Intelligence Feed
Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild
Elastic Security Labs
09 May 2026
SEV 5/10
Ruben Groenewoud • Eric Forte • Samir Bousseaden
Detection Engineering • 4 min read
This research analyzes the Linux kernel privilege escalation vulnerabilities Copy Fail and DirtyFrag, which exploit subtle page cache corruption bugs to create reliable paths to root access. Additionally, Elastic Security Labs is releasing detection logic for these vulnerabilities.
Introduction: Recent Linux kernel privilege escalation vulnerabilities, Copy Fail (CVE-2026-31431), Copy Fail 2, and DirtyFrag, highlight how subtle page cache corruption bugs can become practical, reliable paths to root.
Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response
Elastic Security Labs
08 May 2026
SEV 4/10
Erik-Jan de Kruijf
Enablement • 8 min read
This article shows how a customized Elastic Security ES|QL detection rule can identify web server probing and fuzzing activity in Traefik logs and automatically block the attacking IP via Cloudflare.
Introduction: Self-hosted services exposed through a reverse proxy inevitably attract automated scanners probing for misconfigurations, admin panels, and vulnerable endpoints. In this article, I show how to turn routine Traefik access logs into an active defensive control using Elastic Security and Cloudflare.
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Elastic Security Labs
07 May 2026
SEV 5/10
Jia Yu Chan • Daniel Stepanic • Seth Goodwin • Terrance DeJesus
Malware Analysis, Threat Intelligence • 17 min read
REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.
Elastic Security Labs identified a new Brazilian banking trojan that we are tracking as TCLBANKER, a malware family we assess is a major update of the MAVERICK / SORVEPOTEL family. The campaign, tracked as REF3076, features a loader with robust anti-analysis capabilities that deploys two embedded .NET Reactor-protected modules: a full-featured banking trojan and a worm module for self-propagation.
Your UEBA is lying to you: Why entity record quality decides everything
Elastic Security Labs
05 May 2026
SEV 4/10
Erik Huang • Mike Paquette
Most entity analytics systems are confidently wrong. They track users who do not exist, generate risk scores built on noise, and call it behavioral analytics. Learn why the entity records you don't create matter as much as the ones you do, and how a confidence-tiered model changes the game.
AI-generated hunting leads: The hunt starts before you ask the question
Elastic Security Labs
05 May 2026
SEV 3/10
Erik Huang • Mike Paquette
Product Updates • 4 min read
Introducing AI-generated hunting leads: proactive, environment-aware threat hypotheses powered by Elastic Entity analytics and integrated AI reasoning.
Threat hunting has always been a human art; a practitioner staring at logs, forming a hypothesis, and patiently chasing it down. What if the hardest part of the hunt (knowing where to look) could be done for you, automatically, in milliseconds, and tuned specifically to your environment?
Know who to watch before the incident finds you
Elastic Security Labs
05 May 2026
SEV 3/10
Erik Huang • Jared Burgett
Product Updates • 5 min read
Elastic Security v9.4 introduces Entity Analytics Watchlists, a way to codify what your team already knows about high-risk entities and feed that context directly into risk scoring, without custom pipelines or detection engineering overhead.
Elastic Security v9.4 introduces Entity Analytics Watchlists, a new capability in the Entity Analytics suite that lets security teams create named, weighted lists of users, hosts, and services and feed that context directly into the platform's risk scoring pipeline. The gap this closes isn't awareness, as most security teams already know which entities deserve elevated scrutiny. The gap is that SIEMs have had no way to express that organizational knowledge as a risk signal.
Elastic Workflows GA: automation where your security data already lives
Elastic Security Labs
05 May 2026
SEV 3/10
Tinsae Erkailo
Product Updates • 8 min read
Elastic Workflows is generally available in 9.4, bringing production-ready security automation with deeper case management integration, human-in-the-loop support, natural language authoring, and more.
Elastic Workflows is generally available in 9.4. It is the automation layer built directly into Elastic, running where your data lives across Security, Observability, and Search.
One agent, the right skills: Elastic Security 9.4 brings domain expertise on demand to every SOC workflow
Elastic Security Labs
04 May 2026
SEV 4/10
Dhrumil Patel
Product Updates • 12 min read
Elastic Security 9.4 introduces skills: modular AI capabilities that teach the Elastic AI Agent how to detect, investigate, and hunt like a specialist. This is how they work, and why they matter for the SOC.
Three things land on you at once: Attack Discovery correlated 12 alerts into a credential-harvesting campaign overnight, your team just onboarded a new fleet of macOS endpoints and needs detection rules for LOLBin abuse, and a risk score spike on a service account just crossed the critical threshold.
Elastic Conversational Entity Analytics: threat hunting in a single conversation
Elastic Security Labs
04 May 2026
SEV 3/10
Erik Huang • Paulo da Silva Junior
Product Updates • 4 min read
Conversational Entity Analytics delivers Entity Analytics features as rich inline attachments and Canvas previews into Agent Builder, so you don’t have to leave the conversation.
Entity Analytics is a core security analytics capability that extends Elastic Security from event-centric to entity-centric investigation. This security context equips threat hunters to stop chasing isolated alerts and instead uncover the full narrative of a potential compromise.
From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security
Elastic Security Labs
04 May 2026
SEV 3/10
Kseniia Ignatovych
Product Updates • 10 min read
Elastic Security now lets analysts describe a threat behavior in plain language and receive a complete, validated Elasticsearch ES|QL detection rule in return, no query expertise required.
