Origin (@originhq)
Followers: 629, Following: 37, Media: 5, Statuses: 24
Endpoint capabilities for the era of semantic security. (formerly Prelude Research)
Joined February 2025
Announcing our whitepaper on the future of endpoint security. https://t.co/NogsQiku9B
preludesecurity.com
A research preview of our user-mode Windows agent that comprehensively catches malicious code execution.
Signature-based detection has failed as adversaries mutate indicators and adapt tradecraft faster than defenses. Computer use agents embedded in daily workflows push this over the edge as dual-use insiders, indistinguishable from normal activity. https://t.co/sJYOf0Iz1u
originhq.com
Enabling you to safely give AI agents the permissions they need, so they can give you the productivity you demand.
We believe that: 1. The potential economic upsides of the productivity boosts that Computer Use Agents offer incentivize us to provide them with more access to our computers to increase the amount of context they can have. 2. They represent a new type of interpreter that
In this simple example, we show that Claude Code can read the iMessage database on the latest version of macOS, even with a leading EDR running on the system, illustrating the impact of an adversary who can remotely control the agent. We do this using Terminator, an internal
New on the blog: @michaelbarclay_ revives registry-based tradecraft using a telemetry gap in the hive restoration process. The blog also includes PoC code and detection guidance. 📃
New research from @jdu2600: a clean loader-lock escape using the PEB's PostProcessInitRoutine. Read the analysis and PoC code 📃
In @33y0re's latest post on Windows ARM64 Pointer Authentication, he dissects how PAC fortifies stack integrity and thwarts exploits at the hardware level. Explore the mechanics of this critical security layer and its role in modern Windows defenses. https://t.co/2NL7Iw4l6A
This method demonstrates how hardware-level telemetry, coupled with contextual reasoning, can surface malicious activity that signature-based approaches will always miss as malware authors innovate in response. 📃 Full write-up →
By tracing execution of private memory and reconstructing its provenance, our agent surfaced the broader chain: the encryptor escalated privileges, spawned a new instance of itself, and then created a third process that deleted the encryptor from disk. All three of these
In an effort to avoid traditional static analysis of the import table and plain-text strings, the author of this encryptor constructed jump tables on the heap to invoke noteworthy Win32 APIs. This evasion attempt created an opportunity for detection elsewhere.
While testing our agent against malware observed in the wild, we detected a LockBit encryptor not via file signatures or static IOCs, but by observing out-of-context execution of private memory using hardware telemetry. 🧵
Endpoint defense needs an architectural shift. With $16M in additional funding, we’re delivering runtime memory protection to the people defending the most important systems on earth. https://t.co/B4pos0Q1sP
preludesecurity.com
Prelude will use the capital to commercialize runtime memory protection, expanding platform support and customer deployment.
Today I am releasing a new blog post on VSM "secure calls" + the SkBridge project to manually issue them!! This blog talks about how VTL 0 requests the services of VTL 1 and outlines common secure call patterns!!! Blog: https://t.co/xzB1s7HoPO SkBridge: https://t.co/0zO0E1L4Sy
I cleaned up the code I have been working on for the last few days into a tool I’m calling “Vtl1Mon”! Vtl1Mon traces VTL 1 enter (“secure call”) operations via ETW and also call stack/symbol enhances the events! https://t.co/1mAOyZxsxP
github.com
Virtual Trust Level (VTL 1) secure call tracing. Contribute to connormcgarr/Vtl1Mon development by creating an account on GitHub.
Join us in Islander E-I for @33y0re’s talk on KCFG and KCET internals #BHUSA
https://t.co/7s4lPsvI5Z
I am excited to say my talk at @BlackHatEvents USA 2025 was accepted where I will be sharing my recent research on kernel-mode CET as well as KCFG on Windows!
RUST WINDOWS DOCS MCP. If you've ever done Rust dev with the windows crate, you know it's painful because it makes up API calls, hallucinates types, and can't do feature flags. This MCP server just adds context. It doesn't auto-hack noobs, but it does its job pretty well.
.@PreludeResearch is also now looking for software engineers in pursuit of the efforts mentioned in the previous tweet! Posting:
If you are passionate about Windows OS internals; detection, software, and reverse engineering; debugging; and solving interesting problems, come join us @PreludeResearch