
Research Highlights
Where experiments become engineering patterns.

Research at Wolfe Defense Labs is aimed at one thing: turning emerging attacker tradecraft, cloud realities, and defensive gaps into patterns we can deploy in real environments. This page surfaces a subset of that work—enough to show how we think, test, and refine.

  • Offensive & defensive experiments
  • Cloud, identity & SaaS focused
  • Directly feeds client work

Highlights below represent ongoing lines of research—not static whitepapers that age out in a year.

Current themes

What we’re actively exploring right now

These research lanes show up in our client work, our internal detection engineering, and the tools we maintain. They evolve as the ecosystem does.

Cloud / SaaS

Living off the Cloud

Modern persistence and command-and-control rarely look like classic malware anymore. We study how attackers live inside SaaS and identity:

  • Abuse of OAuth apps, tokens, and delegated scopes
  • M365 & Google Workspace persistence patterns
  • Using benign automation (Flows, Apps Script, etc.) as infrastructure
Identity

Abusing misaligned identity design

Identity is the new perimeter, but it’s also the new lateral movement layer. We focus on:

  • Privilege escalation via Entra ID roles & app registrations
  • Attack paths through legacy auth and mis-scoped Conditional Access
  • Identity-first threat modeling for small and mid-sized environments
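One of the mis-scoped Conditional Access patterns named above, checked in code. This is an added example, not Wolfe Defense Labs' tooling: the policy objects are constructed in the shape of Microsoft Graph conditionalAccessPolicy resources, and the policy names and excluded groups are assumptions. It reports, per policy, every reason the policy does not close legacy authentication tenant-wide, and shows the weak policies beside a corrected one.

```python
"""Find the gap that lets legacy authentication through: no enabled
Conditional Access policy blocks it for all users, all apps, no exclusions.

Added example, not the lab's code. Policies are constructed to follow the
Microsoft Graph conditionalAccessPolicy shape; names and groups are assumed.
"""

# Graph's clientAppTypes values that cover legacy protocols (IMAP/POP/SMTP
# AUTH, older Office clients, ActiveSync).
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def legacy_auth_findings(policy):
    """Return the reasons this policy falls short of a tenant-wide legacy-auth
    block; an empty list means it closes the gap on its own."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"not enforced (state={policy.get('state')})")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        reasons.append("does not target all users")
    excluded = [k for k in ("excludeUsers", "excludeGroups", "excludeRoles") if users.get(k)]
    if excluded:
        # Exclusions are an attack path: the excluded identity keeps legacy auth.
        reasons.append("has exclusions: " + ", ".join(excluded))
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        reasons.append("does not target all apps")
    missing = LEGACY_CLIENT_TYPES - set(cond.get("clientAppTypes", []))
    if missing:
        reasons.append("legacy client types not covered: " + ", ".join(sorted(missing)))
    if "block" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        reasons.append("grant control is not 'block'")
    return reasons


def legacy_auth_gap(policies):
    """None when at least one policy closes legacy auth outright; otherwise a
    map of policy name -> review items, so the reviewer sees what to fix."""
    report = {p["displayName"]: legacy_auth_findings(p) for p in policies}
    if any(not reasons for reasons in report.values()):
        return None
    return report


def _policy(name, state, client_types, controls, exclude_groups=None):
    # Helper to build constructed policies in the Graph shape (assumption).
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": exclude_groups or []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": client_types,
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


# Constructed tenant: three policies that each look like a legacy-auth block
# but leave the door open, typical of a tenant that "already blocks legacy auth".
WEAK_POLICIES = [
    _policy("Block legacy auth (report-only)", "enabledForReportingButNotEnforced",
            ["exchangeActiveSync", "other"], ["block"]),
    _policy("Block legacy auth - pilot", "enabled",
            ["exchangeActiveSync", "other"], ["block"], exclude_groups=["Service Accounts"]),
    _policy("Require MFA for all users", "enabled",
            ["browser", "mobileAppsAndDesktopClients"], ["mfa"]),
]

# The corrected policy: enabled, everyone, every app, both legacy client
# types, hard block, no exclusions.
FIXED_POLICY = _policy("Block legacy auth", "enabled",
                       ["exchangeActiveSync", "other"], ["block"])


if __name__ == "__main__":
    for name, reasons in (legacy_auth_gap(WEAK_POLICIES) or {}).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("after fix:", legacy_auth_gap(WEAK_POLICIES + [FIXED_POLICY]))
```

Two caveats for real use: pull the policies from the Graph conditionalAccess/policies endpoint with a read-only identity, and treat an exclusion as a finding to confirm rather than an error to delete outright, since emergency-access accounts are often excluded on purpose; the check exists so that every exclusion is a known, reviewed decision.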
Detection

Signals that survive attacker adaptation

Instead of chasing every new technique, we look for durable detection opportunities:

  • High-quality anomalies in cloud & identity logs
  • Detection engineering patterns that scale down to lean teams
  • Balancing noise vs. missed detections for hybrid environments
Selected highlights

Examples of research in practice

A non-exhaustive sampling of work that’s influenced how we build solutions, services, and guidance for clients. Some appear as public talks or posts; many stay private and flow directly into engineering and advisory.

Case study

From shared inbox to full tenant exposure

Real-world analysis of how an attacker can pivot from a single compromised shared mailbox into broader M365 and data access with minimal tooling.

  • Abuse of forwarding rules and OAuth consent
  • Detection opportunities in Entra & mailbox logs
  • Containment patterns we now bake into IR playbooks
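The detection side of this case study and of the "Living off the Cloud" theme above, as an added example that is not the lab's own tooling. It runs two detectors over constructed audit records (the records only approximate the Microsoft 365 Unified Audit Log shape: Operation, UserId, Parameters as Name/Value pairs for Exchange cmdlets, ModifiedProperties for Entra consent events; the field names, scope list and tenant domain are assumptions) and then correlates them per identity, because a forwarding rule plus a freshly consented mail-reading app on the same mailbox is the pivot the case study describes.

```python
"""Detect the shared-mailbox pivot: forwarding/redirect rules and risky OAuth
consent, correlated per identity.

Added example, not Wolfe Defense Labs' code. Records are constructed and
only approximate the Unified Audit Log shape; names and domains are assumed.
"""
import re

INTERNAL_DOMAINS = {"contoso.example"}            # assumption: the tenant's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
STEALTH_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}  # hide the rule from the owner
CONSENT_OPS = {"Consent to application."}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All", "Directory.Read.All"}
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")     # assumed layout of ConsentAction.Permissions


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the recipient domain is outside INTERNAL_DOMAINS.
    Accepts 'smtp:user@domain' and plain 'user@domain' forms."""
    addr = address.strip().lower().split(":")[-1]
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def analyze_rule_event(record):
    """Flag rule changes that forward or redirect mail. Severity: low for an
    internal target, high for external, critical when the rule also covers
    its tracks (deletes or hides the forwarded copy)."""
    if record.get("Operation") not in RULE_OPS:
        return None
    params = _params(record)
    targets = [t.strip() for name in FORWARD_PARAMS & params.keys()
               for t in str(params[name]).split(";") if t.strip()]
    if not targets:
        return None
    external = [t for t in targets if is_external(t)]
    stealth = sorted(STEALTH_PARAMS & params.keys())
    severity = "low"
    if external:
        severity = "critical" if stealth else "high"
    return {"kind": "forwarding_rule", "user": record["UserId"], "severity": severity,
            "targets": targets, "external": external, "stealth": stealth}


def analyze_consent_event(record):
    """Flag consent that hands an app mailbox- or directory-wide scopes;
    offline_access means a refresh token, i.e. persistence past the session."""
    if record.get("Operation") not in CONSENT_OPS:
        return None
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            for m in SCOPE_RE.finditer(prop.get("NewValue", "")):
                scopes.update(m.group(1).split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if not risky:
        return None
    persistent = "offline_access" in scopes
    return {"kind": "oauth_consent", "user": record["UserId"],
            "severity": "high" if persistent else "medium",
            "scopes": risky, "persistent": persistent}


def analyze(records):
    """Run both detectors, then escalate any identity seen in both: rule plus
    consent on one mailbox is the pivot, not two unrelated hygiene issues."""
    findings = [f for r in records
                for f in (analyze_rule_event(r), analyze_consent_event(r)) if f]
    kinds_by_user = {}
    for f in findings:
        kinds_by_user.setdefault(f["user"], set()).add(f["kind"])
    for f in findings:
        if len(kinds_by_user[f["user"]]) > 1:
            f["severity"] = "critical"
            f["correlated"] = True
    return findings


SAMPLE_RECORDS = [  # constructed, not captured data
    {"Operation": "Consent to application.", "UserId": "support@contoso.example",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[[ClientId: app-1, ConsentType: Principal, "
                                         "Scope: Mail.Read offline_access]]"}]},
    {"Operation": "New-InboxRule", "UserId": "support@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:archive@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Cover"},
                    {"Name": "RedirectTo", "Value": "smtp:alice@contoso.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "bob@contoso.example", "Parameters": []},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

The rule named "." with DeleteMessage set is the shape that shows up repeatedly in mailbox compromises: a one-character name to stay out of sight in the rules list, and deletion so the owner never sees the forwarded copy. Bob's internal redirect stays low so the rule does not drown in normal delegation; the point of the correlation step is that neither finding alone is decisive, while both on one mailbox within a short window deserve an immediate containment step (revoke the app's grant, remove the rule, reset credentials and sessions).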
Technique

Quiet lateral movement in hybrid environments

Testing and refining paths that avoid “obvious” signatures, including:

  • Token theft and reuse across on-prem and cloud
  • Pivoting via management tools and remote access software
  • Endpoint hardening patterns derived from repeated tests
Pattern

Security controls that scale for small teams

Not every environment gets a 24/7 SOC. We study which controls provide outsized value for lean security teams:

  • Minimal viable logging and retention: where it really matters
  • Opinionated M365 / Workspace & endpoint baselines
  • IR workflows that don’t assume a large cast of responders
Applied research

How lab work shows up in your environment

Research is only valuable if it changes how we design, defend, or respond. We deliberately wire lab findings back into our solutions and services.

Solution design

We use research outcomes to shape what our solutions actually include—whether that’s which attack paths we test, which controls we recommend, or how we structure IR playbooks.

Service methodology

Engagements like Attack Surface Assessment, Adversarial Testing, and M365 Hardening use lab-derived checklists, test cases, and abuse paths.

Playbooks & templates

Research-driven patterns feed directly into guides, checklists, and playbooks available in the Resources section for clients and partners.

Training & briefings

We turn complex research topics into briefings that leadership, security teams, and engineers can act on without needing to become specialists themselves.

Want research that lands as real defenses?

We use these research lanes to design solutions, not just slides. If you want your security program informed by current tradecraft, we should talk.

Discuss a research-informed engagement
Explore related research notes