🔬 Cloud Threat Research

Primary sources for cloud-focused threat research - vendor research teams, annual threat reports, notable incident post-mortems, IOC feeds, threat intel platforms, and government advisories. Everything linked here is free to read.

New here? Start with our cloud security overview for context on threats and tools. Decode TTPs and acronyms in the cloud security glossary, see real attacks broken down step-by-step in the breach kill chains, or practice defending against them with hands-on CTF challenges.


About This Page

Threat research is how the cloud security community learns from real attacks. This page collects the research teams, reports, feeds, and frameworks that cloud defenders actually read. Where possible, we link directly to the research output (a blog, a feed URL, or a report) rather than a vendor marketing page.

Spot something missing? Submit a PR on GitHub or email admin@csoh.org.

Vendor Research Teams

The fastest path to fresh, technical threat intel. These are the teams whose telemetry - incident-response engagements, agent fleets, sandbox detonations, honeypots - surfaces novel cloud-attacker behavior weeks or months before it lands in MITRE ATT&CK or the next annual report. Each team writes from a slightly different vantage (CSPM, EDR, IR consulting, IaaS provider, runtime), so cross-referencing two or three on the same incident usually fills in details any one source misses. Subscribe to a handful via RSS, weight the ones whose stack overlaps yours (cloud provider, K8s distro, EDR vendor), and treat the detections they publish as starter content for your own SIEM or hunt program.

Wiz Research

Cloud-native vulnerability research - tenant isolation failures, shared-responsibility gaps, and novel CSP bugs (e.g. ChaosDB, ExtraReplica, OMIGOD).

Research Multi-Cloud Vulnerabilities

Unit 42 (Palo Alto Networks)

Threat intelligence on ransomware, APTs, cloud attack trends, and the annual Unit 42 Cloud Threat Report.

Threat Intel APT Ransomware

Mandiant / Google Cloud Threat Intel

Incident response telemetry, nation-state tracking (UNC/APT groups), and the annual M-Trends report.

Threat Intel APT GCP

Microsoft Threat Intelligence

Tracks actors like Storm-0558, Midnight Blizzard, and Octo Tempest - with deep Azure/Entra ID attack detail.

Threat Intel Azure Entra ID

Google Threat Analysis Group (TAG)

Nation-state actor tracking, 0-day exploitation analysis, and coordinated disclosure research.

Threat Intel Nation-State 0-day

CrowdStrike Counter Adversary Ops

Adversary tracking (Scattered Spider, Cozy Bear, etc.), breakout-time stats, and the annual Global Threat Report.

Threat Intel Adversary Tracking

SentinelLabs

In-depth malware reverse engineering and cloud intrusion analysis (e.g. the AlienFox cloud credential-harvesting toolkit).

Malware Analysis Reverse Engineering

Datadog Security Labs

Cloud detection engineering research, attack path analysis, and the annual State of Cloud Security report.

Detection Engineering AWS Multi-Cloud

Sysdig Threat Research (TRT)

Container and Kubernetes attack research - cryptojacking and credential-theft campaigns (e.g. SCARLETEEL, LABRAT), runtime exploits, and supply-chain threats.

Containers Kubernetes Runtime

Aqua Nautilus

Cloud-native threat research focused on container registries, package repositories, and CI/CD supply chain attacks.

Containers Supply Chain

Permiso Security

Identity-centric cloud threat research: LUCR-3 (Scattered Spider), AWS privilege escalation, and IdP abuse.

Identity AWS

Cado Security Labs

Cloud incident response and forensics research - covers novel malware families targeting AWS, Azure, and GCP.

Incident Response Forensics

Google Cloud Security Blog

Product security research and detection content from Google Cloud, Chronicle, and BeyondCorp.

GCP Detection Engineering

AWS Security Bulletins

Official AWS advisories for vulnerabilities affecting AWS services, open-source projects, and shared infrastructure.

AWS Advisories

Microsoft Security Response Center

MSRC advisories and vulnerability disclosure posts for Microsoft cloud, OS, and identity products.

Azure Advisories

IBM X-Force

Threat intelligence research and the annual X-Force Threat Intelligence Index with cloud attack trend data.

Threat Intel Reports

Cisco Talos Intelligence

One of the largest commercial threat intel teams - ClamAV, Snort, ransomware tracking, and deep adversary playbooks.

Threat Intel Ransomware

Proofpoint Threat Insight

Research into phishing, BEC, and cloud account takeover campaigns - primary source for SaaS/M365 threats.

Phishing SaaS

MITRE ATT&CK Cloud - eight tactics, real techniques

A stripped-down preview of the official matrix: the eight tactics in column form, with two or three example techniques under each.

Initial Access: Valid Accounts; Phishing / MFA fatigue; Trusted Relationship
Execution: Container Administration Command; Cloud API abuse; Serverless Execution
Persistence: Account Manipulation; Implant IAM role; Add SSH key to instance
Privilege Escalation: Valid Accounts; Domain Policy Modification
Defense Evasion: Disable Cloud Logs; Modify Cloud Resource; Indicator Removal
Credential Access: Cloud Instance Metadata API; Steal Web Session Cookie; Forge Web Credentials
Lateral Movement: Use Alternate Authentication Material; Internal Spearphishing
Exfiltration & Impact: Transfer Data to Cloud Account; Resource Hijacking; Data Encrypted for Impact

Each technique listed here maps to one or more cloud breach kill chains in the /breach-timeline directory. Real attacks chain 3-6 of these tactics together, so detection content should target the chains, not isolated techniques. Read this first to recognize what you're looking at, then open the full MITRE ATT&CK Cloud matrix for the complete set of techniques and detection guidance: attack.mitre.org/matrices/enterprise/cloud
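Chaining rather than matching single techniques is the point of the note above. The following Python is an added example (not code from this page, from MITRE, or from any vendor listed here) that correlates a handful of constructed CloudTrail records into the Capital One-shaped chain listed under Notable Cloud Incidents below: EC2 instance-role credentials used from an IP outside the account's known egress set (Credential Access via the instance metadata API), followed within a window by S3 enumeration and a burst of object reads from the same session (Exfiltration). The egress IP set, the 30-minute window and the three-read threshold are assumptions you would tune to your environment; the events are constructed, not real logs.

```python
"""Chain-aware detection over CloudTrail (added example; all events constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KNOWN_EGRESS_IPS = {"203.0.113.10"}   # assumption: NAT/egress IPs your EC2 fleet uses
WINDOW = timedelta(minutes=30)        # assumption: end-to-end time budget for one chain
READ_BURST = 3                        # assumption: GetObject calls that count as bulk access

# EC2 instance-role sessions carry the instance ID as the STS session name.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")


def _ev(time, source, name, ip, arn, delivery=None, bucket=None):
    """Build a minimal CloudTrail record (constructed test data, not real logs)."""
    ident = {"type": "AssumedRole" if "assumed-role" in arn else "IAMUser", "arn": arn}
    if delivery:  # CloudTrail's ec2RoleDelivery: "1.0" = IMDSv1, "2.0" = IMDSv2
        ident["sessionContext"] = {"ec2RoleDelivery": delivery}
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": ident}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


ROLE = "arn:aws:sts::123456789012:assumed-role/waf-proxy-role/i-0a1b2c3d4e5f67890"
USER = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [
    # Benign: the instance calling AWS from its own egress IP.
    _ev("2019-03-22T09:58:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", ROLE, "1.0"),
    # Stage 1: the same instance credentials used from an unknown IP, delivered via IMDSv1.
    _ev("2019-03-22T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", ROLE, "1.0"),
    # Stage 2: enumeration.
    _ev("2019-03-22T10:00:40Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7", ROLE, "1.0"),
    # Stage 3: bulk reads (S3 data events).
    _ev("2019-03-22T10:01:10Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", ROLE, "1.0", "acme-credit-applications"),
    _ev("2019-03-22T10:01:12Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", ROLE, "1.0", "acme-credit-applications"),
    _ev("2019-03-22T10:01:15Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", ROLE, "1.0", "acme-credit-applications"),
    # Noise: a human listing buckets from the office is not this chain.
    _ev("2019-03-22T10:05:00Z", "s3.amazonaws.com", "ListBuckets", "192.0.2.44", USER),
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(ev):
    """Return the set of chain stages one event contributes to (an event may hit several)."""
    stages = set()
    ident = ev["userIdentity"]
    if INSTANCE_SESSION.search(ident.get("arn", "")) and ev["sourceIPAddress"] not in KNOWN_EGRESS_IPS:
        delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery", "")
        stages.add(("creds_offhost", "IMDSv" + (delivery[:1] or "?")))
    if ev["eventSource"] == "s3.amazonaws.com":
        if ev["eventName"] == "ListBuckets":
            stages.add(("s3_enum", None))
        elif ev["eventName"] in ("GetObject", "CopyObject"):
            stages.add(("s3_read", ev["requestParameters"]["bucketName"]))
    return stages


def detect_chains(events):
    """Alert per principal only when off-host credential use is followed, within WINDOW,
    by S3 enumeration or a burst of reads; either stage on its own stays silent."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for stage in classify(ev):
            by_principal[ev["userIdentity"]["arn"]].append((_t(ev["eventTime"]), stage, ev["sourceIPAddress"]))
    alerts = []
    for arn, hits in by_principal.items():
        offhost = [h for h in hits if h[1][0] == "creds_offhost"]
        if not offhost:
            continue
        start = offhost[0][0]
        window = [h for h in hits if start <= h[0] <= start + WINDOW]
        names = {h[1][0] for h in window}
        reads = [h[1][1] for h in window if h[1][0] == "s3_read"]
        if "s3_enum" in names or len(reads) >= READ_BURST:
            alerts.append({
                "principal": arn,
                "instance_id": INSTANCE_SESSION.search(arn).group(1),
                "imds": offhost[0][1][1],
                "source_ips": sorted({h[2] for h in window}),
                "stages": sorted(names),
                "buckets": sorted(set(reads)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints one alert for the instance-role session and nothing for the IAM user, because the user's ListBuckets never chains onto off-host credential use. The IMDS version in the alert comes straight from CloudTrail's ec2RoleDelivery field, so the same rule also tells you which fleet members still hand out IMDSv1 credentials.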

Annual Threat Reports

The strategic-level documents that set the conversation each year - read by CISOs, board members, and the practitioners who have to translate the findings into roadmaps. They're worth reading critically: each report is part marketing, part field data, and the vendors disagree as much as they agree (one will call ransomware the top threat, another will name initial-access brokers, a third valid-account abuse). That disagreement is itself useful - it tells you what's noisy in their telemetry vs. yours. Skim two or three each year, extract the numbers that matter (median dwell time, top initial-access vectors, ransom-pay rates, breach cost per record) and use them to ground budget conversations in something other than hype. Most are free downloads behind a form.


Notable Cloud Incidents & Post-Mortems

Real attacks beat tabletop scenarios - actual adversaries make moves a red team wouldn't think of, defenders miss things in ways no checklist predicts, and the fallout (regulatory, financial, reputational) makes the lesson stick. Each incident here has either a vendor post-mortem, a CISA advisory, or court documents detailed enough to reconstruct the attack step-by-step. Read them looking for recurring patterns rather than one-off vulnerabilities: identity sprawl and over-permissive roles, secrets committed to source, weak tenant isolation, supply-chain compromise, and gaps between provider and customer responsibility keep showing up across years and clouds. Start with our own step-by-step kill chains mapped to MITRE ATT&CK Cloud, then drill into the primary sources to see what each company actually disclosed (and, sometimes, what they tried not to).

CSOH Breach Kill Chains

Our in-house collection: Capital One, Storm-0558, SolarWinds, LastPass, MGM, Snowflake - all mapped to MITRE ATT&CK Cloud.

CSOH Original MITRE Mapped

Capital One (2019)

SSRF → IMDSv1 → over-privileged IAM role → ~106M records exfiltrated from S3. The case most often credited with pushing AWS to ship IMDSv2 (session-token-based metadata access).

AWS SSRF IAM

Storm-0558 (2023)

Microsoft's own post-mortem on how a stolen consumer signing key was used to forge tokens for enterprise Exchange Online accounts.

Azure Token Forgery

SolarWinds / SUNBURST (2020)

Supply-chain compromise that pivoted to Azure AD / M365 via Golden SAML. CISA's remediation guide is the canonical reference.

Supply Chain Azure AD

LastPass (2022-23)

Home-PC Plex exploit on a DevOps engineer's machine → keylogger → master password → corporate vault → decryption keys for AWS S3 backups → customer vault exfiltration. 33M customers affected.

AWS S3 Credential Theft

Scattered Spider / MGM (2023)

CISA joint advisory covering Scattered Spider (Octo Tempest, UNC3944) tradecraft - help-desk social engineering, Okta abuse, Azure pivot.

Social Eng Okta Azure

Snowflake / UNC5537 (2024)

Infostealer-harvested credentials used against Snowflake tenants without MFA - impacted 165+ organizations.

Snowflake Infostealer

Uber (2022)

Contractor MFA fatigue → PAM vault credentials → domain admin, AWS, GCP, Slack. Uber's own disclosure.

MFA Fatigue Multi-Cloud

Microsoft AI SAS Token Leak (2023)

38TB of internal data exposed via an overprivileged, long-lived Azure SAS token on a public GitHub repo. Discovered by Wiz.

Azure SAS Token
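The properties that made that leak possible (account-wide scope, write permissions, an expiry decades out) are all visible in the SAS query string itself, so they can be caught in code review or in a secrets scanner before the token ever ships. Added example, not code from Microsoft, Wiz or this page: a Python audit that parses a SAS URL and flags those properties. The seven-day lifetime ceiling is an assumption standing in for your own policy; both tokens are constructed, the first modeled on the reported shape of the leaked token, and the signature values are placeholders rather than real HMACs.

```python
"""Audit Azure SAS tokens for over-broad scope, lifetime and permissions (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

MAX_LIFETIME = timedelta(days=7)        # assumption: your policy ceiling for SAS validity
MUTATING = set("acdwxyumopi")           # add/create/delete/write/del-version/perm-delete/update/move/ownership/permissions/immutability
NOW = datetime(2023, 6, 22, 12, 0, tzinfo=timezone.utc)   # fixed reference time for the examples

# Constructed tokens. LEAKY_SAS is modeled on the reported shape of the leaked token
# (account SAS, every service and resource type, full permissions, expiry in 2051);
# the sig= values are placeholders, not real signatures.
LEAKY_SAS = ("https://contoso.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx"
             "&se=2051-10-05T00:00:00Z&sig=c29tZXNpZ25hdHVyZQ%3D%3D")
SCOPED_SAS = ("https://contoso.blob.core.windows.net/reports/q2.pdf?sv=2020-08-04&sr=b&sp=r"
              "&se=2023-06-22T13:00:00Z&sip=203.0.113.0-203.0.113.255&spr=https&sig=YW5vdGhlcnNpZw%3D%3D")


def parse_sas(url):
    """Flatten the SAS query string into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _sas_time(value):
    # se/st are ISO 8601 UTC, e.g. 2051-10-05T00:00:00Z or just 2051-10-05
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(url, now, max_lifetime=MAX_LIFETIME):
    """Return (code, detail) findings; an empty list means the token passed every check."""
    p = parse_sas(url)
    if "sig" not in p or "se" not in p:
        return [("NOT_A_SAS", "no sig= or se= parameter")]
    findings = []
    expiry = _sas_time(p["se"])
    if expiry <= now:
        findings.append(("EXPIRED", p["se"]))
    elif expiry - now > max_lifetime:
        findings.append(("LONG_LIVED", f"expires {p['se']} ({(expiry - now).days} days out)"))
    perms = set(p.get("sp", ""))
    if perms & MUTATING:
        findings.append(("MUTATING_PERMS", "sp=" + "".join(sorted(perms))))
    if "ss" in p or "srt" in p:  # account SAS: spans whole services, not one object
        findings.append(("ACCOUNT_SCOPE", f"ss={p.get('ss', '')} srt={p.get('srt', '')}"))
    elif p.get("sr") in ("c", "d", "s"):  # container / directory / share rather than a single blob or file
        findings.append(("CONTAINER_SCOPE", "sr=" + p["sr"]))
    if "sip" not in p:
        findings.append(("NO_IP_RESTRICTION", "no sip= range; usable from anywhere"))
    if "http" in p.get("spr", "https,http").split(","):  # service default when spr is omitted
        findings.append(("HTTP_ALLOWED", "spr=" + p.get("spr", "(omitted)")))
    return findings


def redact(url):
    """Log a SAS URL without its signature so your own tooling does not re-leak the token."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sig" else v) for k, vs in parse_qs(parts.query).items() for v in vs]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for url in (LEAKY_SAS, SCOPED_SAS):
        print(redact(url), audit_sas(url, NOW))
```

The leaky token trips five checks; the scoped one (single blob, read-only, one-hour expiry, IP-restricted, HTTPS-only) trips none. Note that redact() is what you should log and ticket: a SAS URL with its sig intact is a working credential wherever it lands.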

Codecov (2021)

Docker image credential compromise leading to bash uploader tampering - a supply-chain attack that exposed customer CI secrets.

Supply Chain CI/CD

Okta Support System (2023)

Okta's own post-mortem on the support-system compromise: a stolen service account was used to view HAR files attached to support cases (harvesting customer session tokens), and Okta later confirmed the actor also pulled a report covering all customer support system users.

Identity SaaS

isotope¹³ Supply-Chain Attack Compendium

Research database cataloging 260 supply-chain attacks (1975-2026) across 155 open-source and 105 commercial packages - indexed by year, vector, and payload insertion point.

Supply Chain Database

CISA Cybersecurity Advisories

US government post-incident advisories (AA-series) - the most detailed public documentation of major ongoing campaigns.

CISA Advisories

Supply Chain Attacks

Supply-chain compromise has moved from a niche concern to one of the dominant cloud threat patterns: a single tampered build artifact, signing key, or upstream dependency now propagates to thousands of downstream tenants before anyone notices. SolarWinds, Codecov, 3CX, the XZ Utils backdoor, and the tj-actions/changed-files GitHub Action compromise all share the same shape - trusted code gets modified upstream of where defenders look. The resources below cover both sides: the frameworks (SBOM, SLSA, sigstore, in-toto, NIST SSDF) that defenders use to harden their build and dependency chains, the research feeds that catalog malicious packages in npm, PyPI, and container registries in near-real time, and the post-mortems of incidents that defined how we think about CI/CD trust today. If you already pin dependencies and sign artifacts, weight the malicious-package feeds and incident write-ups; if you're just starting, begin with SLSA and the OpenSSF Scorecard to baseline where you stand.

SLSA Framework

Supply-chain Levels for Software Artifacts - a graduated framework (Build track levels L0-L3 in SLSA v1.0) for build integrity, provenance, and tamper resistance. Maintained under OpenSSF.

Framework Provenance Build Integrity

OpenSSF

Open Source Security Foundation - home for Scorecard, Sigstore, SLSA, and the malicious packages working group. The closest thing OSS has to a coordinating defender body.

OSS Foundation

Sigstore

Keyless artifact signing (cosign, Fulcio, Rekor) - short-lived certificates bound to an OIDC identity plus a public transparency log. Used for npm provenance attestations, PyPI attestations, Kubernetes release signing, and a growing number of OSS projects.

Signing Transparency Log

in-toto

End-to-end framework for cryptographically attesting each step of a software supply chain. Underpins SLSA provenance generation and is a CNCF graduated project.

Attestation CNCF

NIST SSDF (SP 800-218)

Secure Software Development Framework - the practices US federal software producers must attest to under EO 14028. The de facto compliance floor for selling software to the government.

NIST Compliance EO 14028

NIST C-SCRM (SP 800-161)

Cybersecurity Supply Chain Risk Management practices - vendor risk, third-party assessment, and the controls that map to FedRAMP and CMMC supply-chain requirements.

NIST Vendor Risk

GitHub Advisory Database

Curated CVE + GHSA database for npm, PyPI, RubyGems, Maven, NuGet, Go, Composer, Rust, and more. Backs Dependabot and is queryable via the GraphQL API.

CVE Dependencies

OSV.dev

Google's open-source vulnerability database - aggregates GHSA, PyPA, RustSec, and OS distro advisories into a single schema. Free API, used by osv-scanner.

Vulnerabilities Free API

Socket

Real-time detection of malicious npm and PyPI packages - install-script analysis, typosquat scoring, and dependency drift alerts. Publishes ongoing campaign write-ups.

npm PyPI Malicious Packages

Phylum / Veracode Threat Research

Continuous monitoring of open-source registries for malicious package campaigns - primary source for North Korea (Lazarus / Contagious Interview) npm and PyPI activity.

Malicious Packages Threat Intel

CISA ICT Supply Chain Risk Management

US government guidance, attestation forms, and advisories on ICT supply-chain compromise - including the secure software development attestation common form.

CISA Guidance

ENISA Threat Landscape for Supply Chain Attacks

EU Agency for Cybersecurity's report taxonomizing supply-chain attack patterns by attack technique on the supplier vs. the customer asset targeted.

ENISA Taxonomy

Sonatype State of the Software Supply Chain

Annual report on open-source consumption, malicious package volumes, and remediation timelines - sourced from Maven Central and Sonatype's registry telemetry.

Annual Report OSS

XZ Utils Backdoor - CVE-2024-3094

Multi-year social engineering of an OSS maintainer to plant an sshd backdoor in liblzma. Caught by a Microsoft engineer noticing a 500ms login delay. CISA + Red Hat advisories.

OSS Maintainer Compromise 2024

3CX Cascading Supply Chain (2023)

First publicly documented cascading supply-chain attack - DPRK actor compromised X_TRADER, pivoted to 3CX desktop app, which then shipped malware to 600,000+ customers. Mandiant investigation.

DPRK Cascading 2023

MOVEit / Cl0p (2023)

Zero-day SQLi in Progress MOVEit Transfer exploited by the Cl0p extortion group against 2,700+ organizations and 95M+ individuals - the largest mass-exploitation event of 2023, filed here because one vulnerable third-party product exposed every customer running it.

Zero-Day Mass Exploit 2023

Kaseya VSA / REvil (2021)

REvil exploited an authentication-bypass zero-day in Kaseya VSA to push ransomware to ~1,500 downstream MSP customers in a single weekend. CISA joint advisory.

MSP Ransomware 2021

tj-actions / reviewdog (2025)

Compromised GitHub Actions (tj-actions/changed-files and reviewdog/action-setup) leaked CI/CD secrets from thousands of repositories via injected workflow steps. The case for SHA-pinning third-party actions.

GitHub Actions CI/CD 2025
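Added example (not code from this page or from the GitHub Actions project): a Python check that walks a workflow file and flags every third-party `uses:` reference not pinned to a full 40-hex commit SHA, which is the mitigation the incident above is usually cited for. A tag like @v45 is a mutable pointer that the action's owner (or whoever takes over their account) can move at will; a commit SHA is not. The workflow text is constructed; the action names echo the incident, the SHA shown is a placeholder rather than a real commit, and the set of owners treated as lower-risk is an assumption.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA (added example)."""
import re

# Constructed workflow. The SHA below is a placeholder, not a real commit of any action.
WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: some-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v2.3.1
      - uses: ./.github/actions/internal-step
      - uses: docker://alpine:3.19
      - name: build
        run: make
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY_OWNERS = {"actions", "github"}   # assumption: lower risk, but a tag is still mutable


def audit_workflow(text):
    """Return one finding per risky `uses:` line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if ref.startswith(("./", "../")):
            continue  # local action: same repo, same review process as the workflow itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(dict(line=lineno, uses=ref, severity="high",
                                     issue="container image referenced by tag, not digest"))
            continue
        action, _, version = ref.partition("@")
        owner = action.split("/")[0]
        if FULL_SHA.match(version):
            if not re.search(r"v?\d", comment):  # keep a human-readable version next to the SHA
                findings.append(dict(line=lineno, uses=ref, severity="info",
                                     issue="SHA-pinned but no version comment for reviewers/update bots"))
            continue
        severity = "low" if owner in FIRST_PARTY_OWNERS else "high"
        findings.append(dict(line=lineno, uses=ref, severity=severity,
                             issue=f"mutable ref '{version or '(default branch)'}' - pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(WORKFLOW):
        print(f"{f['severity']:5} line {f['line']:3} {f['uses']}: {f['issue']}")
```

Pair this with a repository setting that restricts which actions may run at all (GitHub offers an allow-list per organization) and with Dependabot or Renovate to bump the pinned SHAs, since a pin you never update is a pin to yesterday's bugs.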

Log4Shell - CVE-2021-44228

Transitive-dependency nightmare: a JNDI lookup bug in log4j surfaced in a huge share of the world's Java applications, including services operated by AWS, Azure, and GCP. CISA's Emergency Directive 22-02 is the canonical reference.

Transitive Deps Java 2021

CISA SBOM Resources

Software Bill of Materials guidance, formats (SPDX, CycloneDX), and the minimum-element spec from NTIA. The inventory layer that makes "are we affected by X?" answerable in minutes instead of weeks.

SBOM SPDX CycloneDX

IOC Feeds & Threat Intel Platforms

The atomic layer of threat intelligence: IPs, domains, file hashes, C2 beacons, malicious certificates, and the platforms that aggregate and enrich them. IOCs are perishable - adversaries rotate infrastructure on hours-to-days timescales - so use them for retrospective hunts and high-confidence blocklists, not as a substitute for behavioral detection. The real value comes from feeding them into your SIEM, EDR, or DNS sinkhole so a hit pages someone, and from using enrichment platforms (VirusTotal, GreyNoise, Censys, Shodan) to triage alerts in seconds instead of hours. Most of these sources offer a free community tier and a paid commercial tier; the free tiers are usually enough for a small team to bootstrap a hunt program.
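Added example, not code from any of the feeds listed below: a Python hunt that applies the perishability rule from the paragraph above (drop IOCs whose last_seen is older than a cutoff, or whose confidence is low) before matching the survivors against VPC Flow Log and resolver-log lines. The feed records are constructed and only loosely follow the ThreatFox export shape (ioc, ioc_type, malware, confidence_level, last_seen); the log lines are constructed too, and the 30-day / 75-confidence thresholds are assumptions.

```python
"""Age-filter an IOC feed and hunt it across flow and DNS logs (added example; all data constructed)."""
from datetime import datetime, timedelta, timezone

# Constructed feed records, loosely shaped like a ThreatFox export. Domains use the reserved .invalid TLD.
FEED = [
    {"ioc": "198.51.100.23:443", "ioc_type": "ip:port", "malware": "Cobalt Strike",
     "confidence_level": 90, "last_seen": "2024-05-01 10:00:00"},
    {"ioc": "203.0.113.77:8080", "ioc_type": "ip:port", "malware": "Mirai",
     "confidence_level": 80, "last_seen": "2024-01-15 00:00:00"},          # stale: infra long since rotated
    {"ioc": "updates.badcdn.invalid", "ioc_type": "domain", "malware": "AsyncRAT",
     "confidence_level": 85, "last_seen": "2024-04-28 00:00:00"},
    {"ioc": "192.0.2.9:80", "ioc_type": "ip:port", "malware": "Unknown",
     "confidence_level": 25, "last_seen": "2024-05-02 00:00:00"},           # low confidence
]
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)

# Constructed VPC Flow Log lines in the default v2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aa1 10.0.1.15 198.51.100.23 51234 443 6 12 3600 1714730400 1714730460 ACCEPT OK
2 123456789012 eni-0aa1 10.0.1.15 203.0.113.77 51235 8080 6 4 240 1714730400 1714730460 ACCEPT OK
2 123456789012 eni-0aa1 10.0.1.22 192.0.2.9 51236 80 6 1 60 1714730400 1714730460 REJECT OK
2 123456789012 eni-0aa1 10.0.1.15 10.0.2.8 51237 5432 6 100 80000 1714730400 1714730460 ACCEPT OK
"""
# Constructed resolver query log, simplified to: timestamp client qname
DNS_LOGS = """\
2024-05-03T09:12:01Z 10.0.1.15 cdn1.updates.badcdn.invalid
2024-05-03T09:12:05Z 10.0.1.22 www.example.com
"""


def load_iocs(feed, now, max_age_days=30, min_confidence=75):
    """Keep only fresh, confident IOCs and index them as {'ip': {...}, 'domain': {...}}."""
    index = {"ip": {}, "domain": {}}
    cutoff = now - timedelta(days=max_age_days)
    for rec in feed:
        seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if seen < cutoff or rec["confidence_level"] < min_confidence:
            continue
        if rec["ioc_type"] == "ip:port":
            index["ip"][rec["ioc"].split(":")[0]] = rec   # match on the address; ports rotate even faster
        elif rec["ioc_type"] == "domain":
            index["domain"][rec["ioc"].lower()] = rec
    return index


def _domain_match(qname, domains):
    """Exact match or any parent domain: sub.evil.tld hits an IOC for evil.tld."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(flow_text, dns_text, index):
    """Retrospective sweep: every flow or DNS line touching a live IOC, enriched from the feed record."""
    hits = []
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        src, dst, dport, action = f[3], f[4], f[6], f[12]
        for ip in (src, dst):
            if ip in index["ip"]:
                rec = index["ip"][ip]
                hits.append({"source": "vpc_flow", "client": src if ip == dst else dst, "ioc": ip,
                             "dport": dport, "action": action, "malware": rec["malware"],
                             "confidence": rec["confidence_level"], "last_seen": rec["last_seen"]})
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        matched = _domain_match(qname, index["domain"])
        if matched:
            rec = index["domain"][matched]
            hits.append({"source": "dns", "client": client, "ioc": matched, "qname": qname,
                         "malware": rec["malware"], "confidence": rec["confidence_level"],
                         "last_seen": rec["last_seen"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(FLOW_LOGS, DNS_LOGS, load_iocs(FEED, NOW)):
        print(hit)
```

With the defaults the sweep returns two hits (one flow, one DNS) that are worth paging on; with aging and the confidence floor disabled it returns four, two of which are the stale Mirai address and a low-confidence entry. That difference is the false-positive load the paragraph above warns about.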

AlienVault OTX

Open Threat Exchange - community-contributed IOC "pulses" with IPs, hashes, domains, and CVEs. Free API.

IOCs Community Free API

abuse.ch (URLhaus, ThreatFox, MalwareBazaar)

High-signal feeds for malicious URLs, malware samples, and C2 infrastructure. Free non-commercial use.

IOCs Malware C2

VirusTotal

File, URL, IP, and domain reputation - the industry's default triage tool. VT Intelligence for hunting requires a paid plan.

Enrichment Malware

MISP

Open-source threat intelligence platform used by CERTs and enterprises for sharing, correlating, and storing IOCs.

Platform Open Source

Shodan

Search engine for internet-exposed services - find your own exposed databases, Kubernetes API servers, and management consoles before attackers do.

Recon Enrichment

GreyNoise

Tells you whether an IP is part of internet-wide scan noise or targeted activity - cuts false positives on scan-based detections.

Enrichment Scan Data

Censys Search

Internet scanning and attack-surface search - track adversary infrastructure (Cobalt Strike beacons, phishing kits) across the IPv4 space.

Recon Attack Surface

CIRCL.lu

Luxembourg CERT - hosts free public passive DNS, passive SSL (certificate history), and hashlookup services.

Enrichment Passive DNS

Feodo Tracker

Live feed of botnet C2 IPs (Emotet, Dridex, TrickBot, IcedID) - perfect for blocklist automation.

C2 Blocklist

Spamhaus

Long-running IP/domain reputation feeds - SBL, XBL, PBL, and the Botnet Controller List (BCL) are widely used at perimeters.

Reputation Blocklist

IBM X-Force Exchange

Collaborative threat intelligence platform for IOC enrichment and sharing. Free tier includes API access.

Enrichment IOCs

OSINT Framework

Tree of open-source intelligence resources - useful when pivoting from an IOC to actor attribution.

OSINT Directory

"Reading vendor research is necessary; running detections against it is what actually protects you." - how this page is meant to be used

Attack Frameworks & Matrices

Shared vocabularies for talking about attacker behavior, defender countermeasures, and detection coverage. MITRE ATT&CK is the lingua franca - its Cloud, Containers, and Kubernetes matrices show up in nearly every serious threat report - and D3FEND maps countermeasures back to those same techniques so you can reason about defensive coverage instead of just attacker creativity. Specialized matrices (Microsoft's Kubernetes Threat Matrix, OWASP's Cloud-Native Top 10) zoom in on environments where ATT&CK is too generic to be actionable. The practical move: pick one technique your team has missed in a recent incident, find every public detection rule for it (Sigma, Elastic, Splunk), measure your current coverage, and close the gap. Repeat. Over a quarter or two this turns into a real detection-engineering program rather than a wall of unread alerts.


Government & Regulatory Advisories

Authoritative, attribution-grade detail you can't get anywhere else. CISA, NCSC, NSA, FBI, ACSC, and their counterparts have visibility into incidents most vendors don't - federal IR engagements, classified telemetry, sector-wide ISAC reporting - and they declassify enough of it into public advisories for defenders to act on. Joint advisories (multi-agency, often multi-country) are where you'll find the cleanest technical write-ups of active nation-state campaigns, including specific TTPs, IOCs, and recommended mitigations. The KEV catalog deserves special attention - if a CVE lands there, it has been observed in real attacks and your patching SLA for it should be days, not quarters. Subscribe to the email lists or RSS feeds for at least your home country's national CERT and CISA's advisories; both are free and signal-dense.
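Added example, not code from CISA or this page: a Python cross-check of scanner findings against a catalog that uses the KEV JSON field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), computing how far each finding is past both CISA's due date and a tighter internal SLA measured from dateAdded. It also answers the SBOM question from earlier on the page ("are we affected by X?") for the KEV subset, which is the subset that matters most. The catalog entries, their dates, the findings and the 14-day SLA are constructed placeholders, not the live catalog.

```python
"""Prioritize scanner findings against a KEV-shaped catalog (added example; data constructed)."""
from datetime import date, timedelta

# Field names follow CISA's KEV JSON feed; the entries, dates and descriptions are constructed placeholders.
KEV_CATALOG = {
    "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
    "catalogVersion": "2024.04.15",
    "dateReleased": "2024-04-15T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup allows remote code execution.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-3094", "vendorProject": "XZ Utils", "product": "liblzma",
         "vulnerabilityName": "XZ Utils Backdoor",
         "dateAdded": "2024-03-29", "shortDescription": "Malicious code in liblzma alters sshd behaviour.",
         "requiredAction": "Downgrade to an unaffected version or apply vendor updates.", "dueDate": "2024-04-19",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed scanner output for three assets; CVE-2023-99999 is a placeholder ID.
FINDINGS = [
    {"asset": "reporting-web", "package": "libexample@1.2.3", "cve": "CVE-2023-99999", "cvss": 9.8},
    {"asset": "bastion-01", "package": "xz-utils@5.6.1", "cve": "CVE-2024-3094", "cvss": 10.0},
    {"asset": "payments-api", "package": "log4j-core@2.14.1", "cve": "CVE-2021-44228", "cvss": 10.0},
]
TODAY = date(2024, 4, 15)
INTERNAL_SLA = timedelta(days=14)   # assumption: your own clock, started the day CISA adds the CVE


def index_kev(catalog):
    """cveID -> KEV entry, for O(1) membership checks across a large inventory."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(findings, catalog, today, internal_sla=INTERNAL_SLA):
    """KEV membership beats CVSS: KEV entries first (ransomware-linked ahead), most overdue first."""
    kev = index_kev(catalog)
    rows = []
    for f in findings:
        row = dict(f, in_kev=False, ransomware=False, cisa_due=None, cisa_days_overdue=None,
                   internal_due=None, days_overdue=None)
        entry = kev.get(f["cve"])
        if entry:
            added = date.fromisoformat(entry["dateAdded"])
            cisa_due = date.fromisoformat(entry["dueDate"])
            internal_due = added + internal_sla
            row.update(in_kev=True,
                       ransomware=entry["knownRansomwareCampaignUse"] == "Known",
                       cisa_due=cisa_due.isoformat(), cisa_days_overdue=(today - cisa_due).days,
                       internal_due=internal_due.isoformat(), days_overdue=(today - internal_due).days)
        rows.append(row)
    # Negative days_overdue means "still inside the SLA"; non-KEV rows sort last on CVSS alone.
    rows.sort(key=lambda r: (not r["in_kev"], not r["ransomware"], -(r["days_overdue"] or 0), -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_CATALOG, TODAY):
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} {r['cve']:15} {r['asset']:14} internal overdue={r['days_overdue']} cisa overdue={r['cisa_days_overdue']}")
```

Two points the output makes: all three findings carry a near-maximum CVSS, yet only two are exploited in the wild, and the XZ entry is already three days past the internal SLA while still four days inside CISA's due date. The federal due date is the floor for FCEB agencies, not a target for anyone else.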

Help Us Keep This Current

Threat research moves fast and this page will go stale if the community doesn't help. Know a team, report, or feed we should add? Noticed a broken link?

Submit a PR

Edit threat-research.html on GitHub and open a pull request - the fastest way to get a new source listed.

Open GitHub

Email a Suggestion

Not comfortable with GitHub? Email us with the source URL and a one-line description.

Email admin@csoh.org

Present Your Research

Got original threat research to share? Come present it on a Friday Zoom session.

Friday Zoom Sessions