
Identity, browsers, and node.js: Everything you missed in the Threat Detection Report miniseries

Get cliff notes from our three-part deep dive into the 2026 Threat Detection Report and watch every episode, on demand now

Chris Brook

We celebrated this year’s Threat Detection Report—our annual analysis of the most prevalent threats and techniques we saw over the last year—not just by doubling down but tripling down. Red Canary experts recently came together for a three-part SecOps Weekly miniseries to break down the report from all angles, discussing the attack vectors that adversaries have favored over the last year, the latest malware trends, and how security teams can leverage the report.

Didn’t get a chance to make the live sessions? We’ll recap each episode and highlight some of the key takeaways from each below:

Part 1: Inside the Threat Detection Report

Keith McCammon, VP of Infosec at Zscaler, was joined by Red Canary’s Katie Nickels, Senior Director of Intelligence Operations, and Brian Donohue, Principal Security Researcher, to preview the report’s findings, including how the past year has seen a massive surge in identity threats, why browsers are more important than ever, and the evolving role of social engineering in threats.

Key takeaways

  • Identity is the gateway: Adversaries are heavily targeting credentials and tokens through methods like consent phishing (OAuth abuse) and infostealers because identity is the most direct path to an organization’s data.
  • Browsers are the new endpoint: Almost all work these days occurs within the browser, making it a primary target for malware and session-token theft. Organizations should focus on “version pinning” for browser extensions and ad blockers to reduce attack surface.
  • Social engineering can bypass many technical controls: As technical defenses improve, adversaries continue to lean on exploiting human vulnerabilities. MFA bombing (fatiguing a user into approving a login) and vishing (voice phishing/help desk impersonation) remain successful ways to circumvent strong security measures.

Part 2: How the report is used in the wild

The report has always been a playbook for frontline defenders, but how can security teams incorporate its findings into their planning? Keith McCammon was joined by Jorge Orchilles, Senior Director, Readiness and Proactive Security, Verizon, to talk about operationalizing the Threat Detection Report. They discussed the role of purple teaming and how to use tools like Atomic Red Team and VECTR to put the report’s findings into action.

Key takeaways

  • Prioritize procedure-level intelligence: Move beyond high-level techniques to specific procedures. As one technique can have hundreds of different implementations, defenders should use threat reports to identify and test the exact steps that adversaries are following.
  • Optimize testing with tracking tools: Use a centralized system (like the open source tool VECTR or even a detailed spreadsheet) to document whether a test was blocked, logged, or alerted. This allows teams to triage new threat reports by comparing them against their existing database of known defensive gaps.
  • Be a good boxing partner: Security testing should be collaborative, not a “gotcha” blame game. Like a boxing partner, the goal of purple and red teaming is for internal teams to challenge each other in training so they’re unified and prepared for the real fight: adversaries.

Part 3: Defenders on Defenders

In what’s become a Threat Detection Report tradition (see here and here), Senior Intelligence Analyst Stef Rand and Senior Malware Analyst Tony Lambert reviewed how threat actors have adapted their tactics over the last year. The two discussed how adversaries have increasingly leveraged Node.js in threats like JustAskJacky and Tampered Chef, existing system tools (LOLBins and LOLBAS), and DLL sideloading, to evade detection. They provided practical defense strategies and real-world examples to help organizations counter these timeless threat techniques.

Key takeaways

  • The rise of Node.js as a stealthy scripting alternative: Adversaries are adopting Node.js and other non-native scripting languages (Python and Deno) because they offer a wide variety of execution patterns that can “muddy the waters” for defenders. Unlike native Windows tools like PowerShell, which many organizations have robust visibility and control over, Node.js apps can be compiled into executables or run as individual scripts, making it difficult to distinguish malicious activity from legitimate development work within an organization.
  • DLL sideloading and LOLBins exploit trust: Adversaries continue to favor evergreen techniques like DLL sideloading and living-off-the-land binaries (LOLBins). By sneaking code into the execution chain of a trusted, signed application or using built-in Windows tools (like Finger.exe and forfiles), adversaries can bypass controls that verify only the initial process name, in turn allowing them to operate under the guise of legitimate system activity.
  • Proactive defense requires quick wins and deep baselining: Complex controls like application allowlisting can be effective but labor-intensive. Focus on quick wins, like changing the default file handlers for script files to open in Notepad rather than executing, and on baselining, so you can better spot legitimate Windows processes executing from unusual file paths or user folders.
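A small baselining check of the kind the analysts describe, as an added example that is not code from the post or from Red Canary: it flags baselined binaries (node.exe, python.exe, svchost.exe) running outside their expected install folders, and Node.js or Python launches whose script sits in a user-writable folder. The expected paths and the sample events are constructed assumptions for the example, not real telemetry.

```python
import fnmatch
import ntpath

# Expected install locations for a few scripting hosts and core Windows binaries.
# These are assumptions for the example; build the real baseline from your own inventory.
EXPECTED_DIRS = {
    "node.exe": [r"C:\Program Files\nodejs"],
    "python.exe": [r"C:\Program Files\Python*"],
    "svchost.exe": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
}
SCRIPT_HOSTS = {"node.exe", "python.exe"}
# Folders a standard user can write to (the "unusual file path or user folder" case).
USER_WRITABLE = [r"C:\Users\*\AppData*", r"C:\Users\*\Downloads*",
                 r"C:\Users\Public*", r"C:\Windows\Temp*", r"C:\ProgramData*"]

def _matches(path, patterns):
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)

def classify(image_path):
    # Severity for a process image path, or None when it matches the baseline.
    name = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path)
    if name not in EXPECTED_DIRS or _matches(directory, EXPECTED_DIRS[name]):
        return None          # not a baselined name, or running from where we expect it
    if _matches(directory, USER_WRITABLE):
        return "high"        # baselined binary name launched from a user-writable folder
    return "medium"          # baselined binary name from an unexpected, non-user path

def script_from_user_path(cmdline):
    # True if any command-line token is a path under a user-writable folder.
    return any(":\\" in t and _matches(t, USER_WRITABLE)
               for t in (tok.strip('"') for tok in cmdline.split()))

def triage(events):
    # Return (severity, image, cmdline) for each event that deviates from the baseline.
    findings = []
    for ev in events:
        sev = classify(ev["image"])
        name = ntpath.basename(ev["image"]).lower()
        if sev is None and name in SCRIPT_HOSTS and script_from_user_path(ev["cmdline"]):
            sev = "review"   # trusted interpreter, but the script it runs lives in a user folder
        if sev:
            findings.append((sev, ev["image"], ev["cmdline"]))
    return findings

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node build.js"},
    {"image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node C:\Users\alice\AppData\Local\Temp\update.js"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\node.exe", "cmdline": "node -e 1"},
    {"image": r"C:\Users\bob\Downloads\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"D:\Tools\node.exe", "cmdline": "node server.js"},
]
```

Unlisted binaries return None here on purpose; the point is to compare names you have baselined against where they actually run, not to alert on every process in a user folder.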

Looking ahead

While our SecOps Weekly miniseries has come to a close, the Threat Detection Report is a resource designed for year-round utility. Think of the report not as a one-time read, but as a living playbook you can reference throughout the year to benchmark your strategy against the latest adversary tradecraft. Cross-reference the report with these videos so your security team can better leverage this year’s report.