Elastic Security now includes AI-powered detection rule creation, built into the rule creation workflow. Analysts describe a threat behavior in plain English and receive a complete, validated Elasticsearch Query Language (ES|QL) rule in return, with MITRE ATT&CK mappings, severity recommendations, and a preview against live data, all without leaving the platform or writing a single line of query syntax.
DFIR: From alert to root cause using Osquery without leaving Elastic Security
Elastic Security Labs
01 May 2026
SEV 4/10
Raquel Tabuyo
Product Updates • 10 min read
Learn how to perform distributed, real-time Digital Forensics and Incident Response (DFIR) using Osquery and Elastic to investigate threats at scale without relying on disk imaging.
Modern DFIR doesn't start with a disk image. That model worked when environments were smaller, endpoints were static, and time wasn't the primary constraint.
CI/CD pipeline abuse: the problem no one is watching
Elastic Security Labs
29 Apr 2026
SEV 5/10
Mika Ayenson, PhD
Detection Engineering, Enablement, Tools • 9 min read
How we built an open-source, drop-in CI template that uses signal extraction and LLM reasoning to catch CI/CD abuse in GitHub Actions, GitLab CI, and Azure DevOps pipelines.
Preamble: In 2025 and 2026, we watched a pattern play out across the industry. Attackers stopped going after production servers directly and started targeting the automation that deploys to them.
Monitoring Claude Code/Cowork at scale with OTel in Elastic
Elastic Security Labs
25 Apr 2026
SEV 3/10
Spencer Niemi
Enablement, Generative AI • 8 min read
How Elastic's InfoSec team built a monitoring pipeline for Claude Code and Claude Cowork using their native OTel export capabilities and Elastic's OTel ingestion infrastructure.
As AI coding assistants become standard tools in engineering workflows, security teams face a new challenge: how do you maintain visibility into what an AI agent is doing (and why) across your organization? When those agents can execute shell commands, read files, call APIs, and interact with internal systems via MCP connectors, you need real-time observability to support threat detection, incident response, and compliance.
The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation
Elastic Security Labs
21 Apr 2026
SEV 4/10
Cyril François • Daniel Stepanic • Jia Yu Chan
Generative AI, Detection Engineering, Malware Analysis • 23 min read
Elastic Security Labs explores the ongoing arms race between LLM-driven reverse engineering and obfuscation.
Introduction: Over the past few years, we have observed a significant evolution in the capabilities of LLMs to be productive and to carry out various tasks that address real-world problems, such as program synthesis, malware research, or vulnerability research. Specifically in the context of reverse engineering, LLMs are particularly effective given the right tools because they are very good at reading source code even without symbols.
Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT
Elastic Security Labs
14 Apr 2026
SEV 5/10
Salim Bitam • Samir Bousseaden • Daniel Stepanic
Malware Analysis, Threat Intelligence • 14 min read
Elastic Security Labs uncovers a novel social engineering campaign that abuses the legitimate community plugin ecosystem of the popular note-taking application Obsidian. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram.
A follow-up publication will provide a deeper technical analysis of PHANTOMPULSE itself, covering its injection engines, persistence internals, and C2 protocol in greater detail.
Elastic on Defence Cyber Marvel 2026: A Technical overview from the Exercise Floor
Elastic Security Labs
09 Apr 2026
SEV 4/10
James Garside
Enablement • 21 min read
An overview of the Elastic Security and AI infrastructure deployed to support the UK Ministry of Defence's flagship cyber exercise, Defence Cyber Marvel 2026.
Where to begin. For the fourth consecutive year, Elastic has had the privilege of serving as a trusted industry partner on Exercise Defence Cyber Marvel, the UK Ministry of Defence's flagship cyber exercise series.
Elastic Security Integrations Roundup: Q1 2026
Elastic Security Labs
04 Apr 2026
SEV 4/10
Carrie Pascale
Product Updates • 5 min read
Elastic Security Labs announces nine new integrations for Elastic Security spanning cloud security, endpoint visibility, email threat detection, identity and SIEM.
A quarterly look at Elastic’s security integrations ecosystem: Security teams can only protect what they can see. Gaps in coverage, like a macOS fleet generating logs that never reach your SIEM, an email gateway running in isolation, or a cloud environment producing findings that stay siloed in the vendor console, are easily exploited by attackers.
How we caught the Axios supply chain attack
Elastic Security Labs
02 Apr 2026
SEV 4/10
Joe Desimone
Detection Engineering, Enablement • 9 min read
Joe Desimone shares the story of how he caught the Axios supply chain attack with a proof of concept tool built in an afternoon.
Preamble: Last Monday night I was working late and a Slack alert came in from a monitoring tool I had built three days earlier. Axios compromised; one of the most popular npm packages in the world.
Prioritizing Alerts Triage with Higher-Order Detection Rules
Elastic Security Labs
02 Apr 2026
SEV 4/10
Samir Bousseaden
Enablement, Detection Engineering • 9 min read
Scaling SOC efficiency through multi-signal correlation and higher-order detection patterns.
At Elastic, we operate a large and diverse set of behavior detection rules across multiple datasets, environments, and severity levels. Most of these rules are atomic, each designed to detect a specific behavior, signal, or attack pattern.