

Loss Magnitude Rubric
Based on the Cyentia Institute's Information Risk Insights Study (Cyentia Institute. “Information Risk Insights Study.” 2026. https://www.cyentia.com/iris2025/). Loss Magnitude (LM) answers a fundamental question in risk analysis: "If this threat succeeds, how much will it cost us?" Loss Magnitude combines with Loss Event Frequency to produce annualized risk—a dollar figure that enables direct comparison between different threats and informed decisions about security investments.
5 days ago · 12 min read


Control Strength (CS), Control Failure Rate, and Resistance Strength (RS) Rubric
Overview: These three variables represent the defender side of the FAIR model. Unlike TCap (which measures attacker capability from threat intelligence), CS and RS measure organizational defensive posture. Because threat intelligence does not contain information about the reader's specific control environment, this analysis uses fixed baseline values representing a "typical mid-maturity organization." Readers should adjust based on their actual control implementation. The Rela
6 days ago · 4 min read


Doc! Where've You Been?
Start Here... It's been a while since my last post. As I puzzled through the work, I realized I was missing a few pieces of my usual kit. One of them is a Threat Intelligence Platform (TIP). I did have an old Malware Information Sharing Platform (MISP) that I had maintained for several years. It contained everything from OSINT to CVEs to data breach information. I decided last year to decommission the server. What a colossal mistake. There were years of valuable information i
6 days ago · 8 min read


Probability of Action (PoA) Rubric
Overview: Probability of Action (PoA) measures the likelihood that a threat actor will act once contact with a target occurs. In FAIR methodology, PoA captures the threat actor's motivation and commitment to follow through on an attack opportunity. PoA is expressed as a decimal between 0.00 and 1.00 and is combined with Contact Frequency (CF) to calculate Threat Event Frequency (TEF): TEF = CF × PoA. PoA Estimation Context: Inferred vs. Observed Probability of Action. This rubric
6 days ago · 4 min read


Contact Frequency (CF) Rubric
Overview: Contact Frequency (CF) measures how often a threat actor comes into contact with organizations matching the target profile. In FAIR methodology, "contact" occurs when the threat reaches or touches the target—regardless of whether the attack succeeds. CF is expressed as an annual rate (events per year) and is combined with Probability of Action (PoA) to calculate Threat Event Frequency (TEF): TEF = CF × PoA. CF Estimation Context: Inferred vs. Observed Contact Frequency
6 days ago · 6 min read


Threat Capability (TCap) Rubric
Overview: Threat Capability (TCap) measures the ability of a threat actor to successfully execute an attack against an organization's assets. Per Open FAIR methodology, TCap is assessed across three factors: Resources (tool diversity, operational duration, exploit acquisition, and custom development capability); Skills/Expertise (technical knowledge, experience, and development capabilities); Access (ability to reach targets through vulnerabilities, tools, and positioning). Ea
6 days ago · 5 min read


The App Looked Legit. The Fraud Was Even Better.
Group-IB reports that a financially motivated actor it tracks as GoldFactory used smishing/vishing/phishing and government-service impersonation to push malicious APKs and trojan droppers that install modified banking apps across parts of APAC, enabling remote control, data theft, and fraud by bypassing app security controls.
Dec 16, 2025 · 17 min read


Your Dream Job, Sponsored by PureRAT
A malware campaign attributed to PureRAT targets job seekers via email lures using archived “HR documents” that drop a Foxit Reader–branded executable for DLL side-loading, then runs batch/Python staging (including base64-downloaded loader), sets persistence via an autorun registry entry, and steals browser data while communicating with attacker infrastructure.
Dec 16, 2025 · 15 min read


The Case of the Vanishing Attachment and the Stolen Login
In 2025, the Russia-nexus Calisto intrusion set used spearphishing, trusted-contact impersonation, and redirector-based credential harvesting (including AiTM-style tactics) to target NGOs and other entities linked to Ukraine support, including Reporters Without Borders.
Dec 15, 2025 · 13 min read


Nice Extension You’ve Got There… Shame If It Updated
A long-running malicious browser-extension ecosystem (“ShadyPanda”) that used trusted marketplace distribution and silent updates to enable large-scale surveillance (URLs, searches, clicks, fingerprints) and, in some cases, hourly remote code execution via downloaded JavaScript, affecting millions of Chrome and Edge users.
Dec 15, 2025 · 17 min read


FAIR INTEL Weekly RASE Report 12-15-2025
Resilience, Attack Surface, and Exposure (RASE)
Dec 15, 2025 · 14 min read


