Adaptive Threat Detection

Intelligence from the frontline,
not from a feed.

DEFION is the source, not the relay. Our intelligence is rooted in our own SOC telemetry, hundreds of DFIR cases and 40+ specialised threat sources.

No generic bulletin lists. Instead: context for your sector, actionable IoCs for your SOC and strategic briefings for the boardroom.

Threat coverage by the numbers

  • 40+ threat sources: internal and external, monitored 24/7
  • 30+ ransomware groups: actively tracked, including TTPs
  • 34 publications: own research and analyses
  • 24/7 intelligence coverage: no blind spots, no gaps
Monitor coverage

What we monitor for you

You don't have the capacity to follow every threat source yourself. We do it for you and deliver only what is relevant to your environment and sector.

CVEs and vulnerabilities

You know which new CVEs are actively being exploited and whether your software or hardware is vulnerable. Not every CVE is critical; we filter on exploitability in the wild.

Ransomware groups

You have insight into the 30+ active ransomware groups we track: TTPs, victim profiles, ransom strategy and infrastructure. Know whether your sector is in the crosshairs.

APT actors

You know which state-sponsored actors are active in the Netherlands, Belgium and Spain. From NOBELIUM to APT28: we track campaigns and map them to MITRE ATT&CK techniques.

OT and ICS threats

Your OT environment is not blind. We monitor threats specific to industrial protocols and ICS/SCADA environments, including new malware that disrupts production processes.

Dark web and data leaks

You know when your organisation name, credentials or internal data appears on dark web forums. We actively monitor initial access brokers and data leak platforms.

Sector intelligence

You receive intelligence filtered for your sector: financials, government, healthcare, industry or technology. Generic feeds deliver noise; sector-specific context delivers action.

Current

Recent intelligence

Week 15, 2026: three active threats we are currently monitoring and for which we have published detection rules and IoCs.

CVE | CRITICAL | May 20, 2026

CVE-2026-42945: NGINX 18-year-old heap buffer overflow actively exploited in the wild, public PoC available, RCE possible

CVE-2026-42945 is an 18-year-old heap buffer overflow in the NGINX ngx_http_rewrite_module affecting versions 0.6.27 through 1.30.0. An unauthenticated attacker can crash worker processes or achieve Remote Code Execution via crafted HTTP requests when ASLR is disabled. A public proof-of-concept is available on GitHub and NGINX has confirmed active exploitation in the wild. NCSC-NL issued advisory NCSC-2026-0164. NGINX is deployed by millions of organizations worldwide including a significant share of EU critical infrastructure, reverse proxies, and API gateways. Simultaneously, Cisco Catalyst SD-WAN (CVE-2026-20182, CVSS 10.0, authentication bypass) is under limited targeted exploitation with NCSC-NL warning of an imminent mass scan surge. Action: upgrade NGINX immediately to version 1.31.0 or 1.30.1, verify ASLR is enabled on all Linux servers, and emergency-patch Cisco SD-WAN controllers before the scan surge arrives.
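The two host-side checks the advisory asks for (is the installed NGINX inside the affected range, and is ASLR on) can be scripted. The following is an added example, not DEFION's own tooling; it assumes nginx is on PATH and reports its version on `nginx -v` in the form `nginx version: nginx/1.26.3`, and that ASLR state is read from `/proc/sys/kernel/randomize_va_space`. The affected range and fixed versions are the ones stated above.

```python
"""Host check for the NGINX advisory above (added example).

Assumptions, not taken from the advisory: `nginx -v` prints
"nginx version: nginx/X.Y.Z" (to stderr), and ASLR state lives in
/proc/sys/kernel/randomize_va_space (0 = off, 1 = partial, 2 = full).
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the advisory: 0.6.27 through 1.30.0 inclusive.
AFFECTED_MIN: Version = (0, 6, 27)
AFFECTED_MAX: Version = (1, 30, 0)
# Upgrade targets named in the advisory.
FIXED_VERSIONS = ("1.31.0", "1.30.1")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `nginx -v` output or a bare 'X.Y.Z' string."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text) or re.fullmatch(
        r"(\d+)\.(\d+)\.(\d+)", text.strip()
    )
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range; tuple comparison is lexicographic."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def installed_nginx_version() -> Optional[Version]:
    """Ask the local nginx binary for its version; None if nginx is absent."""
    try:
        out = subprocess.run(["nginx", "-v"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_version(out.stderr + out.stdout)


def aslr_level(path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[int]:
    """Read the kernel ASLR setting; None if unreadable (non-Linux or no permission)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def aslr_enabled(level: Optional[int]) -> bool:
    """Only full randomisation (2) counts as enabled for this check."""
    return level == 2


def assess(version: Optional[Version], level: Optional[int]) -> dict:
    """Combine both checks into one finding record a SOC could ingest."""
    ver_str = ".".join(map(str, version)) if version else None
    return {
        "nginx_version": ver_str,
        "nginx_affected": is_affected(ver_str) if ver_str else None,
        "aslr_level": level,
        "aslr_enabled": aslr_enabled(level),
        "recommended_versions": FIXED_VERSIONS,
    }


if __name__ == "__main__":
    print(assess(installed_nginx_version(), aslr_level()))
```

Run it on each Linux reverse proxy or API gateway; a record with `nginx_affected: True` and `aslr_enabled: False` is the combination the advisory describes as exploitable for code execution, and `nginx_affected: True` alone still means worker crashes.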

Tags: CVE, NGINX, RCE, NCSC, Active Exploitation, Cisco, SD-WAN

Supply Chain | CRITICAL | May 20, 2026

TeamPCP/UNC6780 Mini Shai-Hulud: coordinated supply chain attack injects malicious code into 84 npm and PyPI artifacts via GitHub Actions

On May 11, 2026, threat actor TeamPCP (tracked as UNC6780) executed a coordinated supply chain attack dubbed Mini Shai-Hulud. Using a combination of GitHub Actions Pwn Request vulnerabilities, build cache poisoning, and OIDC token theft, the group compromised 84 artifacts across 42 packages in the npm and PyPI ecosystems. Affected packages include TanStack (widely used in JavaScript/React applications), UiPath automation tooling, Mistral AI SDK components, OpenSearch, and Guardrails AI. Any organization using affected package versions in CI/CD pipelines may have executed malicious code with build-level access. This represents the highest-leverage attack vector of 2026: a single GitHub Actions compromise reached 42 packages simultaneously. MITRE techniques: T1195.001, T1553, T1078.004. Action: audit all CI/CD pipelines for affected package versions, review GitHub Actions permissions, rotate OIDC tokens, and run a software supply chain audit.
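The "Pwn Request" weakness named above is a workflow configuration pattern: a job triggered by `pull_request_target` runs with the base repository's secrets and token, so if it also checks out the untrusted pull-request head, the PR author's code runs with that access. Reviewing GitHub Actions for this pattern is part of the audit the item asks for. The scanner below is an added example, not DEFION's tooling and not the actor's technique; the two workflow files are constructed for it, and the scan is deliberately text-based so it needs no YAML library (it assumes conventionally formatted single-document workflow files).

```python
"""Flag the pull_request_target + PR-head checkout pattern in GitHub Actions workflows.

Added example with constructed sample workflows. Text-based on purpose:
no YAML dependency, at the cost of only handling conventional layouts.
"""
import re
from typing import List

# `pull_request_target` as a block-style trigger key or list item.
PR_TARGET_BLOCK = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$", re.M)
# `on: [push, pull_request_target]` flow style.
PR_TARGET_FLOW = re.compile(r"^on:\s*\[.*\bpull_request_target\b.*\]", re.M)
# Expressions that resolve to the untrusted PR head.
PR_HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(?:ref|sha)|github\.head_ref"
)


def uses_pull_request_target(workflow_text: str) -> bool:
    """True if the workflow can be triggered by pull_request_target."""
    return bool(PR_TARGET_BLOCK.search(workflow_text) or PR_TARGET_FLOW.search(workflow_text))


def find_pwn_request(workflow_text: str) -> List[str]:
    """Return one finding per checkout step that pulls the PR head under pull_request_target."""
    if not uses_pull_request_target(workflow_text):
        return []
    findings = []
    # Split the file at step boundaries ("- uses:" / "- name:"); each chunk is one step
    # plus whatever follows it up to the next such boundary.
    for block in re.split(r"^\s*-\s*(?=uses:|name:)", workflow_text, flags=re.M):
        if "actions/checkout" in block and PR_HEAD_REF.search(block):
            first_line = block.strip().splitlines()[0]
            findings.append(f"pull_request_target job checks out PR head: {first_line}")
    return findings


# Constructed sample: the risky shape.
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: plain pull_request trigger, base checkout; no finding expected.
SAFE_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, find_pwn_request(wf) or "no findings")
```

Point `find_pwn_request` at every file under `.github/workflows/` in the repositories your pipelines build from. A hit is not automatically a compromise, but it is the shape of workflow the item describes as the entry point, and the remediation is the same either way: trigger on `pull_request` for untrusted code, or keep `pull_request_target` jobs from checking out or executing anything from the PR head.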

Tags: Supply Chain, TeamPCP, npm, PyPI, GitHub Actions, DevOps, OIDC

Ransomware | HIGH | May 20, 2026

The Gentlemen RaaS: 320+ victims in 50+ countries, 315 percent growth, energy and government focus, internal breach on May 11

The Gentlemen is an emerging ransomware-as-a-service group that first appeared in mid-2025 and has grown at an extraordinary rate of over 315 percent year-on-year. The group has claimed more than 320 victims across 50+ countries and 20+ industries, with a primary focus on energy infrastructure, government entities, healthcare organizations, and NAS/Exchange/backup systems. The group uses SystemBC proxy C2 infrastructure with over 1,570 confirmed victims on a single observed C2 server (Check Point). Tactics include systematic backup and NAS destruction before encryption (T1490), data-centric extortion, and X/Twitter pressure campaigns against victims. The Gentlemen suffered an internal data breach on May 11, 2026, which may temporarily disrupt operations but could also accelerate attacks as operators seek leverage. Previously confirmed Dutch victims include Amstel Securities. Action: deploy The Gentlemen detection signatures, verify backup isolation and immutability, and monitor NAS access patterns for anomalous enumeration.

Tags: Ransomware, The Gentlemen, RaaS, Energy, Government, Healthcare, Netherlands

Knowledge production

Research and reports

DEFION publishes on two levels. Technical depth for security teams. Strategic context for management.

Technical

  • In-depth CVE analyses and exploitability scores
  • Malware reversals and behavioural analyses
  • KQL detection rules for Microsoft Sentinel
  • Pwn2Own and conference technical write-ups
  • MITRE ATT&CK mapping per campaign
Go to Research Labs ›

Strategic

  • Monthly threat reports for the CISO
  • Sector analyses per industry and region
  • MITRE ATT&CK heatmaps at organisational level
  • Client briefings on active campaigns
  • Quarterly Threat Landscape report NL/EU
Go to Research Labs ›
Audiences

Who is this relevant for?

Threat Intelligence is not just for SOC analysts. Every security role benefits from the right information at the right time.

CISO

  • Monthly threat briefing for the boardroom
  • Risk assessment per sector and regulation
  • Evidence base for security investments

SOC Analyst

  • IoC feeds ready for use in your SIEM
  • KQL detection rules per campaign
  • Technical depth per threat and TTP

IT Director

  • Visibility into vulnerabilities in your environment
  • Patch prioritisation based on exploitability
  • Overview of active threats in your sector

Incident Responder

  • Context-rich IoCs and YARA rules
  • TTP mapping for attribution and containment
  • Rapid sector briefings on active campaigns
Product offering

Intelligence products

From freely accessible publications to client-specific threat analyses. Choose the level that suits your organisation.

For everyone

Freely accessible

  • Blog: technical analyses and threat reports
  • Quarterly Threat Landscape report NL/EU
  • CVE updates and patch advisories
  • Research Labs publications
Go to Research Labs ›
Most chosen
Included with MDR

MDR clients

  • Weekly tailored threat briefings
  • IoC feeds directly in your SIEM or EDR
  • KQL detection rules per campaign
  • Direct notification on critical threats
  • MITRE ATT&CK heatmap per quarter
More about MDR ›
Request required

Custom

  • Client-specific threat analysis
  • Sector briefing for your industry
  • Dark web scan for organisation name and credentials
  • Imminent Threat Exposure assessment
Get in touch ›
Frequently asked questions

FAQ Threat Intelligence

What is Threat Intelligence and why do I need it?

Threat Intelligence is the systematic collection, analysis and contextualisation of information about threats relevant to your organisation. Without TI you react to incidents after they have already happened. With TI you know which attackers are active in your sector, which vulnerabilities are being exploited and how you can prepare. DEFION translates raw threat data into concrete action points for your security team.

What is the difference between strategic and operational threat intelligence?

Strategic TI is for the CISO and the board: trend analyses, sector reports and the threat landscape at management level. Operational TI is for the SOC and security team: IoC feeds, KQL detection rules, YARA signatures and technical analyses of specific malware or campaigns. DEFION delivers both layers, tailored to the recipient.

How does DEFION Threat Intelligence differ from a commercial feed?

Commercial feeds aggregate public sources and add little context. DEFION combines 40+ internal and external sources with its own SOC telemetry, DFIR case data and sector-specific analysis. Our analysts add context to every alert: what this means for your sector, which actions are required and which detection rules apply.

How quickly do you publish when an active campaign or zero-day emerges?

For a critical zero-day or active campaign we typically publish an initial analysis within 24 to 48 hours. MDR clients receive a direct notification with IoCs and detection rules. For complex incidents such as supply-chain attacks, a more in-depth briefing follows within 72 hours. We prioritise speed without sacrificing accuracy.

Can I subscribe to Threat Intelligence without MDR?

Yes. Our free publications are available to everyone via our blog and quarterly report. For organisations that want deeper intelligence without a full MDR subscription we offer custom options: client-specific threat analyses, sector briefings and IoC feeds on request. Contact us for the possibilities.

Request a threat analysis

Want to know which threats are active in your sector and whether your environment is vulnerable? Our analysts produce a targeted analysis based on your profile.

No obligations. First analysis free of charge for qualified organisations.