
Detection & threat hunting

Detection engineering, threat hunting, and the SIEM and endpoint signals that catch attacks the network can't see.

Security news

Millions of hacked TV boxes now rent attackers a trusted home IP. Your blocklist can't see it.

Researchers linked the Popa botnet of 2 million hacked TV boxes to a residential proxy service. Here is why IP reputation no longer stops account takeovers.

Security news

Prinz Eugen ransomware hits your newest files first and never leaves a note

Prinz Eugen ransomware encrypts your most recently changed files first and drops no ransom note, defeating canary traps and note-based SOC alerts. What to do.

Security news

Your AI agent trusts your own computer. One web page turns that into a takeover.

Microsoft's AutoJack shows how one web page an AI browsing agent visits can run code on the host. The bug is a near miss. The architecture lesson is not.

Security news

EDR evasion is now a shipped product. Your agent's silence is the only alarm left.

The Gentlemen ransomware gang ships a standardized EDR killer to affiliates using BYOVD. Here is why driver-name hunting fails and what to detect instead.

Security news

DragonForce hides its C2 inside Microsoft Teams relays. Your network sensors see a clean call.

DragonForce's Backdoor.Turn routes C2 through Microsoft Teams TURN relays, so network sensors see only Microsoft. Here is where the detectable seam actually

Security news

Your Splunk box runs a database sidecar you never configured. Attackers use it for root.

CVE-2026-20253 is an unauthenticated RCE in Splunk Enterprise 10.x via a bundled PostgreSQL sidecar. On CISA KEV, exploited now. Patch to 10.0.7 or 10.2.4.

Security news

ClickFix is now shared attack infrastructure, and the lure is the wrong thing to detect

Three unrelated crews adopted ClickFix delivery in a single quarter. The lure keeps changing; the execution chain does not. Here is where to detect it.

Security news

FortiBleed isn't a Fortinet bug. It's every password you never rotated.

FortiBleed exposed working VPN logins for tens of thousands of Fortinet firewalls. There is no CVE to patch; the fix is rotating credentials and enforcing MFA.

Security news

A Linux backdoor moved into the Windows kernel, and the detection window closes at driver load

SprySOCKS, a China-nexus Linux backdoor, now ships a Windows kernel-driver variant that hides itself from the host. Here is where defenders can still catch it.

Security news

Awesome Motive's WordPress CDN backdoor only fired for logged-in admins. Your scanner missed it.

OptinMonster, TrustPulse and PushEngage served a backdoor that ran only for logged-in WordPress admins, evading visitor scanners. How to scope and hunt it.

Thought leadership

Why we built Suriq on Wazuh instead of writing our own detection engine

Suriq runs on Wazuh because a detection engine is a decade of decoders, CVE feeds, and agents you should never rebuild. Here is the reasoning behind the bet.
