          }
        })
      }
    ]
  }
}

Why this works:

  1. Version-controlled logic: The LEQL query defines the threat logic in a text format that Git can track.

  2. MITRE ATT&CK® integration: The techniques field ensures your coverage map updates automatically.

  3. Inline testing: We aren't just deploying a query, but a validated unit of logic. The pipeline won't let this reach production if the logic fails to fire on the matching payload or accidentally fires on the non-matching payload.
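To make the inline test gate concrete, here is an added Python harness (not code from the page or from Rapid7's provider) that approximates the rule's where() clause and runs the resource's two testcases plus one constructed benign event. The LEQL semantics (case-insensitive regex, ICONTAINS as a substring test) are an assumption standing in for the real evaluator.

```python
"""Emulate the inline test gate of the encoded-PowerShell rule (added example)."""
import json
import re

# Predicates transcribed from the page's LEQL where(...) clause. This is a
# Python approximation of LEQL semantics, not Rapid7's evaluator (assumption).
EXE_PATTERNS = [
    re.compile(r".*\\powershell\.exe$", re.IGNORECASE),
    re.compile(r".*\\pwsh\.exe$", re.IGNORECASE),
]
ENCODED_FLAG = " -e"                                          # ICONTAINS " -e"
ENCODED_PREFIXES = [" JAB", " SUVYI", " SQBFAFgA", " aWV4I"]  # ICONTAINS-ANY [...]


def rule_matches(event: dict) -> bool:
    """Return True when a process_start_event satisfies the rule's where() clause."""
    proc = event.get("process") or {}
    exe_path = proc.get("exe_path", "")
    cmd_line = proc.get("cmd_line", "").lower()          # ICONTAINS is case-insensitive
    is_powershell = any(p.match(exe_path) for p in EXE_PATTERNS)
    has_encoded_flag = ENCODED_FLAG in cmd_line
    has_known_prefix = any(pfx.lower() in cmd_line for pfx in ENCODED_PREFIXES)
    return is_powershell and has_encoded_flag and has_known_prefix


# The two testcases from the page's resource, with payloads serialised the way
# jsonencode() would emit them (json.dumps stands in for jsonencode here).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TESTCASES = [
    {"matches": True, "payload": json.dumps({"process": {
        "exe_path": PS_PATH,
        "cmd_line": "powershell.exe -ep bypass -e JABjAGwAaQBlAG4AdAA="}})},
    {"matches": False, "payload": json.dumps({"process": {
        "exe_path": PS_PATH,
        "cmd_line": r"powershell.exe -File C:\Scripts\backup.ps1"}})},
]


def run_testcases(testcases, match_fn=rule_matches):
    """Evaluate every testcase; return a list of (index, expected, got) failures.

    An empty list means the rule would pass the pipeline gate described in the
    text: it fires on every `matches = true` payload and on no `matches = false` one.
    """
    failures = []
    for idx, case in enumerate(testcases):
        event = json.loads(case["payload"])
        got = match_fn(event)
        if got != case["matches"]:
            failures.append((idx, case["matches"], got))
    return failures


# Constructed extra event, not from the page: ICONTAINS " -e" is a substring
# test, so "-ExecutionPolicy" satisfies it, and a script name beginning with
# "jab" satisfies the prefix list. Adding an event like this as a
# `matches = false` testcase is how a reviewer pins down the false positive
# before the rule reaches production.
BENIGN_LOOKALIKE = {"process": {
    "exe_path": PS_PATH,
    "cmd_line": "powershell.exe -ExecutionPolicy RemoteSigned -File jab_export.ps1"}}


if __name__ == "__main__":
    print("page testcase failures:", run_testcases(TESTCASES))
    print("benign lookalike fires:", rule_matches(BENIGN_LOOKALIKE))
```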

Why Terraform?

Because it's the industry standard for managing infrastructure as code. We didn't invent a proprietary CLI; we built on the tool that thousands of platform teams already run daily. If your organization uses Terraform for cloud infrastructure, your detection engineers now use the same tool, the same workflow, and the same review process.

Governance happens naturally in this model. Open a pull request. Your team sees the logic, the test cases, and the expected behavior. They comment, suggest improvements, and approve. Every change is traceable in your commit history. This isn't a separate compliance exercise bolted onto your workflow. It is the workflow.

Already have rules built in the UI? One command imports them all:

terraform query -generate-config-out imports.tf

AI-assisted detection writing

The quick-start repo ships with IDE configurations for Claude Code, Cursor, VS Code Copilot, and Kiro. These configs give your AI assistant full context on the Terraform provider schema, LEQL syntax, and MITRE ATT&CK mappings.

In practice: open your editor, describe a threat in plain English, such as ‘write me a detection for lateral movement via RDP from non-admin workstations,’ and get back a complete Terraform resource ready for review. The AI accelerates the engineer; it doesn't replace them. The time from "I need a detection" to "this is ready for review" drops from hours to minutes.

Start building detections as code today

Rapid7’s Terraform provider for Detection as Code is now available across all Incident Command and InsightIDR tiers.

To get to work, use the Getting Started guide for a walkthrough as you set up, authenticate, and run your first deployment. Clone the quick-start template, run terraform plan, and see your detection estate as code.
For more information on Incident Command, visit our hub page for SIEM.

What Mythos Reveals About Zero Trust’s Scope Problem

The coverage of Anthropic’s Mythos Red Team report has followed a predictable arc: a sensational headline, reactions ranging from alarm to dismissal, and little engagement with what the research actually demonstrates. That is worth correcting, because what Mythos reveals is not primarily a story about AI finding vulnerabilities. It is a story about why trusting software is no longer a viable strategy, and what the architectural response should be. 

Rapid7 Detection Coverage for Iran-Linked Cyber Activity

11 March 2026 at 13:31

The tension arising out of the conflict in Iran is beginning to show signs of expanding beyond a strictly regional crisis. Following our recently published advisories, this communication is intended to outline and summarize the detection and enrichment coverage available to Rapid7 customers, broadly assess the macro cyber threat landscape, and describe the specific actions undertaken within the Rapid7 portfolio to assure our customers of the protection they receive and can expect moving forward. For a research-driven companion piece from Rapid7 Labs, dive into Iran’s Cyber Playbook in the Escalating Regional Conflict.

Tracking the campaigns associated with the current conflict 

A number of threat campaigns are associated, directly or indirectly, with Iranian APT groups. In order to track details of these campaigns, any relevant indicators of compromise will be made available within Intelligence Hub.

Figure 1: A screenshot of the collective campaign available within Intelligence Hub.

As additional intelligence is identified and verified, this campaign (and any others) will be incorporated and made available both within the detection stack across the Rapid7 portfolio and for enrichment purposes within Intelligence Hub.

Hacktivist activity and Digital Risk Protection (DRP) coverage 

Since the regional military escalations began in late February 2026, Rapid7 Labs has tracked a significant and ongoing spike in retaliatory cyber activity targeting regional and Western infrastructure. What we're seeing falls into two broad buckets. The first is state-directed operations, primarily espionage and data exfiltration, carried out by actors like:

  • MuddyWater/Seedworm (MOIS)

  • CyberAv3ngers (IRGC)

  • The Handala persona (assessed as being maintained by Void Manticore under MOIS direction). 

The second is a much noisier layer of hacktivist activity, stemming from groups that lack sophistication but generate outsized visibility through DDoS campaigns and public breach claims. These groups include:

  • Keymous+

  • DieNet

  • NoName057(16).

A major theme across this escalation is fabrication. Many of the breach claims circulating on Telegram and dark web forums are exaggerated or outright fake. Threat actors, especially on the hacktivist side, are recycling old leaked datasets, overstating their access, and running what amount to psychological operations aimed at causing panic and reputational damage. That said, where state-directed actors are involved, legitimate data theft is a real concern, and there is a strong likelihood that stolen material will be weaponized publicly and quickly.

Rapid7's Digital Risk Protection platform is purpose-built to cover exactly these kinds of threats. Here is how our coverage maps to the current activity:

  • Dark web and forum monitoring — The coordination and announcements driving these campaigns are happening across Telegram, X (formerly Twitter), and dark web leak sites. DRP continuously monitors clear, deep, and dark web sources, with proprietary crawlers, inspecting tens of millions of pages. This gives us visibility into restricted forums and early warning when campaigns begin targeting specific organizations or sectors.

  • Data leakage detection and claim verification — With so many unsubstantiated breach claims in circulation, the ability to quickly distinguish real exposures from fabricated ones is critical. DRP monitors threat actor dumps and leak sites for exposed company assets and correlates what it finds against each customer's digital footprint, giving organizations a clear answer on whether a claimed breach actually affects them.

  • Brand security and phishing defense — Threat actors are exploiting public confusion to register lookalike domains, clone websites, and create impersonation profiles on social media. DRP identifies these phishing and impersonation threats and supports the takedown of the attacker's infrastructure.

  • Analyst-verified intelligence — Our threat intelligence analysts investigate and triage what surfaces through the platform to ensure customers receive only intelligence that has been verified and is actionable. When a real compromise or data exposure is confirmed, our team works directly with the affected organization to assess the impact and support remediation.

CVE intelligence 

To fuel the data leak and psychological operations discussed above, state-directed actors like MuddyWater and Void Manticore are actively weaponizing recently disclosed, high-impact vulnerabilities. Rather than focusing on a single product, these APTs are broadly targeting a combination of internet-facing edge devices, enterprise management infrastructure, and client productivity software to gain their initial foothold.

The vulnerabilities being leveraged in these campaigns all provide either authentication bypass or remote code execution, giving attackers a direct path into the environment. Once inside, the goal is the same every time: establish persistence and get data out. As noted above, any legitimate data stolen during these intrusions is highly likely to be handed off to hacktivist personas and weaponized publicly to support the broader disinformation campaigns.

The following CVEs have been identified as actively exploited or assessed as high-priority targets in the current threat environment:

  • CVE-2026-1281

    • Description: A critical command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that grants unauthenticated attackers root-level remote code execution. This has been leveraged as a zero-day vulnerability to compromise mobile endpoint management environments.

    • Tied to: MuddyWater (MOIS)

    • Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/20932

  • CVE-2024-4577

    • Description: A critical OS command injection vulnerability in PHP running in CGI mode on Windows. By exploiting Windows "Best-Fit" encoding behaviors, attackers can bypass escape mechanisms and execute arbitrary code on the host server.

    • Tied to: Void Manticore (the MOIS-affiliated actor that maintains the Handala hacktivist persona)

    • Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/19247

  • CVE-2025-32433

  • CVE-2025-52691

  • CVE-2025-9316

    • Description: An unauthenticated session bypass vulnerability impacting N-able N-Central. Attackers frequently chain this with an XML External Entity (XXE) vulnerability to read highly sensitive local configuration and backup files from the host infrastructure.

    • Metasploit Module: https://github.com/rapid7/metasploit-framework/pull/20713

  • CVE-2026-21514

    • Description: A security feature bypass vulnerability in Microsoft Word that allows an unauthorized attacker to bypass Object Linking & Embedding (OLE) mitigations locally. Exploitation requires user interaction to open a maliciously crafted document.

    • Rapid7 Coverage: Analyzed extensively in Rapid7's Patch Tuesday - February 2026 blog post and prioritized for customer patching due to active exploitation.

Detection and Response for Rapid7 customers 

Rapid7’s Threat Hunting team has been actively hunting for activity related to Iranian actors since the regional conflict began. We are utilizing threat intelligence related to new indicators of compromise and known tactics, techniques, and procedures to conduct these hunts. If we have validated findings, the MDR SOC will investigate and communicate the details of findings using the standard notification processes.

Additional reading from Rapid7 Labs: Iran’s Cyber Playbook in the Escalating Regional Conflict

Alert Fatigue Isn’t Going Away. Here’s How Modern SOCs Are Fighting Back

By: Rapid7
23 February 2026 at 09:09

Security teams have been talking about alert fatigue for years. And yet, for many SOCs, the problem isn’t getting better. It’s getting worse.

As environments expand across cloud, SaaS, identity, and legacy systems, analysts are flooded with signals that all demand attention but rarely arrive with enough context to act quickly. Staffing shortages only amplify the issue. The result is a SOC stuck reacting to noise instead of responding to real risk.

Recent industry research reinforces what analysts already know. False positives remain one of the top challenges in detection and response, and many analysts encounter low-value alerts so frequently that it slows investigations and contributes directly to burnout. Alert fatigue isn’t just an efficiency problem. It’s an operational risk.

That’s why we created a new eBook, Alert Fatigue to Action: The SOC Analyst’s Playbook.

Why alert fatigue persists, and why it’s not your fault

Alert fatigue isn’t a reflection of weak analysts or underperforming teams. It’s the outcome of security models that haven’t kept pace with modern complexity.

Traditional SIEM approaches were built for a different era. Rule-heavy detections, manual enrichment, siloed tools, and flat log views force analysts to spend valuable time stitching together context before they can even begin investigating. Even experienced analysts end up waiting for answers instead of acting on them.

Modern SOCs need a different approach. One that prioritizes analyst efficiency, reduces friction, and brings clarity to investigations from the start.

Four moves that change how SOCs operate

In the eBook, we break down four practical shifts that high-performing SOCs are making to move beyond alert fatigue:

  • Automate the noise with AI-assisted classification and enrichment so analysts can focus on what truly matters

  • Investigate smarter with unified context, eliminating unnecessary pivots between tools

  • Shrink the response cycle using guided workflows that make investigations faster and more consistent

  • Gain confidence in coverage by understanding risk across the entire attack surface, not just known assets

These aren’t theoretical ideas. They’re grounded in real-world SOC workflows and designed to help analysts move faster without sacrificing control or trust.

A look inside a real SOC investigation

One of the most impactful sections of the eBook walks through a familiar scenario: a phishing or business email compromise investigation.

Instead of listing tools or features, it shows what the investigation actually feels like for an analyst. From the frustration of waiting on data in a traditional workflow to the clarity that comes when context is surfaced early and answers arrive faster. It’s a reminder that efficiency isn’t about removing analysts from the loop. It’s about removing the friction that slows them down.

From overwhelmed to in command

At its core, the playbook is built on a simple principle. Modern SOC efficiency comes from reducing noise, unifying context, and guiding investigations with AI-assisted workflows, all while keeping analysts firmly in control.

If you’re responsible for detection and response, or if you’re feeling the strain of alert fatigue in your SOC, this eBook is designed for you.

Download Alert Fatigue to Action: The SOC Analyst’s Playbook and see how modern SOCs are turning overwhelming alert volume into faster, more confident response.

LevelBlue scoops up Alert Logic’s managed services from Fortra

By: Greg Otto
27 January 2026 at 10:00

LevelBlue, a Dallas-based managed security services provider, announced Tuesday that it is expanding its managed detection and response business through a strategic partnership with cybersecurity firm Fortra that includes the acquisition of Fortra’s Alert Logic managed services unit.

The companies said the agreement covers Alert Logic’s Managed Detection and Response services, along with associated Extended Detection and Response and Web Application Firewall managed services. The announcement positions the deal as both a consolidation in the crowded managed security market and a reconfiguration of how Fortra intends to sell and support parts of its portfolio.

At the center of the arrangement is a split between software and services. LevelBlue will take on the delivery of certain Alert Logic managed offerings, while Fortra becomes a prominent technology partner whose software and platforms will be made available to LevelBlue’s customers through its managed services model. The result is a tighter coupling between product vendors and outsourced security operators, reflecting a broader industry pattern in which clients seek a single point of accountability for security operations, while vendors look for distribution through channel partners rather than direct service delivery.

Sundhar Annamalai, LevelBlue’s chief strategy officer, told CyberScoop that he sees the deal as “all upside” for Alert Logic’s MDR users.

“Nothing’s going to change for customers,” Annamalai told CyberScoop. “The experience remains the same as they go through their changes down the line, whether that’s through their own acquisitions or they’re expanding globally. We want to be the partner they turn to to manage their cybersecurity outcomes. Given where we operate, the scale at which we operate, our ‘Follow the Sun’ strategy, we believe we’re a logical choice to grow with our customers.”

Both companies framed the move as an effort to broaden coverage across the attack surface, from cloud infrastructure to employee email accounts to public-facing applications. In practical terms, the firms are arguing that combining telemetry, tooling and operational staffing under a single managed provider can improve detection speed and response coordination, especially for customers with complex environments. 

“When we made the strategic decision to redouble our focus on providing software, as well as looking for a home for the Alert Logic services and team, it was important to us to find a place where customers would be protected, and our employees would not only be taken care of but also have potential for continued career growth,”  Matt Reck, CEO of Fortra, told CyberScoop.  “We could not be more excited about LevelBlue as a partner — both for our customers and our shared vision of the need in the market, but also for the Alert Logic team members.” 

LevelBlue said the acquisition will give Alert Logic’s existing customer base access to what it described as a larger global footprint and broader threat telemetry. The emphasis on telemetry highlights a key competitive lever in managed detection: providers claim advantage not only through staffing and procedures in a security operations center, but also through the volume and variety of signals they can ingest across clients and environments.

The companies also emphasized complementary capabilities. Fortra’s tools were cited as extending LevelBlue’s existing strengths in data security, brand protection, email security and offensive security. The language signals an attempt to offer customers a broader menu of security functions without requiring them to integrate and manage multiple vendors on their own, a recurring pain point in enterprise security operations.

The acquisition is LevelBlue’s fourth in the past year. In July, the company acquired Trustwave and Aon’s cybersecurity and intellectual property litigation consulting groups, which include Stroz Friedberg and Elysium Digital. In October, the company announced it would acquire Cybereason.

Annamalai told CyberScoop that the Fortra deal, along with the others, shows the company is very particular about the services it wants to provide to its customer base as it grows. 

“A lot of this is, how do you drive towards security outcomes, and do that in the way that customers have chosen their own security destinies,” he told CyberScoop. “We want to do that through a technology platform that lets us be adaptable to the journey customers are on, but also platform-centric in the way that we support our customers on a go-forward basis. And so when we think about our investments, it’s on a platform strategy that lets us serve customers on their own security journey.”

Terms of the deal were not disclosed. 

The post LevelBlue scoops up Alert Logic’s managed services from Fortra appeared first on CyberScoop.

Maximize GravityZone Defense: Policy Best Practices for Endpoint Security

Security incidents often result from misconfigured policies, not necessarily a failure of a security product itself. Another challenge involves overlooking newly released features that must be manually enabled in endpoint configurations. While the default settings in Bitdefender GravityZone are an excellent starting point, securing your unique environment requires configurations tailored to your specific operations. 

Introducing GravityZone Security Data Lake

Across your organization's infrastructure, all devices like firewalls, servers, endpoints, applications (e.g., BEST agent), and cloud services are constantly generating their own unique telemetry, often in different formats (log, txt, JSON, csv, etc.) and sizes. This volume of data creates a critical operational challenge: it is impossible to manually parse, search, or effectively correlate security events across platforms.

AV-Comparatives Test: Bitdefender, Best at Stopping Threats Before They Start

Stop a threat before it executes, and you maintain business continuity. Respond after it runs, and you increase the odds of business disruption and costly remediation. Security solutions vary significantly in their ability to block threats pre-execution, and the latest AV-Comparatives Enterprise Advanced Threat Protection test quantifies this gap in stark terms: Bitdefender blocked 87% of threats at the pre-execution stage, while other vendors blocked just 36% of attacks pre-execution, on average. This 51-percentage-point advantage reveals more than superior detection rates—it demonstrates a fundamental architectural difference in how security solutions approach protection.   

What Windows 10 EOS Means for Security

Microsoft officially abandoned support for most versions of Windows 10 on October 14, 2025. It will continue to offer Extended Security Updates (ESU) temporarily for Windows 10 version 22H2, but that support will eventually expire as well, and can be expensive to maintain. This decision by Microsoft is significant because 40%-45% of Windows users globally still regularly use Windows 10. From a cybersecurity perspective, this poses a significant risk. By ending support for the OS, Microsoft will no longer provide key updates to close vulnerabilities and fix bugs in Windows 10. This creates an enticing target for threat actors who are always on the lookout for the lowest-hanging fruit.  

What’s New in GravityZone October 2025 (v6.67)

Bitdefender recently rolled out new functionality in Bitdefender GravityZone, a comprehensive cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. These features, consistent with our multi-layered security strategy, are intended to ease the workload of security analysts, administrators, and users.  

Bitdefender Tops Breach Prevention and TCO in Latest AV-Comparatives EPR Tests

The cybersecurity industry has long debated whether prevention or detection is more important. The AV-Comparatives EPR Comparative Report 2025 settles the debate. By measuring both, it reveals that prevention-first is the winning strategy—stronger, simpler, and more cost-effective. Bitdefender GravityZone didn’t just participate in the evaluation; it led across the board. Bitdefender achieved the highest detection rate among all participating vendors and the lowest Total Cost of Ownership (TCO), underscoring a commitment to both security efficacy and operational efficiency. The evaluation also proves that modern security means blocking threats before they disrupt business.  

What’s New in GravityZone September 2025 (v 6.66)

Bitdefender recently introduced new functionality in Bitdefender GravityZone, a comprehensive cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. These new features, consistent with our multi-layered security strategy, are intended to ease the workload of security analysts, administrators, and users.  
