The following interview, which we publish in full, was conducted in May 2026 by Erez, a member of the deepdarkCTI community. The MedusaLocker ransomware gang is a persistent cybercriminal operation first observed in late 2019. It operates primarily as a Ransomware-as-a-Service (RaaS) model, where developers provide the malware to affiliates in exchange for a percentage
The following interview, which we publish in full, was conducted in May 2026 by me, fastfire. "BreachForums" (often referred to as "Breached") is an English-language cybercriminal forum. It functioned as a clear-net marketplace and platform for threat actors to trade stolen databases, tools, access credentials, and other illicit services. A few days ago, the forum
The Metric to Anchor Your Agentic SOC Evaluation On
There's one question that, once it anchors how we evaluate these products, makes the difference between picking a triage tool and picking a detection partner. The global median dwell time, days from first attacker foothold to the moment someone noticed, came in at 14 days. Triage speed doesn't close it. The IBM 2025 Cost of a Data Breach Report puts mean time to identify at around 181 days globally, down from 194 the year before. But the directional signal is consistent: detection completeness is where the next layer of value lives. Dwell time is the metric. Days from foothold to detection. What we measure today, what we don't measure yet The agentic-SOC category has standardized on a set of performance metrics that are easy to measure cleanly: per-ticket investigation time, alert closure rate, response latency on already-detected incidents. That's a different kind of measurement than triage speed, and it's the one the category hasn't fully built out yet. Here's the distinction, side by side: Metric category What it measures What it tells you about the product Triage-speed metrics (broadly available) How fast the system processes alerts that already fired How efficient your SOC becomes at handling known signal Detection-completeness metrics (still maturing) Whether the system surfaces threats it didn't already have a rule for Whether the product is meaningfully shortening attacker dwell time Both matter. That said, there's a meaningful distinction between triage speed and detection completeness, and understanding it helps you get full value from the agentic wave. The way to make sure the right 60% survives is to measure outcomes that map to the actual threat: how many days did the attacker have before detection, and did that number go down? Here's the question to anchor on: "Show me your customers' median dwell time before deployment and after. Dwell time." Pay attention to what happens next. If they pivot to triage speed, they're likely early on the measurement maturity curve, which is where most of the category is right now. If they say "dwell time is a lagging indicator that's hard to attribute to a single tool," they're being honest about a genuinely hard problem. Products built around that metric are the ones most likely to deliver on what this category can genuinely do: meaningfully shorten the time between an attacker's first move and the moment someone stops them.
The following interview, which we publish in full, was conducted in May 2026 by Erez, a member of the deepdarkCTI community. The MedusaLocker ransomware gang is a persistent cybercriminal operation first observed in late 2019. It operates primarily as a Ransomware-as-a-Service (RaaS) model, where developers provide the malware to affiliates in exchange for a percentage
The following interview, which we publish in full, was conducted in May 2026 by me, fastfire. "BreachForums" (often referred to as "Breached") is an English-language cybercriminal forum. It functioned as a clear-net marketplace and platform for threat actors to trade stolen databases, tools, access credentials, and other illicit services. A few days ago, the forum
In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity.
In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.
In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.