The attack, from the inside
Most threat intelligence tells you that an IP address is malicious. Some tell you who's behind it. Almost none show you what happens after the connection is made.
State of the Attack shows you what the attacker actually did once they got in. Step by step. The payload they dropped. The commands they ran. The infrastructure they built. The mistakes they made.
Every analysis on this site starts with what we observed. A connection at 03:14 UTC. A credential spray against an Exchange server. A payload that phones home to a C2 server in a country that shouldn't be talking to your network. We walk through the full kill chain, from initial access to objective, with the actual artifacts.
This is not a news site. We don't aggregate vendor blogs or rehash advisories. Every piece is built from first-party observations. When we publish, it's because we watched the attack happen.
Who this is for
The security practitioner who needs to know what the attack looks like from the inside. The detection engineer writing signatures. The incident responder trying to figure out if they've seen this before. The CISO who wants to show the board what "the threat" actually looks like when it lands on the network.
What to do with it
Read the kill chain. Check your environment for the indicators. Share the detection guidance with your SOC. If you see something we captured, you have a head start.
One intelligence shop. Three perspectives.
State of the Threat identifies the risk. State of the Attack shows the mechanism. State of the Defense shows why defenses fail.
Same intelligence pipeline. Same source list. Same author. The threat brief tells your board what's coming. The attack analysis shows your SOC what it looks like. The defense case study shows your team why the controls that should have been there weren't.