We're Going Kalshi Mode on Threat Intel. Seven Predictions on Last Week's Stories. Public Receipts. Resolution Dates Below.
- Patrick Duggan
Most threat intel reads like horoscopes. Vague enough to be unfalsifiable, hedged enough to never be wrong, vendor-flavored enough to sell next quarter's product. We hate that. So we are going Kalshi mode for the next two weeks. Seven binary YES or NO contracts on stories from the past seven days. Each one has a probability we believe, a deadline by which it resolves, the receipts that drove the number, and what would flip us. You can grade us in real time. We will publish a follow-up post when each resolves.
Here are the seven.
1. ShinyHunters publish the ADT data by Monday April 27, 2026 at 23:59 UTC. We say 35 percent YES.
The receipts. ShinyHunters claimed Vercel two weeks ago and Mandiant flagged the attribution as a likely imposter. We pulled adversaries.shinyhunters from our 361-actor index and graded all public ShinyHunters claims since 2024. Roughly 40 percent went to actual leaks. The remaining 60 percent were posturing, brand-borrowing, or extortion theater. The April 27 deadline announced for ADT was leaked to journalists rather than embedded in the extortion infrastructure itself. That is the posturing pattern. Flips us to YES if a sample drops by Sunday afternoon. Samples mean real. No sample means imposter.
2. CVE-2026-40050 (CrowdStrike LogScale) gets a public proof of concept on GitHub by Monday May 5. We say 80 percent YES.
The receipts. Unauthenticated path traversal. CVSS 9.8. The vulnerability sits on a specific cluster API endpoint that runZero has already documented an enumeration query for. Path traversal of this class typically gets a working exploit within 72 hours of an advisory drop. CrowdStrike published the advisory on Saturday morning April 25. The clock started 24 hours ago. We have already seen one exploit researcher tweet that they have a local reproduction. The PoC is coming. Flips us to NO if by Tuesday no public PoC has appeared and CrowdStrike issues a follow-up that deprecates the affected endpoint outright.
3. CISA adds at least one more vulnerability to the Known Exploited Vulnerabilities catalog by Friday May 1. We say 95 percent YES.
The receipts. CISA has added 13 vulnerabilities to KEV in the last 5 days. Microsoft Defender on April 22. Three Cisco Catalyst SD-WAN entries on April 20. Four more on Friday April 24. The cadence is near-daily. Federal agencies are not patching faster than CISA is finding new entries. This is statistical near-certainty under the 95 percent cap we put on every claim because Murphy was an optimist. Flips us to NO only if a federal shutdown or CISA leadership change disrupts the pipeline. Neither is on the table.
4. Mustang Panda registers a new Claude-themed C2 domain by Monday May 5. We say 88 percent YES.
The receipts. Our IOC index has 82 Claude-themed indicators. 29 of them landed in the last 30 days. We have the registration cadence. Mustang Panda has been adding roughly one new Claude-themed domain per day for six weeks. install-claude.com on April 17. Three claude-app variations on GitLab pages on April 13. claudepage.pages.dev on April 12. The playbook does not pause unless their infrastructure gets sinkholed at scale, and Cloudflare plus GitLab plus Bitbucket coordinating a synchronized takedown of all known Mustang Panda C2s in the next 7 days would be unprecedented. Flips us to NO only if that takedown happens.
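For defenders who want to watch for the naming pattern described above in their own DNS logs, here is a small triage sketch. It is an added example, not code from this post or from the DugganUSA feed; the log format (timestamp, client, queried name), the allowlist of official domains, and the function names are assumptions.

```python
# Assumption: domains treated as legitimate; adjust for your environment.
OFFICIAL = {"claude.ai", "anthropic.com"}
# Free hosting suffixes for the platforms the post names
# (Cloudflare Pages, GitLab Pages, Bitbucket).
FREE_HOSTING = ("pages.dev", "gitlab.io", "bitbucket.io")

# Constructed sample log lines: "<timestamp> <client> <queried name>".
SAMPLE_LOG = [
    "2026-04-26T09:00:01Z 10.0.0.5 claude.ai",
    "2026-04-26T09:00:02Z 10.0.0.5 install-claude.com",
    "2026-04-26T09:00:03Z 10.0.0.7 claudepage.pages.dev",
    "2026-04-26T09:00:04Z 10.0.0.7 claude.ai.example.net",
    "2026-04-26T09:00:05Z 10.0.0.9 docs.anthropic.com",
    "2026-04-26T09:00:06Z 10.0.0.9 example.org",
]

def under(host, domain):
    """True only if host is the domain or a subdomain on a label boundary."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    host = host.lower().rstrip(".")
    # Boundary-aware allowlist: 'claude.ai.example.net' and 'notclaude.ai'
    # must not be treated as official.
    if any(under(host, d) for d in OFFICIAL):
        return "official"
    if "claude" not in host:
        return "ignore"
    if any(under(host, s) for s in FREE_HOSTING):
        return "review-free-hosting"
    return "review-registered"

def triage(log_lines):
    """Return {host: verdict} for every queried name that needs analyst review."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        host = fields[2].lower().rstrip(".")
        verdict = classify(host)
        if verdict.startswith("review"):
            hits[host] = verdict
    return hits

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:22} {host}")
```

A hit means "brand-themed name outside the allowlist", which is a lead for review, not an attribution to any actor.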
5. Vercel breach attribution gets revised away from ShinyHunters by Friday May 8. We say 65 percent YES.
The receipts. Mandiant already hedged the attribution as likely imposter in the public statement on April 20. We tracked their UNC-numbered re-attribution behavior on prior cases in our incident-response index. They follow up with a real UNC tracking number within 2 to 3 weeks of an initial disclosure roughly half the time. The Lumma Stealer plus Context dot AI plus pivot through a browser extension is a clean adversary picture forming, and clean pictures tend to get UNC names. Flips us to NO if ShinyHunters publishes operationally distinct evidence, meaning a leak sample whose hashing or formatting overlaps with prior confirmed ShinyHunters dumps from 2024.
6. Law enforcement action against the Interlock-ransomware-adjacent Tor exit operator by Monday June 1. We say 22 percent YES.
The receipts. Our Tor attribution research published April 20 documented 50 exit relays under one operator on the same ASN that hosts Interlock ransomware command and control. The research is solid. Law enforcement rarely acts on third-party research alone without independent corroboration. Tor exit relay seizure or compelled-cooperation processes typically run multiple months. Six weeks is short. Flips us to YES if Europol or the DOJ have been working this in parallel and our publication nudges a decision, but we will not see the daylight on that until the takedown lands.
7. DugganUSA Stripe MRR increases by at least 9 dollars by Monday April 27, 2026 at 23:59 UTC. We say 30 percent YES.
This is the contract we have skin in. Eight attributable Tor clicks to our pricing page in the first 24 hours after the CTA retrofit prove the funnel fires. Tor users do not buy. The LinkedIn cross-post of our CrowdStrike LogScale piece needs 12 to 48 hours to propagate. AI crawlers reindex on 24 to 72 hour cycles. New posts surface to humans Sunday morning at the earliest. Mathematically the baseline conversion is small. Hitting YES requires a non-baseline event. The candidates are on the warm list. Juan Leon at Datavant, who registered after a Reddit thread on March 13. Ross Seldon at Perficient, who scored his AIPM audit and asked about channel-partner economics. Moritz Metz, who said in writing on March 22 that he wanted to support our work with a paid plan and has not yet pulled the trigger. Flips us to YES if any of those three convert this weekend. The 30 percent number is the joint probability across them.
The honest read is that contracts one through six are spectator sports. Other people's actions, our predictions. Contract seven is the only one where our work directly drives the outcome, which is exactly why it is the smallest probability.
We will publish a resolution post for each contract within 48 hours of the deadline. Win or lose. Public.
If you are reading this and you want the same threat intel that drove these probabilities, the feed is below. If you are a vendor we named and you think our probability for your story is wrong, the open invitation to publish your own counter-prediction is also below.
Sources for the underlying stories. CrowdStrike Tech Alert for CVE-2026-40050. CISA KEV catalog April 20, 22, 24, 2026. BleepingComputer ADT confirmation. The Hacker News Vercel-Context AI attribution. Mandiant UNC-numbered tracking documentation. Our own adversaries index, IOC index, and Tor attribution research.
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor's sales demo.