TL;DR — MITRE Top 25 CWE for 2025: It’s Not Zero-Days, It’s Your Auth, Inputs, and Uploads...Again
An examination of the MITRE Top 25 CWE for 2025.
Dec 12, 2025 · 27 min read


Identity Theft: The Casino Game Nobody Wanted to Play
Running Aces Casino, Hotel & Racetrack experienced a Qilin-attributed ransomware intrusion that compromised its network, enabling unauthorized access and exfiltration of sensitive customer PII (names, Social Security numbers, dates of birth, and driver’s license numbers), prompting regulatory notification and remediation actions.
Dec 10, 2025 · 17 min read


Small Town, Big Encryption: A Village Learns Why Offline Backups Matter
A ransomware attack fully encrypted the Village of Golf Manor’s computer network and all available backups, prompting the council to pass Resolution No. 2025-30 to hire third-party experts who may advise whether paying a ransom for a decryption key is in the village’s best interest, while officials state they are not currently inclined to pay.
Dec 10, 2025 · 17 min read


Repo Roulette: Spin the Wheel, Win a Credential
A security researcher used automated TruffleHog scans across all 5.6 million public GitLab Cloud repositories and found 17,430 live secrets tied to 2,804 domains—including cloud, database, messaging, and OpenAI keys—showing that many organizations still expose long-lived credentials in public code despite some revocations after notification.
Dec 10, 2025 · 14 min read


BRICKSTORM: Because Your Hypervisor Needed a Midlife Crisis
PRC state-sponsored cyber actors are deploying the BRICKSTORM backdoor to maintain long-term, stealthy access to VMware vSphere and related Windows infrastructure in government and IT organizations, enabling persistent control, lateral movement, and data exfiltration.
Dec 9, 2025 · 18 min read


When Your WhatsApp Group Chat Turns Into a Banking Trojan Support Group
The Water Saci campaign in Brazil uses layered, multi-format malware delivered via socially engineered WhatsApp messages, with AI-assisted scripting, to propagate a banking trojan that targets Brazilian banking and cryptocurrency users while evading traditional endpoint defenses.
Dec 9, 2025 · 18 min read


When Your Endpoint Says “New Remote Tool Installed” and You Didn’t Hire Anyone
Iran-aligned MuddyWater is running a focused cyberespionage campaign against Israeli and Egyptian organizations, deploying new custom tools such as the Fooder loader, MuddyViper backdoor, credential stealers, and reverse tunnels to improve stealth, persistence, and credential theft against government and critical infrastructure networks.
Dec 9, 2025 · 22 min read


When Your Phone Decides It Likes the Hacker More Than You
Albiriox is a newly emerged Android RAT sold as a malware-as-a-service that uses social-engineering droppers, accessibility-driven VNC remote control, and overlay attacks to enable Russian-speaking threat actors to perform on-device banking and crypto fraud against users of hundreds of financial apps worldwide.
Dec 9, 2025 · 17 min read


Droids Gone Wild: Privilege Escalation Edition
CISA reports that two Android Framework vulnerabilities, CVE-2025-48572 and CVE-2025-48633, are being actively exploited in the wild, enabling local privilege escalation without user interaction on Android 13–16 devices and therefore require prioritized remediation as part of vulnerability management programs.
Dec 8, 2025 · 14 min read


When Your PLC Becomes Everyone’s PLC: ScadaBR’s Unwanted Guest Login
CISA reports that two long-known OpenPLC ScadaBR web vulnerabilities (stored XSS and authenticated arbitrary file upload) are now being actively exploited and must be urgently remediated by federal and other organizations using the software.
Dec 8, 2025 · 16 min read


Red Card for Cybersecurity: Attackers Score an Easy Goal on FFF
Attackers used a compromised account to access the French Football Federation’s club administration software and stole members’ personal and contact information (names, demographics, and contact details) before the account was disabled and passwords reset.
Dec 8, 2025 · 15 min read


Attackers Love Analytics Too—Just Not the Way You’d Hope
A smishing-enabled cyberattack against analytics provider Mixpanel led to unauthorized access and export of limited analytics datasets, including OpenAI platform user profiles and device/usage details, but not ChatGPT content or credentials, creating downstream phishing and social-engineering risk for affected customers while prompting OpenAI to sever Mixpanel integrations and Mixpanel to execute a full incident-response and hardening program.
Dec 8, 2025 · 16 min read


Weekly RASE Report
Resilience, Attack Surface, and Exposure (RASE)
Dec 8, 2025 · 5 min read