# Eight Vendor Blogs Pitched AI This Week. Here Is What They Buried.
Patrick Duggan
April 27, 2026 — DugganUSA
I ran a sweep of the major security vendor blogs tonight. Unit 42, Check Point, Microsoft, SentinelOne, Recorded Future, Talos, ESET, Mandiant. Eight vendors, the last seven days.
Every single one led with AI.
Unit 42 published Cracks in the Bedrock: Agent God Mode. Then Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox. Then Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System. Then Fracturing Software Security With Frontier AI Models. Then Frontier AI and the Future of Defense. Five posts. One vendor. One week. All AI.
Check Point ran AI Finds Every Gap: How Many Can Your Network Survive? and From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud and Experience AI-Powered Check Point Firewall at Google Cloud Next.
SentinelOne shipped Frontier AI Reinforces the Future of Modern Cyber Defense and Automation at Machine Speed: Rethinking Execution in Modern Cybersecurity.
Microsoft posted AI-powered defense for an AI-accelerated threat landscape and The agentic SOC: Rethinking SecOps for the next decade and Incident response for AI: Same fire, different fuel.
Recorded Future published From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 and AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? and Emerging Enterprise Security Risks of AI.
That is one week. The number of net-new file hashes, IPs, or C2 domains across all of those AI posts is zero.
This is not a complaint about vendor research. Unit 42's Bedrock work is real. The agentic-attack-on-cloud paper is real. The point is what gets buried under the AI deck. The threats actually shipping this week did not slow down to wait for the AI panel.
## What The AI Deck Buried
Unit 42 published When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks on April 22. AirSnitch is a class of attack against enterprise Wi-Fi where the access point's forwarding table can be poisoned through MAC spoofing, allowing GTK replay against connected clients. There are no file hashes. There are no C2 domains. The indicators are behavioral — unexpected MAC-to-port mapping changes, attacker devices presenting the gateway's MAC address, high volume of multicast frames carrying unicast payloads, off-cycle GTK renegotiation. Important paper. Buried under five AI posts on the same blog.
Unit 42 also published TGR-STA-1030: New Activity in Central and South America on April 24. The blog post is a teaser. The full incident response detail is not public. Active cluster, multiple countries, since February. Buried.
Unit 42 also published The npm Threat Landscape: Attack Surface and Mitigations on April 24. A walkthrough of every supply-chain compromise primitive that has worked in 2026. Critical reading for anyone running an npm pipeline. Buried under the AgentCore sandbox-escape posts that ship the same week.
Microsoft's April 16 deep dive on Sapphire Sleet's macOS intrusion path, from lure to compromise, extended the DPRK cluster's known toolkit onto macOS. We covered Sapphire Sleet ourselves earlier this month — they are the actor behind the Axios npm supply chain compromise. Microsoft's macOS extension is detection-grade research. Buried under The agentic SOC.
ESET shipped GopherWhisper, an Android malware family, and a new NGate variant trojanized as an NFC payment app. Mobile threat intelligence. Buried under whatever ESET will be saying about AI at RSAC.
I indexed AirSnitch and TGR-STA-1030 as tracking advisories tonight. When a customer queries our IOC index for either name, the result returns the behavioral signals plus a pointer to Unit 42's paper. That is two new documents. The actual indicator weight tonight came from a different cleanup.
## The Gentlemen Were Already Here
Check Point Research has been running point on a ransomware-as-a-service operation called The Gentlemen since the DFIR report dropped earlier this month. Climbing the leak-site charts fast. Go-based Windows binary, Linux and ESXi variants, embedded PsExec for lateral movement, Cobalt Strike for command and control, SystemBC for staging. Drops a wallpaper called gentlemen.bmp and a ransom note called README-GENTLEMEN.txt. Twenty-seven file hashes in the IOC table. Two C2 IPs. One YARA rule.
Check Point's blog post on April 20 was the marketing summary pointing back to that DFIR report. That is the post that hit my sweep tonight.
The DFIR's two C2 IPs were a Cobalt Strike beacon at 91.107.247.163 and a SystemBC proxy at 45.86.230.112. The hash list ran twenty-seven SHA-256s across Windows, Linux, embedded PsExec, and the wallpaper.
I followed the DFIR report when it first came out. The reverse DNS on 45.86.230.112 was kautzer.stieglers.net. That is not a default hostname. Someone configured that deliberately. stieglers.net was registered April 15 on Spaceship. The SPF record listed six IPs. Reverse DNS on every one of those six IPs returned a subdomain under stieglers.net — kautzer, zieme, auer, pacocha, emmerich, and the primary at 45.86.230.178. Three of those subdomain names mapped to plausible victims. Stiegler Shipping in Mobile, Alabama. AUER Packaging in Germany. The city of Emmerich am Rhein in North Rhine-Westphalia. A law firm called Hawley, Kaufman and Kautzer in Wisconsin. The operator chose victim-themed PTR records on the infrastructure they were standing up to attack those victims. Operational pride catches operators.
That investigation became the post titled How I Would Look for The Gentlemen, published April 21. The receipt is six previously-unpublished infrastructure IPs that the Check Point DFIR did not have. They have been in our STIX feed since April 21.
Tonight's sweep added one thing to the Gentlemen story that the prior ingest did not have. The prior IOCs were imported through the STIX feed pipeline with generic identifiers and without the actor name attached. Tonight's pull from the Check Point DFIR indexed every hash and IP under the malware family field set to The Gentlemen, the source field set to checkpoint-gentlemen-2026-04-20, the actor name searchable in plain English, and a structured tag set including ransomware, cobalt-strike, systembc, esxi, raas, and psexec. Thirty net documents that promote the existing data from anonymous indicators to attributed receipts. A customer searching the feed for The Gentlemen now gets results that say so.
## What Else Got Fixed Tonight
Our PreCog vendor-intel worker pulls eight feeds — the same eight blogs that sweep led with. The Talos feed had been silently failing for some unknown period of time. Talos migrated their blog from Blogger to Ghost and the old feed URL at /feeds/posts/default returns a 404. Our code held onto the old URL. Tonight I replaced it with the working Ghost RSS endpoint at /rss/. The fix is one line in workers/vendor-intel.js. While I was in there I also corrected the ESET feed URL to the canonical /en/rss/feed/ that the redirect lands on, to save a round trip per sweep.
That means PreCog has been missing Talos drops. Talos publishes UAT-cluster work, Cisco Firepower zero-day deep dives, and ICS reporting that we should have been pulling. Tonight's sanity check on the fixed feed pulled headlines including UAT-4356's Targeting of Cisco Firepower Devices, which is exactly the kind of named-actor, named-victim research that should have been in our novelty queue weeks ago. We were missing it because of a CMS migration nobody told us about.
The Talos fix and the ESET fix both go into the next PreCog deployment.
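The silent failure above (a 404 after a CMS migration, and a configured URL that only works via redirect) is cheap to catch if every pull is classified rather than just parsed. The following is an added example, not the code in PreCog's workers/vendor-intel.js; it assumes the caller fetches with `fetch(url, { redirect: 'follow' })` and passes `{ status, url, body }`, and uses constructed example.test hosts rather than real endpoints.

```javascript
// Added example (not DugganUSA's vendor-intel.js): classify a fetched feed
// response so a 404, a redirect away from the configured URL, or a feed that
// stopped yielding items becomes an explicit finding instead of a silent gap.
const STALE_DAYS = 14; // assumption: no item newer than this means "stale"

// Newest <pubDate> (RSS 2.0) or <updated> (Atom) in the document, or null.
function latestItemDate(xml) {
  const re = /<(?:pubDate|updated)>([^<]+)<\/(?:pubDate|updated)>/g;
  const ts = [...xml.matchAll(re)].map(m => Date.parse(m[1].trim()))
    .filter(Number.isFinite);
  return ts.length ? new Date(Math.max(...ts)) : null;
}

// res = { status, url (final URL after redirects), body }
function checkFeed(feed, res, now = new Date()) {
  const f = { name: feed.name, status: 'ok', detail: '' };
  if (res.status !== 200) return { ...f, status: 'broken', detail: `HTTP ${res.status}` };
  if (!/<(rss|feed)[\s>]/.test(res.body)) return { ...f, status: 'broken', detail: 'not RSS/Atom' };
  const newest = latestItemDate(res.body);
  const ageDays = newest ? (now - newest) / 86400000 : Infinity;
  if (ageDays > STALE_DAYS) {
    return { ...f, status: 'stale', detail: newest ? `newest item ${Math.round(ageDays)}d old` : 'no dated items' };
  }
  // Redirect drift: still works, but the configured URL is no longer the canonical one.
  if (res.url && res.url !== feed.url) return { ...f, status: 'redirected', detail: `lands on ${res.url}` };
  return f;
}

// Constructed sample sweep (example.test hosts, not real vendor endpoints).
const NOW = new Date('2026-04-27T00:00:00Z');
const rss = d => `<rss><channel><item><pubDate>${d}</pubDate></item></channel></rss>`;
const FEEDS = [
  { name: 'talos', url: 'https://talos.example.test/feeds/posts/default' },
  { name: 'eset', url: 'https://eset.example.test/rss' },
  { name: 'unit42', url: 'https://unit42.example.test/rss' },
  { name: 'quiet', url: 'https://quiet.example.test/rss' },
];
const RESPONSES = {
  [FEEDS[0].url]: { status: 404, url: FEEDS[0].url, body: '<html>Not Found</html>' },
  [FEEDS[1].url]: { status: 200, url: 'https://eset.example.test/en/rss/feed/', body: rss('Sat, 25 Apr 2026 10:00:00 GMT') },
  [FEEDS[2].url]: { status: 200, url: FEEDS[2].url, body: rss('Fri, 24 Apr 2026 10:00:00 GMT') },
  [FEEDS[3].url]: { status: 200, url: FEEDS[3].url, body: rss('Sun, 01 Mar 2026 10:00:00 GMT') },
};

function sweep(feeds = FEEDS, responses = RESPONSES, now = NOW) {
  return feeds.map(f => checkFeed(f, responses[f.url], now));
}
```

Anything other than `ok` should page someone; `redirected` is the cue to update the configured URL before the old one turns into a 404.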
## Why The AI Deck Wins The Calendar
Vendor research follows two logics at once. There is the technical logic, which says: ship the analysis when it is ready. There is the commercial logic, which says: ship the analysis when the conference circuit and the budget cycle most reward it. RSAC is forty-eight hours away as of this post. Google Cloud Next is two weeks past. Microsoft Build is a month out. The AI deck is the deck because the buyer is sitting in the AI panel.
That is fine. It is also why the operational threat intelligence story has been getting drowned out for two weeks. While the field was looking up at agentic SOCs, three things happened that anyone running a Linux server should have been told about more loudly. The Gentlemen is on the leak boards. Sapphire Sleet has gone macOS. Unit 42's npm threat landscape paper documents how every supply-chain compromise primitive of 2026 actually works. The actual signal got buried under the demo signal.
We do not run a panel circuit. We run an index.
## Our Approach
When we say AI in our work, we mean a specific thing. We mean a Bloom filter that fingerprints every IOC against everything we have ever seen, in O(1), so the novel ones light up the second they appear. We mean Meilisearch cross-index correlation, where the iocs index, the blog index, the pulses index, and the page-views index can all be joined in a single semantic query. We mean a weaponization classifier built out of thirteen indicator features that flags the moment a public proof-of-concept exploit on GitHub crosses from research to weapon. We mean precursor detection, six signals derived from what attackers do before they attack — collection patterns, dormant account awakening, intel harvest convergence — none of which require knowing the specific attack in advance.
That is concrete AI. It runs on six hundred dollars a month of Azure. It pulls eight vendor blogs every ten minutes, except the one we did not realize was broken, which is fixed in the next deploy.
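The Bloom-filter novelty check described above, as an added example rather than PreCog's own code. The hash construction (FNV-1a with per-slot seeds) and the sizing formula are assumptions; the indicators in the demo are the ones quoted in this post. The one property a practitioner needs to keep in mind is that a miss is certain but a hit is only probable, so a false positive hides a novel IOC rather than inventing one.

```javascript
// Added example, not PreCog's own code: a Bloom filter that answers "have we
// ever seen this IOC?" in O(1). FNV-1a with k seeds is the assumed hashing.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

// Bit count m and hash count k for n expected IOCs at false-positive rate p.
function sizeFor(n, p) {
  const m = Math.ceil(-n * Math.log(p) / (Math.LN2 * Math.LN2));
  return { m, k: Math.max(1, Math.round((m / n) * Math.LN2)) };
}

class IocBloom {
  constructor(m, k) { this.m = m; this.k = k; this.bits = new Uint8Array(Math.ceil(m / 8)); }
  positions(ioc) {
    const key = ioc.trim().toLowerCase(); // normalise so a re-cased hash is not "new"
    return Array.from({ length: this.k },
      (_, i) => fnv1a(key, Math.imul(i + 1, 0x9e3779b9) >>> 0) % this.m);
  }
  add(ioc) { for (const p of this.positions(ioc)) this.bits[p >> 3] |= 1 << (p & 7); }
  // false => definitely never seen; true => seen, except for a false positive
  mightContain(ioc) { return this.positions(ioc).every(p => this.bits[p >> 3] & (1 << (p & 7))); }
}

// Split a batch into novel (never seen) and seen (probably seen), learning the novel ones.
function triage(filter, iocs) {
  const novel = [], seen = [];
  for (const ioc of iocs) {
    if (filter.mightContain(ioc)) seen.push(ioc);
    else { novel.push(ioc); filter.add(ioc); }
  }
  return { novel, seen };
}

// Constructed demo using the Gentlemen indicators quoted in this post.
const WALLPAPER = 'fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68';
function demo() {
  const { m, k } = sizeFor(1000, 0.001);
  const filter = new IocBloom(m, k);
  ['91.107.247.163', '45.86.230.112', WALLPAPER].forEach(i => filter.add(i));
  // The re-cased hash is recognised; only the SPF-derived IP is novel.
  return triage(filter, ['45.86.230.112', WALLPAPER.toUpperCase(), '45.86.230.178']);
}
```

Size the filter for the IOC count you expect over its lifetime; once it is overfull the false-positive rate climbs and genuinely novel indicators start being reported as seen.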
## What To Do With This
If you run a SIEM, the Gentlemen Cobalt Strike beacon is at 91.107.247.163 and the SystemBC proxy is at 45.86.230.112. Block both at the egress proxy. The wallpaper hash is fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68. Apply the Tera0017 YARA rule from the Check Point report. The six follow-on infrastructure IPs from the stieglers.net SPF — 45.86.230.178, 45.86.230.6, 194.213.18.194, 194.213.18.131, 194.213.18.90 — are in our STIX feed and were not in the Check Point DFIR.
If you run a Wi-Fi network, read the Unit 42 AirSnitch paper carefully. The detection is behavioral. Your network monitoring platform should be looking for MAC table churn, not file hashes.
If you run a feed, you can pull all of this from our STIX endpoint at analytics.dugganusa.com/api/v1/stix-feed.
## The Pattern
The AI panel will still be running next week. The Gentlemen will still be encrypting Linux servers next week. Both things are true. The pattern that matters for a buyer is which of those two things your threat intelligence vendor is shipping receipts on, today.
We aim for ninety-five percent. The other five percent is honest. Murphy was an optimist.
— Patrick
Microsoft pulls our STIX feed daily. AT&T pulls it daily. Starlink pulls it daily. Get the DugganUSA STIX feed at nine dollars a month at analytics.dugganusa.com/stix. The cheapest, fastest, most accurate threat feed on the internet. 275+ enterprises pulling daily. 1.1M+ IOCs. 17.85M indexed documents. We had The Gentlemen infrastructure six days before this week's vendor coverage. Starter tier nine dollars a month — less than any competitor's sales demo. Look up an IOC at analytics.dugganusa.com. Audit your brand on AIPM at aipmsec.com. See pricing at analytics.dugganusa.com/stix/pricing.
## References
- Check Point Research, DFIR Report: The Gentlemen, April 2026.
- Check Point Blog, The Gentlemen: A New Ransomware Threat Climbing the Charts Fast, April 20, 2026.
- DugganUSA, How I Would Look for The Gentlemen, April 21, 2026.
- Unit 42, When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks, April 22, 2026.
- Unit 42, TGR-STA-1030: New Activity in Central and South America, April 24, 2026.
- Unit 42, The npm Threat Landscape: Attack Surface and Mitigations, April 24, 2026.
- Microsoft Security, Dissecting Sapphire Sleet's macOS intrusion from lure to compromise, April 16, 2026.
- ESET WeLiveSecurity, GopherWhisper, April 23, 2026.
- Recorded Future, From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026, April 24, 2026.
- SentinelOne, Frontier AI Reinforces the Future of Modern Cyber Defense, April 16, 2026.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
